US Judge Says Prosecutors Can Use A Warrant To Go Fishing For Information Held Overseas
from the jurisdiction:-the-whole-world dept
We’ve had some discussion concerning the NSA and its defenders arguing that the 4th Amendment doesn’t apply outside of the US, but it seems they also believe that the US jurisdiction applies basically anywhere when they want it to. While we recently wrote about magistrate judges pushing back on overly broad requests for information, that clearly is not absolute. Magistrate judge James Francis recently ruled that Microsoft needs to turn over data held on servers in Dublin, even though a US warrant isn’t supposed to apply outside the US. Microsoft, quite reasonably, sees this as a problem:
“A U.S. prosecutor cannot obtain a U.S. warrant to search someone’s home located in another country, just as another country’s prosecutor cannot obtain a court order in her home country to conduct a search in the United States,” the company said. “We think the same rules should apply in the online world, but the government disagrees.”
As does the judge. The judge’s own explanation is basically that he’s pretending the warrant is not a warrant, but a subpoena.
Francis agreed that this is true for “traditional” search warrants but not warrants seeking digital content, which are governed by a federal law called the Stored Communications Act.
A search warrant for email information, he said, is a “hybrid” order: obtained like a search warrant but executed like a subpoena for documents. Longstanding U.S. law holds that the recipient of a subpoena must provide the information sought, no matter where it is held, he said.
If the Stored Communications Act sounds familiar, that’s because it’s a part of ECPA, the horribly outdated law that we’ve been discussing for years concerning its need for reform. If this ruling stands (and Microsoft is already challenging it), it’ll be just one more thing that ECPA reform needs to tackle.
Filed Under: 4th amendment, international, james francis, privacy, prosecutors, warrants
Companies: microsoft
Comments on “US Judge Says Prosecutors Can Use A Warrant To Go Fishing For Information Held Overseas”
That certainly couldn't backfire...
Oh yeah, I’m sure this could in no way be used to help justify the drive several countries have to strengthen privacy and ‘data sharing’ laws in order to protect against the USG and keep their citizens’ information out of the USG’s hands… /s
Re: That certainly couldn't backfire...
Or, you know, people getting raided by foreign police agents.
You can’t have it both ways. If the 4th amendment doesn’t apply abroad then neither does the warrant. You don’t get to cherry pick which parts of the law you want to apply whenever it is convenient to your case.
Re: Re:
Perhaps you’ve not been paying attention to how the DoJ has been operating…
Re: Re:
Yes, we can. Or so the think 😉
Re: Re:
Fair enough…when the Saudi police are allowed to confiscate your computer based on violating the laws in their country, you come back and tell us again about “having it both ways.”
Just another nail in the US cloud coffin. No foreigners will want to do business with an American held company, even if American companies build their data centers on foreign soil to appease the privacy concerns of foreigners.
This judge just confirmed it doesn’t matter what jurisdiction a US company builds data centers in. They must comply with any and all requests the US Gov asks of them.
I’m going to start looking for a foreign held company to register an email address with. Maybe Germany or Russia.
Re: Re:
“I’m going to start looking for a foreign held company to register an email address with”
You don’t really have to even do that much. You can, quite easily, turn an old obsolete computer into your own email server. (a web search will lead you to instructions for how to do this, and even prebuilt images so you don’t have to do anything but supply the relevant information).
Register your own domain name, and you have as many email addresses as you want, all hosted on a machine you own and physically control. You will have to arrange for mail exchange with an upstream provider, but they won’t be storing your email. You will.
Re: Re: Re:
just make sure you do not use a US based registrar when you register your domains or ssl certs.
Re: Re: Re: Re:
just make sure you do not use an Earth-based registrar…
there, FTFY…
Re: Re: Re:2 Re:
Use your own country ccTLD and your own country’s registrar. That way, you are only subject to your own country’s law.
For instance, a Brazilian can use https://registro.br/ to register example.com.br.
Re: another company to register email
forget Germany or Russia, make that email company stationed out of North Korea since they have such a budding patent system and need more customers
Re: Re:
may I suggest:
https://mykolab.com/
Here we go again.
