Appeals Court Upholds Its Denial Of DOJ's Demand For Microsoft's Overseas Data
from the go-bother-some-legislators,-kid dept
After being handed a loss in its judicial quest to force Microsoft to hand over data held in Ireland, the DOJ asked the Second Circuit for a rehearing of its July decision. At the center of the case is the DOJ’s belief that it should be able to force US companies to turn over data/communications contained in overseas servers.
The government wants to have it both ways with its warrants for electronic data. On one hand, it analogizes data demands as being no different than digging through a filing cabinet found in a house it’s searching. It argues that data held in servers/devices should be treated no differently than the personal papers the founding fathers tried to protect with the Fourth Amendment.
Then it argues that even if the “filing cabinet” isn’t located on the premises it has a warrant to search, it should be able to access the contents of that cabinet. This, from Microsoft’s motion to dismiss, explains what the government is truly asking for, using the sort of physical world comparisons the DOJ understands.
The Government cannot seek and a court cannot issue a warrant allowing federal agents to break down the doors of Microsoft’s Dublin facility. Likewise, the Government cannot conscript Microsoft to do what it has no authority itself to do — i.e., execute a warranted search abroad.
In its original decision, the Appeals Court pointed out that Congress clearly didn’t intend the wording of the Stored Communications Act to cover foreign data centers, no matter what sort of twisted, hybrid paperwork the feds served Microsoft in hopes of routing around territorial limitations. The court noted, as it often does, that if the DOJ wanted its half-warrant/half-subpoena to both skirt mutual assistance treaties and the court’s interpretation of the SCA, then it needed to approach Congress directly and get the SCA updated/amended.
And, indeed, the DOJ has done exactly that. It’s seeking legislation specifically targeting the terroritorial limitations in the SCA that prevent it from doing what it wants to. But in the meantime, the DOJ thought the court should take another swing at it. The Second Circuit has decided to pass on this opportunity. But it has issued an affirmation [PDF] of its original ruling, with some additional dissenting voices appended.
An equally divided federal appeals court refused to reconsider its landmark decision forbidding the U.S. government from forcing Microsoft Corp and other companies to turn over customer emails stored on servers outside the United States.
Tuesday’s 4-4 vote by the 2nd U.S. Circuit Court of Appeals in Manhattan let stand a July 14 decision that was seen as a victory for privacy advocates, and for technology companies offering cloud computing and other services worldwide.
But the dissenting judges said that decision by a three-judge panel could hamstring law enforcement, and called on the U.S. Supreme Court or Congress to reverse it.
“The panel majority’s decision does not serve any serious, legitimate, or substantial privacy interest,” Circuit Judge Jose Cabranes wrote in dissent.
The opinion doesn’t tell the DOJ anything it didn’t tell it previously, other than that the court is evenly divided. The decision reiterates points the DOJ didn’t like the first time around. And, once again, it directs the DOJ’s efforts at legislators, while also pointing out the dissent’s similar willingness to interpret the law in ways Congress never intended.
The position of the government and the dissenters necessarily ignores situations in which the effects outside the United States are less readily dismissed, whichever label is chosen to describe the “focus” of the statute. For example, under the dissents’ reasoning (as we understand it), the SCA warrant is valid when (1) it is served in the United States on a branch office of an Irish service provider, (2) it seeks content stored in Ireland but accessible at the U.S. branch, (3) the account holding that content was opened and established in Ireland by an Irish citizen, (4) the disclosure demanded by the warrant would breach Irish law, and (5) U.S. law enforcement could request the content through the MLAT process. This hardly seems like a “domestic application” of the SCA.
Rather, we find it difficult to imagine that the Congress enacting the SCA envisioned such an application, much less that it would not constitute the type of extraterritorial application with which Morrison was concerned. Indeed, calling such an application “domestic” runs roughshod over the concerns that undergird the Supreme Court’s strong presumption against extraterritoriality, and suggests the flaw in an approach to the SCA that considers only disclosure.
