Microsoft Challenges Idea That US Government Can Go Fishing For Emails Stored Outside The US

from the going-to-be-an-important-fight dept

Back in April, we wrote about a magistrate judge ruling that Microsoft had to comply with a warrant asking for data that was held on servers in Dublin. Microsoft argued, quite reasonably, that a US warrant doesn't apply outside of the US. Unfortunately, magistrate judge James Francis disagreed, saying that while it's true that traditional warrants only apply inside the US, this is different because it's "digital." He argued that because the issue was about information, rather than physical property, it could be considered more like a subpoena than a warrant. As we noted, Microsoft made it clear that it would challenge this ruling, and now it has done so, arguing that the ruling flies in the face of the law and the Constitution. This summary from Microsoft's filing is pretty clear on what an incredibly big deal this is, with the government basically seeking to get the best of a subpoena and a warrant without any of the protections and limits required of either:
The Magistrate Judge issued a warrant under the Electronic Communications Privacy Act ("ECPA") that on its face, purports to authorize the Government to search any and all of Microsoft's facilities worldwide. Microsoft moved to vacate the warrant because the private email communications the Government seeks are located in a Microsoft facility in Dublin, Ireland and because Congress has not authorized the issuance of warrants that reach outside U.S. territory. The Government cannot seek and a court cannot issue a warrant allowing federal agents to break down the doors of Microsoft's Dublin facility. Likewise, the Government cannot conscript Microsoft to do what it has no authority itself to do -- i.e., execute a warranted search abroad. To end-run these points. the Government argues, and the Magistrate Judge held, that the warrant required by ECPA is not a "warrant" at all. They assert that Congress did not mean "warrant" when using that term, but instead meant some previously unheard of "hybrid" between a warrant and subpoena duces tecum. The Government takes the extraordinary position that by merely serving such a warrant on any U.S.-based email provider, it has the right to obtain the private emails of any subscriber, no matter where in the world the data may be located. and without the knowledge or consent of the subscriber or the relevant foreign government where the data is stored.

This interpretation not only blatantly rewrites the statute, it reads out of the Fourth Amendment the bedrock requirement that the Government must specify the place to be searched with particularity, effectively amending the Constitution for searches of communications held digitally. It would also authorize the Government (including state and local governments) to violate the territorial integrity of sovereign nations and circumvent the commitments made by the United States in mutual legal assistance treaties expressly designed to facilitate cross-border criminal investigations. If this is what Congress intended, it would have made its intent clear in the statute. But the language and the logic of the statute, as well as its legislative history, show that Congress used the word "warrant" in ECPA to mean "warrant," and not some super-powerful "hybrid subpoena." And Congress used the term "warrant" expecting that the Government would be bound by all the inherent limitations of warrants, including the limitation that warrants may not be issued to obtain evidence located in the territory of another sovereign nation.

The Government's interpretation ignores the profound and well established differences between a warrant and a subpoena. A warrant gives the Government the power to seize evidence without notice or affording an opportunity to challenge the seizure in advance. But it requires a specific description (supported by probable cause) of the thing to be seized and the place to be searched and that place must be in the United States. A subpoena duces tecum, on the other hand, does not authorize a search and seizure of the private communications of a third party. Rather. it gives the Government the power to require a person to collect items within her possession, custody, or control, regardless of location, and bring them to court at an appointed time. It also affords the recipient an opportunity to move in advance to quash. Here, the Government wants to exploit the power of a warrant and the sweeping geographic scope of a subpoena, without having to comply with fundamental protections provided by either. There is not a shred of support in the statute or its legislative history for the proposition that Congress intended to allow the Government to mix and match like this. In fact, Congress recognized the basic distinction between a warrant and a subpoena in ECPA when it authorized the Government to obtain certain types of data with a subpoena or a "court order," but required a warrant to obtain a person's most sensitive and constitutionally protected information -- the contents of emails less than 6 months old.
Verizon has stepped in as well, pointing out that if the original ruling is allowed to stand, it could have significant negative impact on the ability of US businesses to get non-US users to trust them -- an increasingly important issue in light of the Snowden revelations.
The magistrate’s ruling, if left standing, could cost U.S. businesses billions of dollars in lost revenue, undermine international agreements and understandings, and prompt foreign governments to retaliate by forcing foreign affiliates of American companies to turn over the content of customer data stored in the United States.