The Helms?Burton Act in 1996 attempted to extend US jurisdiction to foreign companies dealing with Cuba. The UK, EU, Canada and Mexico quickly enacted laws making it illegal for companies operating there to comply with Helms?Burton.
No doubt we’ll see the same response to the Stored Communications Act.
Re: Oh boy...
Looking it up on Wikipedia and Wikiwalking a bit, look what I found:
[…] On February 7, the United States Department of State declared on this matter that American law imposed upon American companies is applied regardless of the location of the company.
The USA does believe their laws apply to the whole world. As a non-USA citizen, that is very disturbing.
“Must be Prothero. I wish someone had the balls to tell that brat this station ain’t his playground.” – V for Vendetta
Change Prothero to US goverment, and station to planet, and the quote still works.
Where do you draw the line with this, though?
How many US companies would take advantage, and deliberately hide data in off-shore servers just to keep it away from US regulators?
Re: Re:
It seems pretty easy to me, and was mentioned in that article: warrants can’t cross national borders, but subpoenas can.
Re: Re: Re:
Actually just because the US justice system thinks subpoenas can cross jurisdictional boundaries doesn’t mean they can in actuality or practice.
Oh and if it’s for a criminal situation.. its a warrant no matter how they try to spin it.
Both EU & Irish law overrides whatever legal fictions the US wants to impose here though for a US company like MS its a LOSE-LOSE situation in that if they don’t comply via the US directive they can be sanctioned, whereas if they do comply with US order they will be in absolute breach of current laws (up to and including criminal ones) and will be held accountable that way too.
Re: Re: Re: Re:
Not sure where your legal theory comes from. MS holds that data in servers in Ireland. What’s to prevent them from transferring that data to the US and then complying? How does that put them “in absolute breach of current laws (up to and including criminal ones) “
Unless Ireland has some goofy law prohibiting the owner of data from transferring it to another country (which possibility is laughable, at best) there’s no exposure here for MS.
Sorry, but you’re talking out of your ass.
Re: Re: Re:2 Re:
The EU and a whole bunch of other countries (all Commonwealth cones too) actually has a Data law that states that data can not just be sent willy nilly around the planet without safeguards in place whether you are the owner of that data or not (though an owner does have more ability than most).
If that data has commercially sensitive information that has references to commercial and/or private Irish entities (or any other entities other than specifically and solely Microsoft) than the Data laws come into effect.
These laws are already causing US cloud companies no end of angst over compliance policies etc. And will cause more as these Rules and Regulations become more and more Consumer and privacy orientated.
If the US Courts want this data so badly they only need to apply through APPROPRIATE jurisdictional avenues with the Irish courts, but the egotistic nature of most American entities means they think they can just route through all due processes no matter what.. just because.. Fuckin Eagles!!
Re: Re: Re:2 Re:
Anonymous coward.
Your whole basis is incorrect. I actually have extensive experience with US and EU directives.
The data being requested is not MS data. They are a service processor only. The data is still the property of MS client.
So yes they would be held criminally liable for turning over their clients data.
Re: Re:
If it’s anything like US companies using foreign bank accounts to avoid paying taxes, it would will probably be the vast majority of them.
Techdirt again goes to great pains to oversimplify to the point of distortion. Warrants typically apply to physical objects. What seemingly is sought here is information stored in a digital format. It has no physical form, per se.
The non-physical state of stored information was considered when the Stored Communications Act was crafted. No surprises here. It’s a perfectly reasonable conclusion by Judge Francis.
Re: Re:
Judge Francis,
Quit posting as an Anonymous Coward.
Re: Re: Re:
Suck it, Red.
Re: Re:
Technically, information stored in electronic form does actually have physical form, but I get your point. What I don’t understand is why the physicality or nonphysicality makes any difference whatsoever in terms of how warrants should be handled. Why does this nonphysicality make the judge’s ruling reasonable? Can you explain?
Re: Re: Re:
Copyright theft, obviously.
Re: Re: Re:
Not my area of expertise, but it is more of a subpoena than a warrant. At the fundamental level a warrant gives the government the right to take. While a subpoena compels production of information (most often in the form of testimony). However records are subpoenaed routinely. Warrants seem more common in criminal matters while subpoenas appear to be mostly used in civil cases.
