Microsoft Challenges Idea That US Government Can Go Fishing For Emails Stored Outside The US

from the going-to-be-an-important-fight dept

Back in April, we wrote about a magistrate judge ruling that Microsoft had to comply with a warrant asking for data that was held on servers in Dublin. Microsoft argued, quite reasonably, that a US warrant doesn’t apply outside of the US. Unfortunately, magistrate judge James Francis disagreed, saying that while it’s true that traditional warrants only apply inside the US, this is different because it’s “digital.” He argued that because the issue was about information, rather than physical property, it could be considered more like a subpoena than a warrant. As we noted, Microsoft made it clear that it would challenge this ruling, and now it has done so, arguing that the ruling flies in the face of the law and the Constitution. This summary from Microsoft’s filing is pretty clear on what an incredibly big deal this is, with the government basically seeking to get the best of a subpoena and a warrant without any of the protections and limits required of either:

The Magistrate Judge issued a warrant under the Electronic Communications Privacy Act (“ECPA”) that on its face, purports to authorize the Government to search any and all of Microsoft’s facilities worldwide. Microsoft moved to vacate the warrant because the private email communications the Government seeks are located in a Microsoft facility in Dublin, Ireland and because Congress has not authorized the issuance of warrants that reach outside U.S. territory. The Government cannot seek and a court cannot issue a warrant allowing federal agents to break down the doors of Microsoft’s Dublin facility. Likewise, the Government cannot conscript Microsoft to do what it has no authority itself to do — i.e., execute a warranted search abroad. To end-run these points. the Government argues, and the Magistrate Judge held, that the warrant required by ECPA is not a “warrant” at all. They assert that Congress did not mean “warrant” when using that term, but instead meant some previously unheard of “hybrid” between a warrant and subpoena duces tecum. The Government takes the extraordinary position that by merely serving such a warrant on any U.S.-based email provider, it has the right to obtain the private emails of any subscriber, no matter where in the world the data may be located. and without the knowledge or consent of the subscriber or the relevant foreign government where the data is stored.

This interpretation not only blatantly rewrites the statute, it reads out of the Fourth Amendment the bedrock requirement that the Government must specify the place to be searched with particularity, effectively amending the Constitution for searches of communications held digitally. It would also authorize the Government (including state and local governments) to violate the territorial integrity of sovereign nations and circumvent the commitments made by the United States in mutual legal assistance treaties expressly designed to facilitate cross-border criminal investigations. If this is what Congress intended, it would have made its intent clear in the statute. But the language and the logic of the statute, as well as its legislative history, show that Congress used the word “warrant” in ECPA to mean “warrant,” and not some super-powerful “hybrid subpoena.” And Congress used the term “warrant” expecting that the Government would be bound by all the inherent limitations of warrants, including the limitation that warrants may not be issued to obtain evidence located in the territory of another sovereign nation.

The Government’s interpretation ignores the profound and well established differences between a warrant and a subpoena. A warrant gives the Government the power to seize evidence without notice or affording an opportunity to challenge the seizure in advance. But it requires a specific description (supported by probable cause) of the thing to be seized and the place to be searched and that place must be in the United States. A subpoena duces tecum, on the other hand, does not authorize a search and seizure of the private communications of a third party. Rather. it gives the Government the power to require a person to collect items within her possession, custody, or control, regardless of location, and bring them to court at an appointed time. It also affords the recipient an opportunity to move in advance to quash. Here, the Government wants to exploit the power of a warrant and the sweeping geographic scope of a subpoena, without having to comply with fundamental protections provided by either. There is not a shred of support in the statute or its legislative history for the proposition that Congress intended to allow the Government to mix and match like this. In fact, Congress recognized the basic distinction between a warrant and a subpoena in ECPA when it authorized the Government to obtain certain types of data with a subpoena or a “court order,” but required a warrant to obtain a person’s most sensitive and constitutionally protected information — the contents of emails less than 6 months old.

Verizon has stepped in as well, pointing out that if the original ruling is allowed to stand, it could have significant negative impact on the ability of US businesses to get non-US users to trust them — an increasingly important issue in light of the Snowden revelations.

The magistrate’s ruling, if left standing, could cost U.S. businesses billions of dollars in lost revenue, undermine international agreements and understandings, and prompt foreign governments to retaliate by forcing foreign affiliates of American companies to turn over the content of customer data stored in the United States.

The recent revelations about U.S. intelligence practices have heightened foreign sensitivities about the U.S. government’s access to data abroad, generated distrust of U.S. companies by foreign officials and customers, and led to calls to cease doing business with U.S. communications and cloud service providers. Studies have estimated that this distrust will result in tens of billions of dollars in lost business over the next few years. The magistrate’s ruling, if left standing, will dramatically increase the harm to American businesses. It would mean that foreign customers’ communications and other stored data would be available to hundreds or thousands of federal, state, and local law enforcement agencies, regardless of the laws of the countries where the data is held. Foreign customers will respond by moving their business to foreign companies without a presence in the United States.

If you hadn’t figured it out by now, this case is going to have tremendously important ramifications for privacy around the globe.



Filed Under: , , , , , , , , ,
Companies: microsoft

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Microsoft Challenges Idea That US Government Can Go Fishing For Emails Stored Outside The US”

Subscribe: RSS Leave a comment
26 Comments
Anonymous Coward says:

Re: Re:

The Letter of the Law only matters when the judge wants it to.
The Spirit of the Law only matters when the judge wants it to.

