Court Says Who Cares If Ireland Is Another Country, Of Course DOJ Can Use A Warrant To Demand Microsoft Cough Up Your Emails

from the say-what-now? dept

A NY judge has ruled against Microsoft in a rather important case concerning the powers of the Justice Department to go fishing for information in other countries — and what it means for privacy laws in those countries. As you may recall, back in April, we wrote about a magistrate judge first ruling that the DOJ could issue a warrant demanding email data that Microsoft held overseas, on servers in Dublin, Ireland. Microsoft challenged that, pointing out that you can’t issue a warrant in another country. However, the magistrate judge said that this “warrant” wasn’t really a “warrant” but a “hybrid warrant/subpoena.” That is when the DOJ wanted it to be like a warrant, it was. When it wanted it to be like a subpoena, it was.

Microsoft fought back, noting that the distinction between a warrant and a subpoena is a rather important one. And you can’t just say “hey, sure that’s a warrant, but we’ll pretend it’s a subpoena.” As Microsoft noted:

This interpretation not only blatantly rewrites the statute, it reads out of the Fourth Amendment the bedrock requirement that the Government must specify the place to be searched with particularity, effectively amending the Constitution for searches of communications held digitally. It would also authorize the Government (including state and local governments) to violate the territorial integrity of sovereign nations and circumvent the commitments made by the United States in mutual legal assistance treaties expressly designed to facilitate cross-border criminal investigations. If this is what Congress intended, it would have made its intent clear in the statute. But the language and the logic of the statute, as well as its legislative history, show that Congress used the word “warrant” in ECPA to mean “warrant,” and not some super-powerful “hybrid subpoena.” And Congress used the term “warrant” expecting that the Government would be bound by all the inherent limitations of warrants, including the limitation that warrants may not be issued to obtain evidence located in the territory of another sovereign nation.

The Government’s interpretation ignores the profound and well established differences between a warrant and a subpoena. A warrant gives the Government the power to seize evidence without notice or affording an opportunity to challenge the seizure in advance. But it requires a specific description (supported by probable cause) of the thing to be seized and the place to be searched and that place must be in the United States. A subpoena duces tecum, on the other hand, does not authorize a search and seizure of the private communications of a third party. Rather. it gives the Government the power to require a person to collect items within her possession, custody, or control, regardless of location, and bring them to court at an appointed time. It also affords the recipient an opportunity to move in advance to quash. Here, the Government wants to exploit the power of a warrant and the sweeping geographic scope of a subpoena, without having to comply with fundamental protections provided by either. There is not a shred of support in the statute or its legislative history for the proposition that Congress intended to allow the Government to mix and match like this. In fact, Congress recognized the basic distinction between a warrant and a subpoena in ECPA when it authorized the Government to obtain certain types of data with a subpoena or a “court order,” but required a warrant to obtain a person’s most sensitive and constitutionally protected information — the contents of emails less than 6 months old.

The DOJ hit back earlier this month by basically saying, “yeah, whatever, let’s pretend it’s a subpoena and give us what we want already.”

Overseas records must be disclosed domestically when a valid subpoena, order, or warrant compels their production. The disclosure of records under such circumstances has never been considered tantamount to a physical search under Fourth Amendment principles, and Microsoft is mistaken to argue that the SCA provides for an overseas search here. As there is no overseas search or seizure, Microsoft?s reliance on principles of extra-territoriality and comity falls wide of the mark.

Unfortunately, it appears that the judge just went with the DOJ’s reasoning — though, immediately stayed the ruling since Microsoft made it clear it plans to appeal. Judge Loretta Preska basically just upheld the magistrate judge’s ruling that Microsoft could, in fact, be compelled to hand over data held overseas via a warrant under ECPA, the Electronic Communications and Privacy Act (which we’ve already noted has tremendous problems and needs to be reformed).

Beyond the problems this has for the 4th Amendment in the US, it’s also going to create a mess in Europe, where they have much stricter data privacy rules, and where something like ECPA is clearly a problem. For the US to argue that it can make ECPA reach across the ocean into European servers is going to be a big problem — especially at a time when Europeans are (rightfully) distrustful of the US government’s ability to snoop on their data.