There’s also the jurisdictional question. You have to pay US taxes on your worldwide income if you’re a citizen, no matter where you reside (with a few exceptions). The government can try you for bribing a foreign government official even if the bribe occurred in another country and was legal in that country. So you may fulminate over the perceived injustice, but there’s really nothing going on here. There’s a lot of precedence and it looks as though the Stored Communications Act permits the government to petition for warrants that are administered like subpoenas. Moreover, I’d wager that this applies to foreign companies doing business in the US.
The EU has certain data protection enactments, and Dublin is in the EU, or it was the last time I looked.
I can’t see this sort of high-handed action by the US being viewed upon kindly by the EU without going through the proper channels to obtain such information.
Russia to issue subpoena for NSA database contents in 3…2…1…
Re: Re:
after all, “it’s just meta-data”.
Another fine piece of “journalism” from Mr Masnick: can’t distinct between subpoena and search.
BTW: once MS crooks access servers in Dublin from Redmond, guess where info is cached?
Re: Re:
Search??/
you do realize that Warrants are not just all “Search Warrants” don’t you?
In fact a Warrant is at its basics a writ issued by an authority for an otherwise illegal act to be committed with impunity. Therefore search, seizure, possession (in my jurisdiction only), Possessory, Execution, Arrest, etc are all forms of Warrants.. not just search
seems your comment was just another bit of uninformed blargha flargha from an AC
Re: Re: Re:
All warrants typically entail taking of possession. Whether an individual into custody, evidence; or the act of search is the act of possessing your domicile or vehicle or person for the purpose of examination.
Subpoenas largely seek to compel information. Documents, testimony and electronic files are the usual suspects.
The important point which you fail to address is this:
BTW: once MS crooks access servers in Dublin from Redmond, guess where info is cached?
That’s pretty much game, set and match.
Re: Re:
BTW: once MS crooks access servers in Dublin from Redmond, guess where info is cached?
What difference does it make? You state this like it makes a bit of difference that a server in Dublin should be “accessible” (or “searchable” or whatever other semantics you seem to think are important) because the USG says so.
Tell you what…since you appear to think this is such a great idea…in the previous sentence, replace “Dublin” with “Dallas,” and “USG” with “Saudi Arabia.” THEN let us know how you feel.
Re: Re: Re:
If the Saudi court ordered a Saudi company to provide information that was on the Saudi company’s server in Dallas, I’d have no issue with that.
You clowns like to talk about how the internet erases arbitrary geographic and political borders…. right up until the time that it doesn’t work in the way you like.
Re: Re: Re: Re:
So you have no problem with an Irish court ordering Microsoft Ireland to provide information from Microsoft US’s server in Dallas? Potentially on a US citizen? Because that’s a more direct comparison.
Even US defense contractors have a presence in other countries. Lockheed Martin Canada running the Canadian census for example. Or Boeing Canada and Sikorsky.
Should courts in Canada be able to order these companies to turn over the contents of their servers in the US? Especially that which may contain technical details of aircraft? (Keeping in that the Lockheed Martin F-35 and Sikorsky CH-148 Cyclone contracts have turned into utter fiascos at best, and will likely end up with Canadian courts examining the technical requirements in the contracts.)
Us clowns like to talk about how the internet erases arbitrary geographic and political borders…. right up until the time that it infringes on sovereignty.
Re: Re: Re: Re:
You clowns like to talk about how the law lets you fuck over whoever you want… right up until the time that it doesn’t work in the way you like.
Re: Re: Re:2 Re:
That’s true for James Clapper, violent cops, the MPAA/RIAA etc. Not nearly so much for the people here.
What is the underlying case. No one has mentioned who or what the prosecutor is after.
Recourse?
I understand the judge’s point. It’s called a warrant, but it is executed as if it were a subpoena by the company that is holding the user’s data. They’re not giving the warrant to the user, they’re giving the order to Microsoft, ordering it to turn over data on its servers in Ireland.