The recent revelations about U.S. intelligence practices have heightened foreign sensitivities about the U.S. government’s access to data abroad, generated distrust of U.S. companies by foreign officials and customers, and led to calls to cease doing business with U.S. communications and cloud service providers. Studies have estimated that this distrust will result in tens of billions of dollars in lost business over the next few years. The magistrate’s ruling, if left standing, will dramatically increase the harm to American businesses. It would mean that foreign customers’ communications and other stored data would be available to hundreds or thousands of federal, state, and local law enforcement agencies, regardless of the laws of the countries where the data is held. Foreign customers will respond by moving their business to foreign companies without a presence in the United States.
If you hadn't figured it out by now, this case is going to have tremendously important ramifications for privacy around the globe.



Reader Comments (rss)

(Flattened / Threaded)

  1.  
    identicon
    mcinsand, Jun 11th, 2014 @ 11:15am

    just like Comcast versus Prenda Law

    Two such shocks in a year, but you know the NSA is evil when Microsoft is one of the good guys!

     

    reply to this | link to this | view in thread ]

  2.  
    icon
    kenichi tanaka (profile), Jun 11th, 2014 @ 11:20am

    The absurdity of the claim that "Congress did not mean "warrant" when using that term" is ridiculous because if Congress was really meaning "subpoena", then they would have included that particular distinction in the law.

     

    reply to this | link to this | view in thread ]

  3.  
    icon
    AricTheRed (profile), Jun 11th, 2014 @ 11:41am

    Good on you Microsoft!

    However I still won't forgive you for Windows 8.

    Even my grandma hated it!

     

    reply to this | link to this | view in thread ]

  4.  
    icon
    silverscarcat (profile), Jun 11th, 2014 @ 11:45am

    Re: Good on you Microsoft!

    Hate them for what they throw out at times, but this is NOT one of those times.

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    Anonymous Coward, Jun 11th, 2014 @ 11:48am

    And what about NSLs?

    "It would mean that foreign customers’ communications and other stored data would be available to hundreds or thousands of federal, state, and local law enforcement agencies, regardless of the laws of the countries where the data is held. Foreign customers will respond by moving their business to foreign companies without a presence in the United States."

    Forgive me for being a non-USian and thus not knowing all the details, but isn't that already the case due to NSLs? Can't a NSL already force a US-company to violate foreign laws?

     

    reply to this | link to this | view in thread ]

  6.  
    identicon
    Anonymous Coward, Jun 11th, 2014 @ 11:50am

    Re:

    The Letter of the Law only matters when the judge wants it to.
    The Spirit of the Law only matters when the judge wants it to.

    Anyone seeing the pattern here? Judges are less and less about Judging and more and more about legislating.

    Good lawyer would request mistrial immediately on grounds that "His Honor" less seems to be incapable of basic high school level reading and deigns to create new and unintended interpretations to codified law.

    He should file a complaint against the BAR and see if said judge can have his law license revoked. It may not immediately remove him from the bench, but it would make the next attempt to remove him easier. Judges lately have been enjoying a great deal of extra constitutional power beyond what was intended, but they are not being challenged on it either so why stop?

     

    reply to this | link to this | view in thread ]

  7.  
    identicon
    Anonymous Coward, Jun 11th, 2014 @ 11:52am

    But Bing still doesn't use HTTPS. Nice going, Microsoft.

     

    reply to this | link to this | view in thread ]

  8.  
    icon
    DannyB (profile), Jun 11th, 2014 @ 11:53am

    Re: And what about NSLs?

    Nothing to worry about. It only applies to foreigners. Those "foreigners" are only 96% of the human beings on the planet. Move along.

     

    reply to this | link to this | view in thread ]

  9.  
    icon
    Geno0wl (profile), Jun 11th, 2014 @ 11:56am

    The DoJ doesn't care about economic impacts to the technology world. They have made that abundantly clear.