Filed Under: , , , , , , , , , ,
Companies: microsoft

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Court Says Who Cares If Ireland Is Another Country, Of Course DOJ Can Use A Warrant To Demand Microsoft Cough Up Your Emails”

Subscribe: RSS Leave a comment
64 Comments
Anonymous Coward says:

Re: So, if US Law applies everywhere...

this is a very bad decision…if this thing stands… i think we’ll start seeing the Muslim countries demanding that Sharia law should apply to USA too, to all people … who cares what their religious beliefs might be.

The old saying goes both ways… what’s good for the goose is good for the gander too.

looks like we’ll start seeing mandatory public amputations and executions by stoning to death in the USA.

Anonymous Coward says:

and when someone from another country wants info from the USA what will they be told? i hear a resounding ‘fuck off’! what the hell is wrong with judges and security forces in the USA? they seem to think that they can get anything, from anyone, anywhere but when the shoe is on the other foot, stop the same thing from happening in reverse! and as for what Bharara or whatever his name is, he needs to stop and think of the consequences to USA firms and people when their details are wanted by overseas courts. it definitely hasn’t been thought through very well, as usual, thinking only of what is wanted in this particular case.

Anonymous Coward says:

Re: Re: Re:

why wage war? If the rest of the world decides to just get rid of all US bonds, the USA will be bankrupt in less than 24 hours.

That is the reality and so far the downsides of doing that were bigger then the upsides. The current bullying tactics and warmongering of the US government are in the process of turning that equation around. Already large parts of the world are rejecting the dollar in trade relations. The US position is not nearly as safe as you might think.

Anonymous Anonymous Coward says:

Judges

All over the world some judges wake up with the intent of doing good. Then reality hits them in the face as they take the bench, and as the power soaks in it clouds reason and enthralls them with that which they can actually order.

And then they do. And then the rest of their judge community groans their internal groan and prepare to deal with the fall-out. And then the offending judge…well nothing.

That One Guy (profile) says:

Oh yeah, this'll help restore trust in the US

Just waiting for when a US judge flat out orders a multi-national company to break the law in another country, by ordering them to hand over data from another country, in clear violation of that country’s privacy and data sharing laws.

Even better, I’m sure the judge will see no problem with an order like that, and just tell the company ‘It’s your problem to deal with, all I want is the data, I don’t care what laws you have to break to get it.'(though I imagine they won’t say that last bit out loud)

G Thompson (profile) says:

Re: Oh yeah, this'll help restore trust in the US

Well why would a US judge care, they’d just point towards there Qualified immunity that of course stops them from being indicted, charged, sentenced, sued, etc

Oh wait.. that Immunity only applies within the USA.. hmmm I wonder how many Judges like to travel overseas and wont be able to anymore. So sad

Anonymous Coward says:

Re: Oh yeah, this'll help restore trust in the US

If this doesn’t get overruled, it will make US cloud services virtually unusable for EU businesses, because they’ll no longer be able to comply with the Data Protection mandate.

Such considerations aren’t supposed to affect judges’ interpretation of the law, although it might make them decide that such subpoena is unreasonably burdensome. However, it should get the Treasury to send a rocket to the DoJ, and they’ll issue a “clarification”, especially when their political masters realise what’s going on.

hydroxide (profile) says:

Well, if she insists...

on instigating a criminal conspiracy against European citizens, I’m sure there’s a jail cell available for her in Europe. I hear the Dutch have to shut down prisons because they can’t fill them.

What’s clear is that any employee of Microsoft Ireland is legally bound to tell MS in the US where they can shove their warrant OR subpoena, as NEITHER has any force whatsoever in Europe.

There are procedures established through international law enforcement cooperation to get one’s hand on such data in valid cases. This is merely an attempt by the DOJ to violate international and European law, and the court is aiding and abetting in that.

Anonymous Coward says:

This'll be great for the IT economy

Consider: you are a citizen of France or Germany or Italy. Your data is held on servers physically located in your country BUT those servers are owned by the local branch of an American company.

The American government is insisting that even though it’s your personal data located on servers in your country, its laws applies, not your country’s.

How long will it be before you and 50,000,000 others decide not to keep your data there?