Nevertheless, it stinks. As a U.S. citizen, I could have the warrant quashed; I have Rights and I would have access to the legal system here. The “victim” over there would be told, well, sir, you’re a foreigner and so you have no protection under our Constitution, so you’re out of luck.
So in the end, if things were fair: They can have their warrants when the foreigners have recognized Constitutional protection from invalid probable cause.
Re: Recourse?
I wonder, what if the data is in Ireland but is owned by an American citizen?
I wouldn’t be surprised if this was also an attempt to retroactively make the shenanigans against Kim Dotcom legal.
Hey America, the rest of the world just called, go fuck yourself!
CEOs are going into jail anyway
Either they’re violating US laws or EU laws. Dear CEO, please choose which one you prefer 😉
Secede from U.S. and form new country where you are the only resident.
You will be the highest law in the land, so approve a warrant for government officials’ email.
U.S. must comply, after all they agree that warrants can cross country lines.
Leak entire contents of email to Internet.
U.S. goes bankrupt.
Problem, NSA?
Re: Re:
Great theory.. though lets look into my crystal ball and see what would occur in practice.
You Secede from the US, form some new jurisdiction.. lets call it Free-State
You are the law in Free-state.. You throw yourself a party.. Ego’s inflate everywhere in Free-state. All is well in your world.
You authorise a writ for a warrant of seizure to obtain US Governmental email. WOOT!
The US ignores you.
You jump up and down.. threaten everything..
The US Laughs at you.. the internet eats popcorn
You threaten more…
late one night masked people all in balck come into your compound find you and you are never EVER seen from again since your body was dropped into some ocean from a great height..
The world wonders..
a week goes by….
some new drama unfolds.. people forget about you.. popcorn sellers are saddened.
if law enforcement or whatever wanted to enter the USA to do the same thing here, they would be stopped or at least restricted. is this judge yet another moron who knows fuck all about the Internet but is still trying to keep his job and is making ridiculous rulings based on ‘how it was in yesteryear’? he would be better off getting out of the job, living off a pension 10x at least greater than an ordinary, hard worker gets as a paycheck each week, before he screws up even more! what a dipstick!!
If the US Courts want this data so badly they only need to apply through APPROPRIATE jurisdictional avenues with the Irish courts…….
This is where your argument lurches off the tracks. Microsoft is a US corporation which maintains a physical presence in Washington. Any warrant or subpoena is served upon MS at that address. The order is to produce certain information. Such production of information to comply with the order can take place entirely within the United States. That the information is located on a server in Ireland or any place else is meaningless.
Re: Re:
If it involves EU citizen private data ‘crossing’ an external EU border (say from Ireland to MS HQ) then EU rules apply eith a vengeance. Doesn’t matter where the person accessing the data is.
Re: Re:
So from your understanding the USA would then allow this to happen to non-US companies on non US soil then..
or is reciprocity only unilateral when it comes to the USA’s interests? hmmm.
And there have already been cases like this already where companies have had to refuse due to jurisdictional privacy issues where they are co-located. It’s not as cut and dry as you imagine. In fact its very very murky and fraught with a whole range of problems for MS or any company in this predicament.
Oh and they can fulfill the subpoena by attending and stating that due to legal jurisdictional sovereignty issues – criminal ones would be better for them – they are unable though not unwilling to comply . The court then has major problems and is in a pretty interesting bind (though i suspect a lower court or sensible magistrate judge would punt it up the line then).
Again this would of been fixed if they went the appropriate jurisdictional due process route.. Ego is better than comity though I gather in the USA shrugs
Re: Re:
[i]This is where your argument lurches off the tracks. Microsoft is a US corporation which maintains a physical presence in Washington[/i]
Keep in mind that if the data is in Ireland, you’re talking about Microsoft Ireland. And that with a physical presence in Ireland, Ireland’s data protection laws apply. It may very well be illegal for Microsoft Ireland to comply with the American judge’s order.
We’ve been through this before. The Helms?Burton Act in 1996 attempted to extend US jurisdiction to foreign companies dealing with Cuba. The UK, EU, Canada and Mexico quickly enacted laws making it illegal for companies operating there to comply with Helms?Burton.
The difference here is that the other countries already have data protection laws in place.
ESI or electronically stored information is always part of the discovery process if it will lead to evidence that will be admissible in court.
You have to give any information up that you have control over.
These rules help us do everything from collecting taxed to closing down sites with child pornography.
If the rules of another government do not forbid your giving the information up, then the court can compel you. If the foreign countries rules do forbid it, than you cannot be compelled because it is beyond your control. The court isn’t going to require you to break laws, treaties, etc.
That is what I remember from intellectual property. A real lawyer can probably clear up the matter in a paragraph or two.
We do not want people in American committing crimes and havign a sort of “immunity” because they store their information in another country.
We have treaties that allow for this type of thing with most of the countries we trade with.
We can extradite criminals from most of those countries to. e.g. a criminal who flees to Canada can frustrate extradition if the United States penalty is death. If not, the Canadians will usually hand them right over.
I feel your frustration with the American government. They cannot keep their own house in order, why do they get to tell other people what to do? I don’t blame you but this is a good rule. We don’t want justice prevented because their server is in another country.
If they have a right to write things to a server in a foreign country than they have a right to retrieve that information and present it to the court.
Re: Re:
We do not want people in American committing crimes and havign a sort of “immunity” because they store their information in another country.
What effectively invalidates this argument is that it applies both ways, in ways that the US government would never allow.
The Irish or Canadian or British governments could demand that Microsoft Ireland or Microsoft Canada or any other company, hand over information from US servers pertaining to a criminal investigation.
But that could include any investigation into the American government’s kidnapping and torture of their citizens a few years ago, or NSA spying. Those criminals could very well be past or current US officials.
Microsoft Ireland is owned by the Microsoft Corporation. So MS controls Microsoft Ireland, not vice versa. Same goes for Lockheed Martin, Boeing and Sikorsky.
Sovereignty? You Canadians are a joke. You have no real culture of your own and are indistinguishable from any other large, cold, boring upper midwestern state. You’re mostly viewed as an expansive version of North Dakota, though somewhat less interesting. Culturally, the only thing preserving whatever now passes as Canadian “culture” (other than hunting and fishing shows) are ghastly, legally- mandated, Canadian productions that no one watches.
The CFL is a joke and Canadian NHL teams routinely get punked by US teams. You send annoying hoards of your citizens to our southern climes fleeing your Arctic winters who demonstrate their cultural superiority by wearing socks with sandals and tipping 10%.
So piss on your sovereignty, it’s not like you use it in your relentless pursuit of statehood.
Microsoft Ireland is owned by the Microsoft Corporation.
And….? It still means that Microsoft has a presence in Ireland. The rules for one country’s court order for a server in the other, will work both ways.
Sovereignty? You Canadians are a joke.
Some day when you grow up, you’ll re-read posts your own posts. But don’t worry, your self-embarrassment doesn’t reflect badly on America. We have people like you too.
Canadian NHL teams routinely get punked by US teams.
Granted, without all that metal, the US hockey teams had an easier time going through customs on the way home from the Olympics.
So piss on your sovereignty
My point still stands: US sovereignty has the most to lose from this particular pissing match.
Euro Govt Data
Microsoft were already lining up their EMEA cloud operations for independence in preparation for the removal of the Safe Harbour agreements by the EU.
As there are many government departments from around the EU keeping data on the Dutch and Irish MS cloud servers, you can expect a serious blow-back from this. Indeed, MS went to the cost and trouble of securing BIL2 (a UK government security certification) for their EU cloud so that EU government departments could use it for Official and Official-Sensitive documents. If the US forces this to happen, it may well not only break EU data protection laws but also break the certifications. This would lose MS millions of dollars of revenue.
The amazing pointless thing about this to me is that there are plenty of EU/US legal agreements for getting the release of data. They only need to go through the normal process. Instead they just want to demand without due process.
I really anticipate this will be made to go away. It is politically embarrassing and a time when the current trade negotiations are already looking shaky and when there are major calls for the abolishment of safe harbour agreements. Both of these issues would ultimately result in very large losses of sales for US companies.