Government Seeks Do-Over On Win For Microsoft And Its Overseas Data
from the please-please-please-let-me-get-what-I-want dept
The DOJ wants the Second Circuit Court of Appeals to revisit the decision it handed down in July — the one that’s preventing it from forcing Microsoft to hand over data stored on its servers in Ireland. The DOJ hoped the court would read the Stored Communications Act as applying to the location of the company served with the data request, rather than the actual location of the data. The Appeals Court disagreed with the lower court’s finding — one that dragged in the Patriot Act for some reason — pointing out that the purpose of the SCA was to protect the privacy of communications, not to facilitate the government in obtaining them.
The government has filed a petition [PDF] for a rehearing of the case, obviously in hopes of a reversal. Jennifer Daskal of Just Security has posted several reasons why the DOJ’s desired interpretation of the Stored Communications Act is dangerous, along with other problems arising from this decision.
To begin with, the decision raises new logistical issues, both for the government and the private companies served with these warrants.
According to the government, companies like Google and Yahoo! now need to ascertain the location of sought-after data “at the moment the warrant is served.” If the content is stored abroad, it is now “beyond the reach of a Section 2703 warrant, even when the account owner resides in the United States and the crime under investigation is entirely domestic.”
The court’s interpretation of the SCA theoretically means Google will never again have to turn over requested emails to law enforcement.
Moreover, in the case of Google, this data is also outside the reach of a MLA request “because only Google’s US-based employees can access customer email accounts, regardless of where they are stored.” (p.6) In other words, US law enforcement cannot access the data because it is outside the reach of the US warrant authority. And foreign governments cannot because they lack jurisdiction over the US-based employees that control the data. No law enforcement official can access it anywhere.
That being said, Daskal points out that the government also feels that just because it has a warrant, it should be able to demand the production of communications wherever, whenever. This flat assertion that warrants trump privacy in every case is every bit as one-sided as the DOJ’s theory that Google now has the option to rebuff warrants at its sole discretion.
The DOJ’s fears aren’t entirely unfeasible. Companies that sell their communications tools with privacy-heavy sales pitches could simply offshore their data storage to put it out of reach of SCA-citing warrants, turning the 2nd Circuit’s ruling into a middle finger to US law enforcement.
If this is going to be fixed in any sort of way that doesn’t turn this into a one-sided victory for service providers or the government, it’s probably going to need to be through legislation. The court’s revisitation of the issue (courts have generally been favorable to rehearing requests from the US government) may come to that very conclusion.
Indeed, the DOJ has already begun pushing for a legislative solution, albeit one that heavily favors the government. The DOJ wants existing Mutual Legal Assistance Treaties (MLATs) modified so the FBI, etc. can continue to compel the production of communications stored overseas without tripping over reluctant US service providers or statutory limitations built into the SCA.
As Daskal notes, Congress is better off addressing this issue sooner rather than later. Should the court reverse its decision and allow the FBI to demand communications from foreign data centers using nothing more than a warrant issued by a local magistrate, other countries far less concerned about US privacy protections will be sure to utilize the same tactics.
Yet I continue to have concerns about the result of a governmental win: the government gets free rein to compel any US-based provider to disclose any user’s data, without any constraint based on things like the location or nationality of the target. This is a rule that will be watched, and likely mimicked, by others.
Consider the broader implications: The United States would (or at least should) be concerned if foreign governments unilaterally demanded the unilateral production of US citizens and residents data. And in fact current US law prohibits US-based providers from responding to those demands—requiring that the foreign governments instead employ the MLA process and ultimately obtain a US warrant based on the US standard of probable cause. Foreign government also have an interest in controlling access to their residents data. Those interests ought to be taken into account.
Unfortunately, Congress doesn’t really have a great track record when it comes to legislative fixes for tech issues. We have a more technologically-adept set of legislators than we’ve ever had previously, but there are still many who won’t see the forest of implications for the law enforcement trees. But the situation may become much, much worse if left unattended.
Filed Under: doj, electronic surveillance, ireland, jurisdiction, stored communications, warrant
Companies: microsoft
Comments on “Government Seeks Do-Over On Win For Microsoft And Its Overseas Data”
Classic case of “do as I say, not as I do”?
New NSA tagline
All your data are belong to us!
A few years back, I would have said that was strictly the Chinese government. It’s pretty depressing.
Re: New NSA tagline
Who shouldn’t China, or Russia, or even France just do the same thing and say, here’s our warrant, we want access to Microsoft’s or Apple’s, or whoever’s servers in the U.S. Should they get that right? It’s the same thing the U.S. Government is trying to pull after all.
>Should the court reverse its decision and allow the FBI to demand communications from foreign data centers using nothing more than a warrant issued by a local magistrate, other countries far less concerned about US privacy protections will be sure to utilize the same tactics.
There is a simple way (currently in the process of implementation) to make sure there are no such countries.
Mutual Legal Asistance Treaties?
The DOJ wants existing Mutual Legal Assistance Treaties (MLATs) modified so the FBI, etc. can continue to compel the production of communications stored overseas without tripping over reluctant US service providers or statutory limitations built into the SCA.
Not sure what these are but if they’re real, legally binding treaties approved by the Senate and with foreign countries then the foreign countries need to approve a new treaty as well as the U. S. Senate. Could be tricky.
Re: Mutual Legal Asistance Treaties?
It’s actually worse than that. The EU has, historically, relaxed it’s privacy protections when dealing with US companies. The NSA leaks have caused them to now lean towards a “all EU data must be on EU soil” policy.
The big problem with this lawsuit is the data is on EU soil, but the US wants access to it without going through the EU. If the US wins the EU may go one step further and everything to be under the control of an EU company. A company that the US can not compel to divulge data.
This actually wouldn’t be too big of a deal for Microsoft and other big companies. Sure it wouldn’t be easy, but they’d basically set up subsidiaries in the EU to deal with it. The problem is any US company that stores user data would be required to have an EU subsidiary with at least one employee. Not exactly easy for things like a one man startup.
Re: Re: Mutual Legal Asistance Treaties?
Given the US government attitude, a subsidiary would still be under control of its US parent, and so its parent could compel it to produce the data. The law of unintended consequences could do severe damage to US companies.
It is also worth reminding people that Linux encryption development used to be carried out outside the US because of US laws, and so Linux and other FLOSS software can export development of parts of it by simply leaving the development up to foreign hackers. This could be the big advantage of the anarchistic overall development model.
Re: Mutual Legal Asistance Treaties?
But one case mentioned could easily be fixed:
> foreign governments cannot because they lack jurisdiction over the US-based employees that control the data.
The USA can change its own laws to allow this, without any new requirements on foreign governments. I.e., compel American employee to respond to a foreign requests that were initiated by American courts/police via MLATs.
REALLY?
you want our government to force its LAWS into another nation, and HACK a friendly nations PRIVATE servers, for a case of Corporate fraud??
YES, the word hack is correct, as it would involve the LAWS the USA has created.
WE HAVE NO rights against another nations LAWS.
We have no rights invading another nations computers.
We have NO rights invading PRIVATE servers of a company in ANOTHER NATION..
IF we had ANY OF THESE RIGHTS, why arent we investigating the BANK SERVERS IN THIS NATION, and following what the corps are DOING IN THIS NATION??
Re: REALLY?
Because whenever a government and its friends mess up a country, they find an external enemy to blame.
Re: REALLY?
The most heavily corrupted government comes to mind. A few bribes here and there and they ignore any crimes committed by said bribers.
All none of them
Should the court reverse its decision and allow the FBI to demand communications from foreign data centers using nothing more than a warrant issued by a local magistrate, other countries far less concerned about US privacy protections will be sure to utilize the same tactics.
Given how little the USG respects the privacy of US citizens I’m not sure if there are any other countries that would qualify for this position.
A more accurate line would perhaps be:
Should the court reverse its decision and allow the FBI to demand communications from foreign data centers using nothing more than a warrant issued by a local magistrate, other countries just as concerned about US privacy protections will be sure to utilize the same tactics.
Compeling
So the DOJ would seek to compel Microsoft to ex-filtrate the data from Ireland. I haven’t seen anyone consider of comment that such an act might be against the some Ireland law. I mean can the US government force someone to break the law?
Re: Compeling
Very likely to be in violation of EU data protection laws – which will have a Irish variant.
If only the DOJ went after Secretary of States like it does Microsoft
If only the DOJ would go after government leaders like it does American citizens, we would have justice.
Be careful what you wish for
If the feds win this case the US will get requests for the same thing from other countries. Even though they can and will refuse to hand US stored data to governments that request it, it will eventually turn into a real pain in the ass at the very least.
Re: Be careful what you wish for
Even though they can and will refuse to hand US stored data to governments that request it,
You’re kidding right? The NSA hands out US data to other spy agencies like it’s candy and every day is halloween, when the other agencies aren’t handing them US data in return.
Re: Re: Be careful what you wish for
That is sharing between spy agencies. It’s more of what appears to be a long standing quid pro quo arrangement between allies. What happens when Russia or China show up with a warrant?
If the data is offshore and is needed then work with the country in question to get the data via legal means. It’s very, very simple.
Blowback
Do this congress give the doj what it wants and then cry when Iran manages to get any information on any American citizen using social media, with the protection of social media entities like google not being allowed to notify anyone including congress.