Anonymous Coward says:

Re: Re:

Good luck getting that through our referendum process.

There’s enough innate animosity to Yanks and Poms as it is. Our pollies may want one thing but they would have to get it passed through a national vote first and on the basis of past efforts, that is more than likely to fail badly.

Michael Vilain (user link) says:

Let an Irish Magistrate try the reverse on this judge

I’d love to see a couple if Detective Chief Inspectors with their State Department minders present a warrant for the search of the Judge’s computer for emails pertinent to the case. I’m sure Microsoft Ireland could convince a Judge over there that there’s some sort of payoff going on and they want to “have a look” at her computer, just like MI5 looked at the Guardian’s computers.

Oh, the hijinks that would ensure.

lfroen (profile) says:

Nothing to see here

As non-US person, I must say this is blown out of proportion. Common sense says, that my local court can request data from me, even if I store it on Amazon/Google/Dropbox or any other “cloud” service located nobody-knows-where-exactly.
Exactly same thing going on here, where judge correctly pointed out that data is not a document or object. And as was repeated many times on this very site – data can’t be “owned”, only copyrighted, patented and so on.

I also must note, that I couldn’t care less about kind of form judge must fill. Be it “order”, or “subpoena”, or “hybrid warrant/subpoena” or purple scroll. That’s issue of US bureaucracy.

Bottom line is clear – MS has office in US, data is stored on MS’s server and judge ordered a copy. Because “has office in US” part, MS must comply. “Privacy protection” laws in Europe are as stupid as “right to forget” – by same token they can outlaw gravity.

hydroxide (profile) says:

Re: Nothing to see here

As non-US person, I must say this is blown out of proportion. Common sense says, that my local court can request data from me, even if I store it on Amazon/Google/Dropbox or any other “cloud” service located nobody-knows-where-exactly.
Exactly same thing going on here, where judge correctly pointed out that data is not a document or object.

You could not possibly be further from the truth.

A local court can request YOUR data from YOU because it is YOUR data.

That’s not the case here, Microsoft is merely STORING the data for others, and it is doing so under specific laws.

Bottom line is clear – MS has office in US, data is stored on MS’s server and judge ordered a copy. Because “has office in US” part, MS must comply.

Nope. The servers belong to Microsoft Ireland, which doesn’t have an office in the US, merely an owner.

“Privacy protection” laws in Europe are as stupid as “right to forget” – by same token they can outlaw gravity.

We have jails aplenty to teach you otherwise.

lfroen (profile) says:

Re: Re: Nothing to see here

> Nope. The servers belong to Microsoft Ireland, which doesn’t have an office in the US, merely an owner.

Say wwwwhat? By this logic, if I have a warehouse, here, and you rent it, and put your stuff in there, local judge can’t order me to open the warehouse and examine content just because stuff doesn’t belong to me? Common sense just doesn’t work this way: judge can order a owner of a property to do something with said property.

>>> That’s not the case here, Microsoft is merely STORING the data for others, and it is doing so under specific laws.
You probably talking about laws of physics, because other laws are irrelevant. What if MS using sort of distributed file system, where files are spread (shadowed/mirrored) all over the world? Will you apply jurisdiction per filesystem block? Your idea about “specific laws” is ridiculous.

>> We have jails aplenty to teach you otherwise.
Putting someone in jail doesn’t make law more just or less stupid. Some people were burned at stake, and this didn’t make heresy laws sensible.

Anonymous Coward says:

Re: Re: Re: Nothing to see here

more correctly, would be if you had a warehouse in another country and local judge ordered you to open it up. He has no authority to do so since it is in another jurisdiction in another country.

It would require getting the co-operation of the foreign government and courts to force you to open up.

Anonymous Coward says:

Re: Re: Re: Nothing to see here

The servers are in Ireland and belong to MS Ireland, which is a separate company which just happens to be owned by MS USA (possibly indirectly). MS USA must hand over what it has, and it can be ordered to send any instructions it wants to MS Ireland, but MS Ireland’s officials aren’t bound by the US court order and can’t be disciplined for refusing to follow instructions which are illegal in Ireland.