Anyone seeing the pattern here? Judges are less and less about Judging and more and more about legislating.

Good lawyer would request mistrial immediately on grounds that “His Honor” less seems to be incapable of basic high school level reading and deigns to create new and unintended interpretations to codified law.

He should file a complaint against the BAR and see if said judge can have his law license revoked. It may not immediately remove him from the bench, but it would make the next attempt to remove him easier. Judges lately have been enjoying a great deal of extra constitutional power beyond what was intended, but they are not being challenged on it either so why stop?

John Fenderson (profile) says:

Re: Re: Re:

“Judges are less and less about Judging and more and more about legislating.”

It is the legitimate, and critically important, role of the judiciary to act as check and balance to the legislature, and to find ways to apply the laws that is both Constitutional and in spirit with the intention of the law. That involves a lot of judgment calls and, occasionally, acting in a manner that resembles legislating.

It’s how the system was designed.

Anonymous Coward says:

And what about NSLs?

“It would mean that foreign customers? communications and other stored data would be available to hundreds or thousands of federal, state, and local law enforcement agencies, regardless of the laws of the countries where the data is held. Foreign customers will respond by moving their business to foreign companies without a presence in the United States.”

Forgive me for being a non-USian and thus not knowing all the details, but isn’t that already the case due to NSLs? Can’t a NSL already force a US-company to violate foreign laws?

Anonymous Coward says:

Re: And what about NSLs?

The laws of a foreign land means jack and shit. This is universal. The laws that DO matter are the ones established in Treaties and Agreements, but often enough get broken all the same.

The general rule is this… I a business has an office that country then that business office itself is subject to the laws of that land, but not the rest of the company where other offices are located. This includes things like this… the US Gov really can legally issue a warrant or subpena for anything they want including Pluto. The issue is that if it contradicts laws for that office in that land then the business is obliged to follow the laws of that land. Now if the data is held on server on US soil… that’s fair game and can be enforced.

Despite this, you will still see governments go ahead and force their way through like criminals anyways because what is a business gonna do? Hire an army and protect their assets? Are the citizens going to do anything?

So in short despite what the laws and treaties say… if you are a business, you can be quickly screwed and bullied by any country in the world in which you have an office. Governments are every bit as criminal as your local thugs, its just that these thugs have the backing of most of the citizens… well usually.

Anonymous Coward says:

Re: Re:

—–BEGIN PGP MESSAGE—–
Version: GnuPG v2.0.22 (MingW32)

KAQgAs6EgKY0PvjivQsHULzKZWW/nCNnEFHCC2BNyd7O+yTGWcTqyBPbMnztCIYB
9fm+n6lx1O47v56nMhix7wqhotKQw6iGqZOcATt0bgrfJRKVhJdQ+7Ez53QXO5MS
pgai9poUBQMyWodNE6S3DpDOgXo9IVb+ZoJQmMDnDD/xzEqGpA7o76KWp/zv4BR
GQDkIG/J/ZKYLte09Hbs36dGhWevTGaSyXtzBBWZXwWVbpPj76a3d/1lfIoBMchs
qRSxAQP1kI9FDLCLgoqE2/1Bwhs/E4gmfJ3d14A+ivDRzhiEbGLDDuus8JtNYfUb
qTr/Mr/FoGQMyNjDm5Tp8x4vC4ttK1AcHaFb7VGdU/hof04AV11nPzMgOEazsHse
—–END PGP MESSAGE—–

The Wanderer (profile) says:

Re: Re: Re: Re:

And apparently there’s a reason for that. My (slightly outdated) version of HTTPS Everywhere doesn’t automatically convert Bing to HTTPS, and lists it as “Partial, buggy” – meaning that although some parts of the site work via HTTPS, others don’t, and the result breaks some of the site’s functionality.

So they’d have more work to do than just rewriting the protocol specifiers in their HTML (and HTML generators) – possibly considerably more. For all we know, they might be working on doing that right now…

jackn says:

“Verizon has stepped in as well, pointing out that if the original ruling is allowed to stand, it could have significant negative impact on the ability of US businesses to get non-US users to trust them — an increasingly important issue in light of the Snowden revelations. “

Verizon, go figure. They should read the text they release beforehand.

Anonymous Coward says:

So, the government can go shopping for warrants now

So, if every other nation decided to go with that same logic, that means if a government wants to get at digital emails/evidence, all they need to do is go to the country with the weakest privacy laws. Get a judge to sign off on a warrant there, and you can collect whatever digital information you want from anywhere in the world?

Yeah, that’s just insane.

The Wanderer (profile) says:

Re: So, the government can go shopping for warrants now

Well, there’s an argument to be made that the only reason the USA could do this to Microsoft is because Microsoft is an American company, operating out of America – albeit with offices and so forth in other countries as well.

Even if we don’t go that far, there’s also an argument to be made that only a country where Microsoft has a business presence could do this to Microsoft, and the worst penalty that could be applied if Microsoft refuses is to deny Microsoft permission to operate or otherwise do business in that country. That might still result in “any country in the world” being able to do it, but it would at least be a sufficiently logical-sounding limitation that courts – including international ones – might sign off on it…

Anonymous Coward says:

Another fine piece of “journalism” from Mr Masnick. This is a clear cut case of seeking information, and not search.

Most likley it has something to do with potentially opening doors to tax fraud using off shore stuff then protecting customers. After all, it was none other then shyster Bill Gates who whored himself out to NSA with Windows 95 backdoors.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...