     

    reply to this | link to this | view in thread ]

  10.  
    identicon
    Anonymous Coward, Jun 11th, 2014 @ 11:57am

    Re: And what about NSLs?

    The laws of a foreign land means jack and shit. This is universal. The laws that DO matter are the ones established in Treaties and Agreements, but often enough get broken all the same.

    The general rule is this... I a business has an office that country then that business office itself is subject to the laws of that land, but not the rest of the company where other offices are located. This includes things like this... the US Gov really can legally issue a warrant or subpena for anything they want including Pluto. The issue is that if it contradicts laws for that office in that land then the business is obliged to follow the laws of that land. Now if the data is held on server on US soil... that's fair game and can be enforced.

    Despite this, you will still see governments go ahead and force their way through like criminals anyways because what is a business gonna do? Hire an army and protect their assets? Are the citizens going to do anything?

    So in short despite what the laws and treaties say... if you are a business, you can be quickly screwed and bullied by any country in the world in which you have an office. Governments are every bit as criminal as your local thugs, its just that these thugs have the backing of most of the citizens... well usually.

     

    reply to this | link to this | view in thread ]

  11.  
    icon
    Frankz (profile), Jun 11th, 2014 @ 12:20pm

    How far does this extend?

    Where do you draw the line with this, though?
    How many US companies would take advantage, and deliberately hide data in off-shore servers just to keep it away from US government/regulators?

     

    reply to this | link to this | view in thread ]

  12.  
    icon
    That One Guy (profile), Jun 11th, 2014 @ 12:21pm

    Slight fix for accuracy

    The DoJ/NSA doesn't care about economic impacts to any US industry/company other than themselves. They have made that abundantly clear.

     

    reply to this | link to this | view in thread ]

  13.  
    identicon
    Michael, Jun 11th, 2014 @ 12:28pm

    Re: How far does this extend?

    If you think it is such a good idea, remember that it can easily be flipped on it's head. If US law can force MS into giving up emails in another country, laws in other countries can force MS to give up emails in the US.

     

    reply to this | link to this | view in thread ]

  14.  
    identicon
    Anonymous Coward, Jun 11th, 2014 @ 12:40pm

    Re:

    -----BEGIN PGP MESSAGE-----
    Version: GnuPG v2.0.22 (MingW32)

    KAQgAs6EgKY0PvjivQsHULzKZWW/nCNnEFHCC2BNyd7O+yTGWcTqyBPbMnztCIYB
    9fm+n6lx1O47v56nMhix7wqhotK Qw6iGqZOcATt0bgrfJRKVhJdQ+7Ez53QXO5MS
    pgai9poUBQMyWodNE6S3DpDOgXo9IVb+ZoJQmMDnDD/xzEqGpA7o76KWp/zv4BR
    GQDkIG/J/ZKYLte09Hbs36dGhWevTGaSyXtzBBWZXwWVbpPj76a3d/1lfIoBMchs
    qRSxAQP1kI9FDLCLgoqE2/1Bwhs/E4gmfJ3d 14A+ivDRzhiEbGLDDuus8JtNYfUb
    qTr/Mr/FoGQMyNjDm5Tp8x4vC4ttK1AcHaFb7VGdU/hof04AV11nPzMgOEazsHse
    -----END PGP MESSAGE-----

     

    reply to this | link to this | view in thread ]

  15.  
    icon
    John Fenderson (profile), Jun 11th, 2014 @ 12:47pm

    Re: Re:

    "Judges are less and less about Judging and more and more about legislating."

    It is the legitimate, and critically important, role of the judiciary to act as check and balance to the legislature, and to find ways to apply the laws that is both Constitutional and in spirit with the intention of the law. That involves a lot of judgment calls and, occasionally, acting in a manner that resembles legislating.

    It's how the system was designed.

     

    reply to this | link to this | view in thread ]

  16.  
    identicon
    Anonymous Coward, Jun 11th, 2014 @ 12:53pm

    Re: How far does this extend?

    About the same number of companies that hide money in off shore subsidiaries to avoid tax.

     

    reply to this | link to this | view in thread ]

  17.  
    identicon
    jackn, Jun 11th, 2014 @ 1:26pm

    "Verizon has stepped in as well, pointing out that if the original ruling is allowed to stand, it could have significant negative impact on the ability of US businesses to get non-US users to trust them -- an increasingly important issue in light of the Snowden revelations. "

    Verizon, go figure. They should read the text they release beforehand.

     

    reply to this | link to this | view in thread ]

  18.  
    identicon
    Anonymous Coward, Jun 11th, 2014 @ 1:39pm

    So, the government can go shopping for warrants now

    So, if every other nation decided to go with that same logic, that means if a government wants to get at digital emails/evidence, all they need to do is go to the country with the weakest privacy laws. Get a judge to sign off on a warrant there, and you can collect whatever digital information you want from anywhere in the world?

    Yeah, that's just insane.

     

    reply to this | link to this | view in thread ]

  19.  
    identicon
    Anonymous Coward, Jun 11th, 2014 @ 3:03pm

    Re:

    Apparently you haven't actually tried since Bing does use https if you use https...

     

    reply to this | link to this | view in thread ]

  20.  
    identicon
    Anonymous Coward, Jun 11th, 2014 @ 4:55pm

    What about banking?

    What about banking?

    I would be most concerned about banking, when it comes to these privacy issues.

     

    reply to this | link to this | view in thread ]

  21.  
    identicon
    Anonymous Coward, Jun 11th, 2014 @ 8:01pm

    Another fine piece of "journalism" from Mr Masnick. This is a clear cut case of seeking information, and not search.

    Most likley it has something to do with potentially opening doors to tax fraud using off shore stuff then protecting customers. After all, it was none other then shyster Bill Gates who whored himself out to NSA with Windows 95 backdoors.

     

    reply to this | link to this | view in thread ]

  22.  
    icon
    nasch (profile), Jun 12th, 2014 @ 8:23am

    Re: Re: Re:

    That involves a lot of judgment calls and, occasionally, acting in a manner that resembles legislating.

    It's how the system was designed.


    True, but there are too many cases like this one where judges ignore the clear meaning of a law to get a result they want, for whatever reason.

     

    reply to this | link to this | view in thread ]

  23.  
    icon
    Easily Amused (profile), Jun 12th, 2014 @ 8:33am

    Re: Re:

    He means it doesn't default to https. as it (and most everything online in a properly configured world) should do.

     

    reply to this | link to this | view in thread ]

  24.  
    icon
    John Fenderson (profile), Jun 12th, 2014 @ 9:06am

    Re: Re: Re: Re:

    Absolutely true, but there are checks and balances that should rectify that. The deeper problem is that the overall system of checks & balances has broken down. This is a problem larger than just the judiciary.

     

    reply to this | link to this | view in thread ]

  25.  
    icon
    The Wanderer (profile), Jun 13th, 2014 @ 5:14am

    Re: Re: Re:

    And apparently there's a reason for that. My (slightly outdated) version of HTTPS Everywhere doesn't automatically convert Bing to HTTPS, and lists it as "Partial, buggy" - meaning that although some parts of the site work via HTTPS, others don't, and the result breaks some of the site's functionality.

    So they'd have more work to do than just rewriting the protocol specifiers in their HTML (and HTML generators) - possibly considerably more. For all we know, they might be working on doing that right now...

     

    reply to this | link to this | view in thread ]

  26.  
    icon
    The Wanderer (profile), Jun 13th, 2014 @ 5:17am

    Re: So, the government can go shopping for warrants now

    Well, there's an argument to be made that the only reason the USA could do this to Microsoft is because Microsoft is an American company, operating out of America - albeit with offices and so forth in other countries as well.

    Even if we don't go that far, there's also an argument to be made that only a country where Microsoft has a business presence could do this to Microsoft, and the worst penalty that could be applied if Microsoft refuses is to deny Microsoft permission to operate or otherwise do business in that country. That might still result in "any country in the world" being able to do it, but it would at least be a sufficiently logical-sounding limitation that courts - including international ones - might sign off on it...

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
Advertisement
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
Advertisement
Recent Stories
Advertisement
Support Techdirt - Get Great Stuff!

Close

Email This

This feature is only available to registered users. Register or sign in to use it.