If the CEO of MS Ireland were to order his staff to hand over the information, he’d be breaking Irish laws, the employees would be protected if they refused (and guilty if they complied), and the fact that his shareholders ordered him to do it wouldn’t be a valid defence.

If MS USA has a back door in their servers, and MS Ireland know about it, they’re breaking their obligations to store the data securely. If they don’t know about it, then if MS USA were to use it, they’d be breaking Irelands anti-hacking laws, and so would the individuals in question. (That could be especially amusing if Ireland has something equivalent to RICO.)

hydroxide (profile) says:

You still don't get it

Say wwwwhat? By this logic, if I have a warehouse, here, and you rent it, and put your stuff in there, local judge can’t order me to open the warehouse and examine content just because stuff doesn’t belong to me?

Except the servers aren’t rented. They are the property of MS-Ireland, too. And no, local judges would have a search warrant against the person who rented it, yes.

You probably talking about laws of physics, because other laws are irrelevant.

Quite the contrary. Irish laws are the only thing that’s relevant for servers in ireland.

What if MS using sort of distributed file system, where files are spread (shadowed/mirrored) all over the world? Will you apply jurisdiction per filesystem block? Your idea about “specific laws” is ridiculous.

No, your ideas are ridiculous. You miss that to install such a file system, MS would have to move the data out of Europe, which is covered by very strict laws.

Putting someone in jail doesn’t make law more just or less stupid. Some people were burned at stake, and this didn’t make heresy laws sensible.

And your lack of understanding of legal matters doesn’t make laws “stupid”. It says more about you than the law.

Rikuo (profile) says:

I simply don’t see this working. (Irish person here). I can imagine, hypothetically, Microsoft USA sending orders down the chain of command (if they complied with the court order) to Microsoft Ireland, but at that point…what are the MS Ireland employees going to do? They’ll talk with their legal department, legal will say “Fuck no, we have data protection laws” and the MS Ireland employees will reply back to Redmond, Washington saying “Sorry, no, we will not be complicit in breaking the laws of our sovereign country“.
At that point, what is MS USA supposed to do? Fly over here to Dublin and physically do the US’s court order? They’d be known and arrested at the airport for conspiracy to commit a crime.

Rikuo (profile) says:

This has me scratching my noggin as to just why the US Department of “Justice” seems so allergic to following rules and producers. What’s wrong with working through Interpol and An Garda Síochána (Irish police force) to get the information needed? It wouldn’t be creating this diplomatic and political hassle at all if the US just fucking asked for cooperation in the matter.

Anonymous Coward says:

Re: Re:

It wouldn’t be creating this diplomatic and political hassle at all if the US just fucking asked for cooperation in the matter.

It’s an intentional diplomatic insult by the United States directed to the Republic of Ireland.

Not sure exactly what the Irish did to the Obama administratio to piss ’em off, but the Obama administration is retaliating.

Diplomatically.

Rikuo (profile) says:

Anyone know if the people in Microsoft’s headquarters in Redmond have access to data stored on MS Ireland servers, or is the only way MS USA could get at the data is to ask/order MS Ireland to produce it?
If the latter, then MS USA can’t do anything. MS Ireland employees will just say no to the order, and they can’t be disciplined over the matter. They’ll know that if they get fired over this, they can sue Microsoft for punishing them for not committing a crime. Anyone know if these Irish employees could also bring a case internationally against the US government for starting this whole mess (either the employees or Microsoft Ireland/USA).

Anonymous Coward says:

The World At War - Against US

Lets see: we’re attacking Putin/Russia on their policy in the Ukraine. We’re attacking Israel on their policy in Gaza, we’re attacking Europe and Britain by demanding data on things that are none of our business. We keep this up for much longer, we won’t have to wonder what they think. They’ll all declare war on us. Any such actions by anybody outside of the US TO the US would be regarded as an act of war by Congress. Why do we think we can get away with it?

Anonymous Coward says:

Wait til the russian or iranian government asks for email data for say an american charity ,ngo,
OR american journalist from yahoo or google that did some work in iran or russia or travelled thru russia .
Say some one has a blog in the us that someone says insults the iranian government ,
or breaks russian law ,
say reveals corruption in russian government .

Will they be able to acess all the email data of a us citizen or journalist from an american gmail server .

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »