Another Judge Says The Microsoft Decision Doesn't Matter; Orders Google To Hand Over Overseas Data

from the when-reality-is-complicated,-simply-ignore-it dept

Microsoft may not have to respond to government demands for US persons’ data held overseas, but it looks like everyone else (specifically, Google) will have to keep trawling their foreign data stores for US law enforcement.

The Second Circuit Appeals Court ruled US government warrants don’t apply to overseas data. Courts outside of the Second Circuit are finding this ruling doesn’t apply to Google’s foreign data storage. The most obvious reason for this is other circuits aren’t bound by this decision. The less obvious reason has to do with how Google stores its data.

As Google describes it, communications and data are in constant motion, moving in and out of the country as needed for maximum efficiency. When a warrant arrives, Google gathers everything it finds in its domestic servers but hands back a null response to data currently held overseas. Sometimes what Google hands law enforcement is nothing more than unusable digital fragments. Obviously, the government isn’t happy with this new status quo.

And it is a new status quo, as is pointed out in this ruling [PDF] by a DC magistrate judge [via]. The ruling here aligns itself with one handed down in Pennsylvania earlier this year. In that decision — like in this one — the judge noted Google used to capture everything requested, no matter where it was located. It’s only very recently Google has refused to chase down data (and data fragments) located in servers around the world.

The process was described this way in the Pennsylvania decision:

Google stores user data in various locations, some of which are in the United States and some of which are in countries outside the United States. Some user files may be broken into component parts, and different parts of a single file may be stored in different locations (and, accordingly, different countries) at the same time. Google operates a state-of-the-art intelligent network that, with respect to some types of data, including some of the data at issue in this case, automatically moves data from one location on Google’s network to another as frequently as needed to optimize for performance, reliability, and other efficiencies.

As a result, the country or countries in which specific user data, or components of that data, is located may change. It is possible that the network will change the location of data between the time when the legal process is sought and when it is served. As such, Google contends that it does not currently have the capability, for all of its services, to determine the location of the data and produce that data to a human user at any particular point in time.

Nothing has changed here. And nothing has changed in terms of legal analysis, despite this memorandum order being issued in a DC court. The court finds Google does not effect a seizure of requested data because it simply makes a copy of it. It also points out (and Google concedes) that it does not act as a government agent when it does this, despite the only reason for Google’s copying of the data is to respond to a government warrant. The court notes the Stored Communications Act does carry privacy implications, but only as far as the private entity’s actions — not the government’s demands. The court’s analysis states the SCA provisions only prohibits unlawful access (such as hacking) while regulating companies’ responses to government demands.

The court goes on to say Google’s view of its legal responsibilities is completely untenable. Because of the transitory nature of Google’s data handling, it would never be able to fully comply with demands for records, no matter which country issued the order.

Finally, it must be said that the above Morrison analysis of the operative sections of the SCA has the added benefit of avoiding the bizarre results that application of the Microsoft decision to modern data networks like Google’s would produce. If that decision’s focus on the physical location of the data’s storage were to be applied to service providers using such networks, the records and information the government would receive in response to an SCA warrant may differ significantly depending on the date on which the warrant is served. Indeed, the same warrant served on ten different days may well produce ten different results depending on where on the network the shards of responsive data are located at the moment each warrant is served. Such random results — generated by a computer algorithm — would serve the interests of neither privacy nor international comity.

Compounding the problem, even assuming the service provider could and would identify for law enforcement the location of the foreign-based servers on which the missing data was stored (as Google refused to do here), that knowledge would effectively be useless to the government here. By the time the government could initiate the international legal process necessary to obtain the missing data from wherever it was stored, it is entirely possible that the network would have relocated the data yet again to a server in a different country. Moreover, it is Google’s position that it need not respond overseas to any such international legal requests because it is only at its headquarters in California that its data can be accessed and compiled into a recognizable electronic file. Thus, in Google’s view, the only means available to obtain records and information related to a Google account is by serving an SCA warrant on its LIS team in California.

The magistrate says that’s not going to work — not under the stipulations of the SCA. In fact, it’s just not going to work at all because of Google’s data-handling. It may be primed for efficiency, but does little to help it comply with warrants.

To reach the conclusion advanced by Google here, the Court would need to find that a properly-issued SCA warrant requiring the disclosure to law enforcement in the United States from Google’s headquarters in the United States of digital files accessible only from the United States constitutes an extraterritorial application of the SCA simply because pieces of data that make up those files were stored on a server located outside the United States at the moment in time the warrant was executed. Because such a conclusion runs contrary to the straightforward extraterritorial analysis of the SCA under Morrison detailed above, the Court finds that Google has not shown cause for its failure to produce all the records and information called for in the instant warrant within its possession, custody, or control.

In the end, the court orders Google to ignore the realities of its data flow. It may make things easier for law enforcement, but it has very little to do with keeping the government within its jurisdictional confines.

Google’s LIS representatives in California can access, compile, and disclose to the government those records and information with the push of a button and “without ever leaving their desks in the United States.” Microsoft, 829 F.3d at 229 (Lynch, J., concurring). Because that “entire process takes place domestically,” id., Google will be ordered to comply with the warrant in full, and to disclose to the government all responsive electronic records and infonnation identified in Attachment B to the warrant within its possession, custody or control, wherever those records and information may be electronically stored.

In essence, Google is being ordered to act as a government agent to secure all requested data wherever it happens to reside. Since it can do it from a California office, the court reasons nothing foreign is touched — at least not by the government. Once it’s all packaged up locally, the local boys can access it without fear of a suppression challenge.

Filed Under: , , , , , , ,
Companies: google, microsoft

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Another Judge Says The Microsoft Decision Doesn't Matter; Orders Google To Hand Over Overseas Data”

Subscribe: RSS Leave a comment
That One Guy (profile) says:

Turnabout is fair play

In essence, Google is being ordered to act as a government agent to secure all requested data wherever it happens to reside. Since it can do it from a California office, the court reasons nothing foreign is touched — at least not by the government. Once it’s all packaged up locally, the local boys can access it without fear of a suppression challenge.

By that argument any other country that google has offices in could also order the company to hand over US based data by claiming that the company isn’t demanding foreign-located information, but merely local, and the US person(s) involved wouldn’t have grounds to object because the ‘collection’ took place entirely within the country.

As for the ‘It’s not the government doing it, it’s entirely Google’, that’s complete and total garbage. Google is only performing the action under order of the government. If the government couldn’t do it itself, forcing someone else to do it and then pretending that they’re doing it entirely on their own is absurd, and ignores the limits of the law entirely though sleazy reasoning. If the government forces someone to do something then they are acting on the government’s behalf when they do it.

aerinai says:

Government has a point...

The choice of Google not to stitch these files together seems to be the choice of Google; This isn’t a technical issue, its an issue of whether or not Google will comply (because it obviously has the means to).

In light of the Microsoft case, I’d say Google has every right to withhold that information, but it does seem a bit like Google does say it is above the law… which I’m also not about.

Quite literally a convoluted network management solution of a company (regardless of how justified or efficient) is no better than the NSA saying “we cant tell how many people’s privacy we are tromping on because we will violate people’s privacy to find out”.

I’m a fan of accountability and the police doing the right thing (like requesting warrants). It is rulings like this that makes officer’s bend the law and do parallel construction and other nefarious backroom hacking… That helps no one. Just saying…

TKnarr (profile) says:

Re: Government has a point...

I suppose Google does have the means to comply with the order, by simply changing how it manages data. The question is, does it have to change how it manages it’s data so that it can comply?

That question isn’t just an abstract question about network management, it implicates a lot of other very concrete aspects of law. For instance, a person can set up their finances so all their income is earned in the name of and goes to an overseas trust which buys what it’s trustees (who happen to be the person in question and a couple of people he employs for the purpose of agreeing with his decisions) tells it to and lets the trust’s beneficiary (also the person in question) use it. That way the person has no income and no assets in the US and none of the trust’s income is under US jurisdiction, so they don’t have to pay US income tax on anything. That person can easily change their finances to bring all of their income under US jurisdiction. Assuming that the trust arrangement is legal, is that person then obligated to change their finances so the US can collect income tax from them?

The question’s the same in both cases. I do things in X way. The government orders me to give it something it’s entitled to ask me for. As it stands I’d only have to turn over A to comply with their order, but if I stop doing things X way and do them Z way instead then I’d have to turn over B, C, and D in addition to just A. Both X and Z are perfectly legal ways of doing things. The government would prefer I turn over A, B, C, and D. Am I obliged to change how I do things to suit their preference, or am I entitled to turn over only A and tell them to go pound sand as far as B, C, and D go until they can get the law changed to make doing things X way no longer legal?

Anonymous Coward says:

Re: Re: Government has a point...

Google’s American employees do have control over the data, and I don’t think it’s (entirely) crazy for that to impact the legal analysis. They could have set it up (and still should) so that no American employee ever has control over the data.* For example, encrypt it with a key that never enters the USA.

* More generally, they could set it up so a user’s key is never in their home country.

Jeff Green (profile) says:

Re: Re: Re:2 Government has a point...

And not constructing such a system could see Google banned from handling personal data anywhere outside the states and its satellite nations. For instance it is a very clear breach of EU law for Google to comply with this court order.

US courts have always had a tendency to regard the rest of the world as fair game, while regarding all actions on US soil as immune from any foreign action.

This is the sort of attitude that is common an acceptable in 5 year old children …

Cowardly Lion says:

Re: Re: Re:3 Sad day to be an LEO

Google would likely be in breach of EU law, although to be said, it’s not totally clear what’s meant by a "Person’s data". It might be an eMail or bank record but then again it might be an mp3 track stored in a cloud somewhere.

More food for thought; a lot of organisations that handle personal, sensitive or restricted data quite often prevent anyone within their organisation from having actual sight of the data, and that can include the hard-core admins. It’s only when data enters or exits their platform that data becomes plaintext, or meaningful. And that perimeter can be on someone’s application or browser in an entirely different jurisdiction.

Anonymous Coward says:

Re: Re: Re:4 Sad day to be an LEO

More food for thought; a lot of organisations that handle personal, sensitive or restricted data quite often prevent anyone within their organisation from having actual sight of the data, and that can include the hard-core admins.

The loophole is the hardcore admins can be ordered by their local jurisdiction to reconfigure things so that data is visible. As is the implication in this case with Google: "Your current methods are not favorable to us, so change them so they are favorable, or else."

Is it political suicide? In the US I’d wager not, and sadly, that is becoming my default opinion for every nation around the world. As nations have woken up to the idea that they can use the technology to control their populous without fear of penalty, they are increasingly becoming more tyrannical in how they shape it’s policy.

Just because you can shift the location of data doesn’t mean that you’ll be able to. If anything will kill the internet, (or at least the modern version of it), it will be the governments of the world abusing it to the point that it’s only primary use in practice will be for spying on and controlling the lives of citizens.

Anonymous Coward says:

Re: Government has a point...

Let’s say I own a U.S. based bus company with services in many countries around the world. One country of my service is Ecuador (which has no extradition treaty with the U.S.). Can the U.S. government force me to change my business model in Ecuador, rerouting a particular bus with a wanted fugitive onboard when they demand, so that I cross borders with an extadition-friendly country on the way to the actual destination?

Anonymous Coward says:

Nice to see a judge who isn’t hoodwinked by big companies playing ‘we are American ‘ and ‘nothing we do is American ‘.

The data is available to and generally controlled by the US parent company. What physical device it is on should not be material. Otherwise all US companies would just offshore all IT operations and nake all of their business records out of bounds.

Roger Strong (profile) says:

Re: Re:

And the implications of that?

Google is a multinational company with offices and doing business in more than 40 countries around the world. It has product research and development operations in cities around the world. They are subject to the laws of those countries just as much as to American law.

Sure, American law will likely set the standard for how Google responds to one country’s request for data beyond it’s borders. And then other countries will expect no less.

An American company or person has upset authorities in Turkey? Their court will be able to demand international data – including on American servers – too.

Anomalous Coward says:

Re: Re: Time to re-incorporate in another country

Unless you are incorporated in a country that doesn’t take such an intrusive view of the world’s data (say Nevis or Anguilla), there will always be some pressure from the government of the incorporating country to have you cough up data.

That the US has a particularly disturbing history of extra-territorially imposing its laws on other countries and citizens of other countries is cause for concern.

Better for Google, et. al. to re-incorporate in another country, change the composition of its Board to be majority non-American (and have no American C-level executives).

Anonymous Coward says:

Awesome video on the leftist victim mentality

Leftists need to watch this or remain willfully ignorant. Today we saw the leftists violence leave a congressman in critical condition. Leftists policies always lead to violence and ultimately death. If it could be defended with speech, as is often the battle cry here, it would be. But it can’t so it needs violence to oppress opposition.

Anonymous Coward says:

Re: Re: Awesome video on the leftist victim mentality

That is always the response from the left when confronted with the truth about their violent ideology. Just look at the violent protests that take place almost weekly now. Look at Madonna saying she wants to blow up the Whitehouse. Look at Kathy Griffin perform a mock beheading of the President. Look at the 100 million people killed by Socialism and Communism in the last 100+ years and the cry of the left to bring that ideology here. Look at abortion killing a million children every year. Every where you look on the left is death and misery. Just ask Venezuela, once praised as the model of the left, even praised by Bernie Sanders.

Anonymous Coward says:

Re: Re: Re:2 Awesome video on the leftist victim mentality

I don’t follow your argument. There is no doubt that leftists employ the “victim mentality”, just consider Thad and his “dog whistle” “secret message” fantasy. The leftists in the US are have coalesced around minorities who display their victimhood as a badge of honor and now want to create a “second class” of white citizens, even banning them from University campuses and using violence to suppress free speech.

I thought the post was rather insightful, irrespective of your “cognitive dissonance”, which I don’t think applies here.

Anonymous Coward says:

Re: Re: Re:2 Awesome video on the leftist victim mentality

Humor, right? Thank you for that. I like humor.

Imagine, just for a moment, Techdirt without censoring. When two different opinions, or even three, are allowed to be displayed without the fear based censorship displayed above.

When you hide the dissent, and display only the vitriol, you damage your own cause.

I would also respectfully point out that if you had a point, you would just present it, and not have to resort to either nasty language or humor. You have no argument to present, right, that’s why you go this route. I believe your behavior is exactly consistent with the original poster’s message – you are a leftist, you have nothing to say, so you resort for to rhetorical violence, and later to physical violence, like Berkeley and others.

Talmyr (profile) says:

Re: Awesome video on the leftist victim mentality

Looks like the “leftists” are finally learning to live down to your “Second Amendment solutions” and using their easy access to weapons of mass murder to attempt to use them as designed. If only at least one side of the partisan divide weren’t so gun happy but wanted stringent gun controls! If only at least one side of the partisan divide didn’t want every crazy, criminal, and terrorist to have their ‘Constitutionally mandated’ access to firearms!

It’s a shame people had to get hurt in the crossfire of ideas. Good thing none of them were inveterate NRA supporters or the irony would be palpable. Almost like the irony of voting away people’s healthcare then needing your own government-handout healthcare to save your life…

Anonymous Coward says:

Re: Re: Awesome video on the leftist victim mentality

Prohibition didn’t work and in fact gave rise to the mob. The drug war has been raging for decades and is costing $21 billion per year now. So please explain to me how making guns illegal will actually get them out of criminals hands.

Wendy Cockcroft (user link) says:

Re: Re: Re: Awesome video on the leftist victim mentality

Strawman; nobody is trying to make guns or the ownership thereof illegal on principle. Some people have proposed and enacted some misguided laws in an effort to limit the kind of guns available to the public, that’s true, but nobody, as far as I know, is actually trying to ban all guns and gun ownership. They just want to limit ownership to sane law-abiding citizens.

Anonymous Coward says:

The problem isn’t the U.S. government–there’s always _some_ government; the problem is that what one government may do, the others may do also.

What’s to keep some Chinese lawyer presenting a demand–blessed with all the forms of Chinese legality that good money can bribe–demanding the trade secrets of some American company, because, after all, part of those secrets might have once resided on a server in Hong Kong?

Google needs to clarify their own jurisdiction; and if the intent is to maintain the data outside the U.S. (as EU laws may require), then having it “sometimes in the U.S.” isn’t going to be a workable solution.

Arthur Moore (profile) says:

Re: Re:

EU laws may require

This is going to bite them so hard. The moment it’s an EU citizens data in question Google is going to face massive EU fines. Except, if they don’t comply they’re in contempt in the US.

This is exactly the reason why Microsoft has refused to turn over the data. They know that the moment they do so the EU will burn them alive.

Bruce C. says:

They could treat it like foreign profits...

US only taxes foreign earnings if they are imported into the US. Using this analogy on data, if it’s ever accessed for business purposes within the jurisdiction of the US, then the US isn’t forcing Google to do anything it wouldn’t normally do with the data within the US jurisdiction.

OTOH, Google may very consciously keep foreign data out of the US, whether due to foreign regulations or simply because there is no business need to know. In cases where the data has never been “in” the US, I find it hard to see where the US can claim jurisdiction.

This approach addresses the shell-game (where is the data at the moment the order is served?) that the PA and DC courts are worried about, while still maintaining jurisdictional boundaries. The order would be valid if the data was ever in the US, but not if it was walled away from the US on an ongoing basis.

That One Guy (profile) says:

Re: Re: Foreign Laws

The data has no nationality, no. Where it’s located most certainly does have an impact.

If ‘it’s accessible in the US’ means that it’s not foreign when it comes to a US court demanding it be handed over, then by that same argument foreign courts can demand that US based data be handed over because google happens to have an office there.

Be very careful opening up that can of worms, as once open it can be easily used by others in ways you might not be so happy with.

Anonymous Coward says:

EU Applicability

All very interesting. The EU has already made it clear that it is prepared to play hardball to keep its citizens’ data private within the EU. This decision is a red flag and will inevitably have serious and unexpected consequences. The US legal system needs to stop confusing technical influence with legal remit.

Sok Puppette (profile) says:

Yeah, OK, whatever

Look folks. If you let somebody other than yourself hold your unencrypted data (or hold the keys to your encrypted data), then you can expect those data to be given to people you don’t want them given to.

That’s not a US law matter, and it’s not an international law matter. It’s a laws of physics matter. It will happen regardless of anybody’s laws.

Only idiots store anything in the cloud unencrypted if they don’t want it known.

The solutiond to this are decentralization, user-managed end-to-end cryptography, and stealth technology. Where that interacts with the law is in the need to keep those things from being forbidden (or to make it impossible to enforce any laws against them).

Spending time on some doomed attempt to keep governments from forcing corporations to turn over data is a distraction.

It may actually be a useful distraction, because as long as the governments think they can get what they want by attacking Google or whoever, their attention doesn’t turn to finding ways to attack the actually effective technical approaches. With some luck, you might even get them to tie themselves up in giant nets of treaties and precedents that would make it harder for them to interfere with anything actually effective once they figured out that they needed to.

But it’s not useful to drink your own Kool-Aid and think that you’ll ever get useful protection from Google, Microsoft, or anybody else.

Thad (user link) says:

Re: Re: Yeah, OK, whatever

I’m not the person you asked, but I hope you don’t mind my answering:

do you have any opinion about whether this solution ("user-managed end-to-end cryptography") could be or should be open source?

It would have to be; how else could you verify that it worked as intended, and didn’t contain any nasty surprises?

Security through obscurity doesn’t work. Strong security is reproducible and verifiable. If an E2E encryption process works, then there’s no reason to hide the nature of how it works.

That’s not to say there are no vulnerabilities in open-source software; of course there are. There have been some extremely serious ones found in major projects like OpenSSL, after going undetected for years. That is seriously bad news. But "it was vulnerable because it was open-source" is the wrong conclusion to draw.

orbitalinsertion (profile) says:

Re: Yeah, OK, whatever

That’s great and i agree with a lot of your points, however, it is irrelevant and we are not discussing the woes of an individual targeted with this order.

The cloud, or companies, being crap, does not excuse governments and their courts from being crap.

Everything which may be abused (which is everything), will be abused. See? I told you so. Therefore you are all idiots. All your base nao morally belong to me, apparently.

Anonymous Coward says:

Re: Re: Re:

Not really. If Google is returning the contents of your emails, then the contents are copyrighted. But if it returns things like email date/sender/receiver or search history or a variety of other things, those aren’t copyrighted because they are simply a collection of facts, which aren’t (yet) copyright-able.

Anonymous Coward says:

law as written != law as intended

I think, just going by the rules as written (which determines what is legal), Google would neither be required nor allowed to serve up the data currently outside of the US. Of course warrants depend on their time of execution.

If I execute a search warrant on a physical property while someone has just departed with the eveidence, I won’t find anything. Just because it was once in that cupboard over there does not mean it will be forever, and a warrant for that cupboard will not extent to anything that has ever been or will ever be in that cupboard.

But the existing legislation written for a physical world often do not work very well in a modern digital context. Just as searching someones pocket contents in 1917 is very, very different from searching all digital devices carried in their pockets in 2017, other laws don’t translate well. You will need to update them.

You have an amorphous network of data that self-organizes, moves and copies according to current neeeds? It needs to be fair game for seizure from any government that has legal jurisdiction over part of that network. You want to obey several different legal privacy frameworks? Build different data networks, e.g. one North American, one European. As soon as the data moves automatically from one jurisdiction to another you need to submit it to both jurisdictions to avoid idiotic results as those described above, where any warrant is just a lucky grab for fragments to puzzle over, like a legalistic heartbleed exploit.

But such legal reforms need technically competent legislators, or competently advised legislators willing to *be* advised. Not to mention legislators without hidden agendas (like corruption, lobbying, thirst for power…). Since both are rare qualities, ever getting a majority having both those qualities seems unlikely.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...