The DOJ’s flawed approach is also its most common approach. It seems genuinely baffled/irritated when its requests — and its interpretation of the law — are challenged. It views laws that don’t allow it to do what it wants to do as broken. Rather than view limits in laws as guidance to help keep it aligned with Constitutional rights, it tends to do what it wants and let the courts sort it out.
Sure, the judicial process isn’t exactly speedy, but it has better odds and a faster turnaround time than guiding legislation through multiple Congressional hoops. And it will continue to play the odds because not every service provider has the resources or legal acumen to fight back against unlawful demands.
Filed Under: data, doj, ireland, overseas, privacy, second circuit, subpoena, warrant
Companies: microsoft
Comments on “Appeals Court Upholds Its Denial Of DOJ's Demand For Microsoft's Overseas Data”
Microsoft and it’s various resellers here in Canada are constantly trying to convince us to move all our servers and workstations to the cloud. The number one selling feature, from an email just yesterday:
This is a big deal. A major theme of the NSA spying, Gitmo and drone killing debates in the US is "How Dare They Do It To AMERICANS!" The subtext being that doing it to non-Americans is acceptable. No-one believes that foreign-owned data has any legal protection whatsoever against otherwise unlawful search and seizure once it enters the US. No-one believes that it won’t be mined by American security contractors "because terrorism" to give an advantage to American industry.
If Microsoft were to lose this fight they’d lose much of their overseas cloud hosting business.
Re: Much worse than that
Re: Re: Much worse than that
I think most people familiar with the comparison would agree that the EU offers far better legal protections for citizen privacy that the US. But as I stated earlier it’s all a moot point. The EULAs for these services all indemnify the service providers against the consequences of either breaches or unlawful searches of data. And if you think the physical location of your server farms’ HDDs means scat to those who want that data I must respectfully inform you that you are naive. Not only does the NSA have unlimited access to the full feeds of the network legs leaving the US (which allows them to copy everything in transit) they are most definitely not above hacking it at/in/from it’s final destination. It is, in fact, part of their job description. As of yet no law in any jurisdiction, domestic or foreign; has deterred them. Cases can and will play out in court. And all the providers will experience an ebb and flow of market share. But no one is going to take any meaningful hit to their bottom line because data is the ultimate success story of globalization. Put it wherever you want, but it will be found, copied, moved and edited by whatever major power decides it’s worth the overhead to pursue. Your local jurisdiction may not allow such evidence to be introduced. If you are lucky. But it’s not something that should be counted on in today’s environment.
Re: Re:
That, or they’d restructure the companies so that it’s an "unrelated" Canadian company running the data centres. …a company which happens to have licensed the name "Microsoft", and pays royalties to Microsoft USA to advertise their services.
Re: Re:
On the subject of only spying on non-Americans.
I’ll just remind everyone of this excellent 19 minute TED talk from a few years ago when the Snowden leaks broke.
Mikko Hypponen:
How the NSA betrayed the world’s trust — time to act
I love how at 3:20 into the talk he mentions that the NSA is only spying on "foreigners". He talks to the audience, "I’m a foreigner", "you’re a foreigner". In fact, 96 % of the population of the planet is a "foreigner".
Re: Re:
not at all. we know from best buy/fbi informants case that cloud is filtered by fbi for criminal activities. so placement of server is only important for court evidence purposes.
separate issue is ms boloney argument that when you see through window an fbi agent with warrant in his hand for search of your suitcase, you just can move that suitcase across the street to invalidate warrant.
finally, this is en banc case. meaning that whole set of judges reconsiders previous judgment of only three of their fellows judges.stage is set for the supremes.
Re: Re: Re:
If the suitcase was never at your house – and was always at the address across the street – then the agent needs a warrant that includes that address.
This might not make a difference for strictly American cloud servers, where Microsoft or Amazon moves and duplicates your data between server farms in different states.
But if the data is in Ireland or Canada – with privacy laws or marketing specify that the data does NOT get moved or duplicated to the US – then the agent’s American warrant is invalid. He needs one from an Irish or Canadian judge.
Should the US Supreme Court rule otherwise it’ll make little difference. Microsoft and Amazon will adjust their cloud hosting ownership to be answerable only to those countries’ laws. They’ll HAVE to, or lose all business in those countries.
Re: Re:
Follow-up: New Trump Executive Order Says Federal Agencies Should Exclude Foreigners From Privacy Protections
Apparently that Executive Order was issued the same day I wrote the above post.
Re: Re:
This is rather important too because as Canadians doing business with customer data we have to actually jump through a lot of hoops to ensure our data is hosted in Canada to comply with Privacy Law up here.
If a company migrates to a Canadian arm of an american cloud provider. This change makes that move one that puts companies in a legal quagmire.
Well, yeah...
” The subtext being that doing it to non-Americans is acceptable.”
It is. It’s called “espionage”. Mickeysoft does it as well.
"Filing cabinet"
How does this work for physical papers? If they had searched Microsoft in America and found reference to a document held in the Dublin office, could they require the Dublin office to produce that document?
Re: "Filing cabinet"
Nope, they’d need an Irish search warrant. It’s private customer communications, that are protected by EU law.
The interesting part about this case is that the EU and US have procedures especially designed for just that scenario. Except, in the US E-Mails are considered “abandoned” after a time so they don’t need a warrant to force MS to turn them over. The EU and most of the world see this as crazy, and want to see actual probable cause first.
Yes, I realize the US law that declares E-Mail to be “abandoned” seems to violates the 4th amendment. Funnily enough, US law enforcement doesn’t really care about that…
If the DOJ thinks a government has the right to access data anywhere in the world – why do they have a problem with the Russian government (allegedly) reviewing data on US-servers?
Ides for storing private information on cloud servers
Here’s an idea for storing private information on cloudy servers.
What if each “page” of information were stored on two servers. (By page, I mean an arbitrary sized block of bytes, like 4K bytes or something.)
Suppose a 4K page were stored as two 4K pages on two different servers. Each server located in a different country. In order to reconstruct that 4K page, you must get the two pages from the two servers and XOR them together.
Now Big Brother wants that 4K page of data. They could compel by force of law the production of the 4K page stored in this country. But they could not compel the production of the other 4K page that must be combined with it to get plain readable information.
An alternate implementation is to store an encrypted 4K page in the country, but store the key for it out of country. Or better, store multiple parts of the key, using the above technique, which must be XORed together to form the actual decryption key. That way even the plain decryption key isn’t stored in any single country.
Redundant copies of the decryption key could be stored in two parts in various combinations of pairs of countries. For example the decryption key for a page could be produced by getting two parts from:
country A and B
country C and D
country C and B
country A and D
etc
Just an idea to keep Big Brother busy.
Re: Ides for storing private information on cloud servers
Actually key-segmentation is a very good idea.
I have been using something similar for quite a few yrs now.
Holding half a key in my mind and the other half in a USB key fob. And I have no idea what the half key is that’s held inside the fob. It would be nice to have a mechanism to backup the key that’s inside the fob, in as you say, 2 or more parts and in 2 or more countries.
Re: Re: Ides for storing private information on cloud servers
Kind of off topic but, the PCI DSS requires this (split keys) meaning that it takes two separate people to perform some actions because each of them has half of the key.
Re: Ides for storing private information on cloud servers
“Redundant copies of the decryption key could be stored in two parts in various combinations of pairs of countries.”
This would actually be quite easy on an architecture like Freenet. I haven’t looked at it in a while, so I don’t exactly remember the protocol spec. But my guess is, that all you would have to do is look up the country code on localhost, and the country code of a few randomly selected upload targets, and do an XOR. Everything else is already native to the framework.
There is some question in my mind as to whether the fed actually understood what they were doing. On one hand this precedent will really put a lot of load on international law enforcement bodies. On the other hand that might be intentional. In order to create a greater dependency of foreign states on U.S. intelligence gathering.
IOW, this may have been designed to make the U.S. the reserved intelligence resource of the rest of the world. Much like the dollar is the reserve currency of the rest of the world. If everybody is compelled to trade data, the guy with the most data wins.