US Judge Says Prosecutors Can Use A Warrant To Go Fishing For Information Held Overseas
from the jurisdiction:-the-whole-world dept
We've had some discussion concerning the NSA and its defenders arguing that the 4th Amendment doesn't apply outside of the US, but it seems they also believe that the US jurisdiction applies basically anywhere when they want it to. While we recently wrote about magistrate judges pushing back on overly broad requests for information, that clearly is not absolute. Magistrate judge James Francis recently ruled that Microsoft needs to turn over data held on servers in Dublin, even though a US warrant isn't supposed to apply outside the US. Microsoft, quite reasonably, sees this as a problem:"A U.S. prosecutor cannot obtain a U.S. warrant to search someone's home located in another country, just as another country's prosecutor cannot obtain a court order in her home country to conduct a search in the United States," the company said. "We think the same rules should apply in the online world, but the government disagrees."As does the judge. The judge's own explanation is basically that he's pretending the warrant is not a warrant, but a subpoena.
Francis agreed that this is true for "traditional" search warrants but not warrants seeking digital content, which are governed by a federal law called the Stored Communications Act.If the Stored Communications Act sounds familiar, that's because it's a part of ECPA, the horribly outdated law that we've been discussing for years concerning its need for reform. If this ruling stands (and Microsoft is already challenging it), it'll be just one more thing that ECPA reform needs to tackle.
A search warrant for email information, he said, is a "hybrid" order: obtained like a search warrant but executed like a subpoena for documents. Longstanding U.S. law holds that the recipient of a subpoena must provide the information sought, no matter where it is held, he said.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 4th amendment, international, james francis, privacy, prosecutors, warrants
Companies: microsoft
Reader Comments
Subscribe: RSS
View by: Time | Thread
That certainly couldn't backfire...
[ link to this | view in chronology ]
Re: That certainly couldn't backfire...
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
This judge just confirmed it doesn't matter what jurisdiction a US company builds data centers in. They must comply with any and all requests the US Gov asks of them.
I'm going to start looking for a foreign held company to register an email address with. Maybe Germany or Russia.
[ link to this | view in chronology ]
Re:
You don't really have to even do that much. You can, quite easily, turn an old obsolete computer into your own email server. (a web search will lead you to instructions for how to do this, and even prebuilt images so you don't have to do anything but supply the relevant information).
Register your own domain name, and you have as many email addresses as you want, all hosted on a machine you own and physically control. You will have to arrange for mail exchange with an upstream provider, but they won't be storing your email. You will.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
there, FTFY...
[ link to this | view in chronology ]
Re: Re: Re: Re:
For instance, a Brazilian can use https://registro.br/ to register example.com.br.
[ link to this | view in chronology ]
Re: another company to register email
[ link to this | view in chronology ]
Re:
https://mykolab.com/
[ link to this | view in chronology ]
Here we go again.
No doubt we'll see the same response to the Stored Communications Act.
[ link to this | view in chronology ]
Oh boy...
[...] On February 7, the United States Department of State declared on this matter that American law imposed upon American companies is applied regardless of the location of the company.
The USA does believe their laws apply to the whole world. As a non-USA citizen, that is very disturbing.
[ link to this | view in chronology ]
Change Prothero to US goverment, and station to planet, and the quote still works.
[ link to this | view in chronology ]
How many US companies would take advantage, and deliberately hide data in off-shore servers just to keep it away from US regulators?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
Oh and if it's for a criminal situation.. its a warrant no matter how they try to spin it.
Both EU & Irish law overrides whatever legal fictions the US wants to impose here though for a US company like MS its a LOSE-LOSE situation in that if they don't comply via the US directive they can be sanctioned, whereas if they do comply with US order they will be in absolute breach of current laws (up to and including criminal ones) and will be held accountable that way too.
[ link to this | view in chronology ]
Re: Re: Re:
Unless Ireland has some goofy law prohibiting the owner of data from transferring it to another country (which possibility is laughable, at best) there's no exposure here for MS.
Sorry, but you're talking out of your ass.
[ link to this | view in chronology ]
Re: Re: Re: Re:
If that data has commercially sensitive information that has references to commercial and/or private Irish entities (or any other entities other than specifically and solely Microsoft) than the Data laws come into effect.
These laws are already causing US cloud companies no end of angst over compliance policies etc. And will cause more as these Rules and Regulations become more and more Consumer and privacy orientated.
If the US Courts want this data so badly they only need to apply through APPROPRIATE jurisdictional avenues with the Irish courts, but the egotistic nature of most American entities means they think they can just route through all due processes no matter what.. just because.. Fuckin Eagles!!
[ link to this | view in chronology ]
Re: Re: Re: Re:
Your whole basis is incorrect. I actually have extensive experience with US and EU directives.
The data being requested is not MS data. They are a service processor only. The data is still the property of MS client.
So yes they would be held criminally liable for turning over their clients data.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
The non-physical state of stored information was considered when the Stored Communications Act was crafted. No surprises here. It's a perfectly reasonable conclusion by Judge Francis.
[ link to this | view in chronology ]
Re:
Quit posting as an Anonymous Coward.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
There's also the jurisdictional question. You have to pay US taxes on your worldwide income if you're a citizen, no matter where you reside (with a few exceptions). The government can try you for bribing a foreign government official even if the bribe occurred in another country and was legal in that country. So you may fulminate over the perceived injustice, but there's really nothing going on here. There's a lot of precedence and it looks as though the Stored Communications Act permits the government to petition for warrants that are administered like subpoenas. Moreover, I'd wager that this applies to foreign companies doing business in the US.
[ link to this | view in chronology ]
I can't see this sort of high-handed action by the US being viewed upon kindly by the EU without going through the proper channels to obtain such information.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
BTW: once MS crooks access servers in Dublin from Redmond, guess where info is cached?
[ link to this | view in chronology ]
Re:
you do realize that Warrants are not just all "Search Warrants" don't you?
In fact a Warrant is at its basics a writ issued by an authority for an otherwise illegal act to be committed with impunity. Therefore search, seizure, possession (in my jurisdiction only), Possessory, Execution, Arrest, etc are all forms of Warrants.. not just search
seems your comment was just another bit of uninformed blargha flargha from an AC
[ link to this | view in chronology ]
Re: Re:
Subpoenas largely seek to compel information. Documents, testimony and electronic files are the usual suspects.
The important point which you fail to address is this:
BTW: once MS crooks access servers in Dublin from Redmond, guess where info is cached?
That's pretty much game, set and match.
[ link to this | view in chronology ]
Re:
What difference does it make? You state this like it makes a bit of difference that a server in Dublin should be "accessible" (or "searchable" or whatever other semantics you seem to think are important) because the USG says so.
Tell you what...since you appear to think this is such a great idea...in the previous sentence, replace "Dublin" with "Dallas," and "USG" with "Saudi Arabia." THEN let us know how you feel.
[ link to this | view in chronology ]
Re: Re:
You clowns like to talk about how the internet erases arbitrary geographic and political borders.... right up until the time that it doesn't work in the way you like.
[ link to this | view in chronology ]
Re: Re: Re:
Even US defense contractors have a presence in other countries. Lockheed Martin Canada running the Canadian census for example. Or Boeing Canada and Sikorsky.
Should courts in Canada be able to order these companies to turn over the contents of their servers in the US? Especially that which may contain technical details of aircraft? (Keeping in that the Lockheed Martin F-35 and Sikorsky CH-148 Cyclone contracts have turned into utter fiascos at best, and will likely end up with Canadian courts examining the technical requirements in the contracts.)
Us clowns like to talk about how the internet erases arbitrary geographic and political borders.... right up until the time that it infringes on sovereignty.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Recourse?
Nevertheless, it stinks. As a U.S. citizen, I could have the warrant quashed; I have Rights and I would have access to the legal system here. The "victim" over there would be told, well, sir, you're a foreigner and so you have no protection under our Constitution, so you're out of luck.
So in the end, if things were fair: They can have their warrants when the foreigners have recognized Constitutional protection from invalid probable cause.
[ link to this | view in chronology ]
Re: Recourse?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
CEOs are going into jail anyway
[ link to this | view in chronology ]
You will be the highest law in the land, so approve a warrant for government officials' email.
U.S. must comply, after all they agree that warrants can cross country lines.
Leak entire contents of email to Internet.
U.S. goes bankrupt.
Problem, NSA?
[ link to this | view in chronology ]
Re:
You Secede from the US, form some new jurisdiction.. lets call it Free-State
You are the law in Free-state.. You throw yourself a party.. Ego's inflate everywhere in Free-state. All is well in your world.
You authorise a writ for a warrant of seizure to obtain US Governmental email. WOOT!
The US ignores you.
You jump up and down.. threaten everything..
The US Laughs at you.. the internet eats popcorn
You threaten more...
late one night masked people all in balck come into your compound find you and you are never EVER seen from again since your body was dropped into some ocean from a great height..
The world wonders..
a week goes by....
some new drama unfolds.. people forget about you.. popcorn sellers are saddened.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
This is where your argument lurches off the tracks. Microsoft is a US corporation which maintains a physical presence in Washington. Any warrant or subpoena is served upon MS at that address. The order is to produce certain information. Such production of information to comply with the order can take place entirely within the United States. That the information is located on a server in Ireland or any place else is meaningless.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
or is reciprocity only unilateral when it comes to the USA's interests? hmmm.
And there have already been cases like this already where companies have had to refuse due to jurisdictional privacy issues where they are co-located. It's not as cut and dry as you imagine. In fact its very very murky and fraught with a whole range of problems for MS or any company in this predicament.
Oh and they can fulfill the subpoena by attending and stating that due to legal jurisdictional sovereignty issues - criminal ones would be better for them - they are unable though not unwilling to comply . The court then has major problems and is in a pretty interesting bind (though i suspect a lower court or sensible magistrate judge would punt it up the line then).
Again this would of been fixed if they went the appropriate jurisdictional due process route.. Ego is better than comity though I gather in the USA *shrugs*
[ link to this | view in chronology ]
Re:
Keep in mind that if the data is in Ireland, you're talking about Microsoft Ireland. And that with a physical presence in Ireland, Ireland's data protection laws apply. It may very well be illegal for Microsoft Ireland to comply with the American judge's order.
We've been through this before. The Helms–Burton Act in 1996 attempted to extend US jurisdiction to foreign companies dealing with Cuba. The UK, EU, Canada and Mexico quickly enacted laws making it illegal for companies operating there to comply with Helms–Burton.
The difference here is that the other countries already have data protection laws in place.
[ link to this | view in chronology ]
You have to give any information up that you have control over.
These rules help us do everything from collecting taxed to closing down sites with child pornography.
If the rules of another government do not forbid your giving the information up, then the court can compel you. If the foreign countries rules do forbid it, than you cannot be compelled because it is beyond your control. The court isn't going to require you to break laws, treaties, etc.
That is what I remember from intellectual property. A real lawyer can probably clear up the matter in a paragraph or two.
We do not want people in American committing crimes and havign a sort of "immunity" because they store their information in another country.
We have treaties that allow for this type of thing with most of the countries we trade with.
We can extradite criminals from most of those countries to. e.g. a criminal who flees to Canada can frustrate extradition if the United States penalty is death. If not, the Canadians will usually hand them right over.
I feel your frustration with the American government. They cannot keep their own house in order, why do they get to tell other people what to do? I don't blame you but this is a good rule. We don't want justice prevented because their server is in another country.
If they have a right to write things to a server in a foreign country than they have a right to retrieve that information and present it to the court.
[ link to this | view in chronology ]
Re:
What effectively invalidates this argument is that it applies both ways, in ways that the US government would never allow.
The Irish or Canadian or British governments could demand that Microsoft Ireland or Microsoft Canada or any other company, hand over information from US servers pertaining to a criminal investigation.
But that could include any investigation into the American government's kidnapping and torture of their citizens a few years ago, or NSA spying. Those criminals could very well be past or current US officials.
[ link to this | view in chronology ]
Sovereignty? You Canadians are a joke. You have no real culture of your own and are indistinguishable from any other large, cold, boring upper midwestern state. You're mostly viewed as an expansive version of North Dakota, though somewhat less interesting. Culturally, the only thing preserving whatever now passes as Canadian "culture" (other than hunting and fishing shows) are ghastly, legally- mandated, Canadian productions that no one watches.
The CFL is a joke and Canadian NHL teams routinely get punked by US teams. You send annoying hoards of your citizens to our southern climes fleeing your Arctic winters who demonstrate their cultural superiority by wearing socks with sandals and tipping 10%.
So piss on your sovereignty, it's not like you use it in your relentless pursuit of statehood.
[ link to this | view in chronology ]
And....? It still means that Microsoft has a presence in Ireland. The rules for one country's court order for a server in the other, will work both ways.
Sovereignty? You Canadians are a joke.
Some day when you grow up, you'll re-read posts your own posts. But don't worry, your self-embarrassment doesn't reflect badly on America. We have people like you too.
Canadian NHL teams routinely get punked by US teams.
Granted, without all that metal, the US hockey teams had an easier time going through customs on the way home from the Olympics.
So piss on your sovereignty
My point still stands: US sovereignty has the most to lose from this particular pissing match.
[ link to this | view in chronology ]
Euro Govt Data
As there are many government departments from around the EU keeping data on the Dutch and Irish MS cloud servers, you can expect a serious blow-back from this. Indeed, MS went to the cost and trouble of securing BIL2 (a UK government security certification) for their EU cloud so that EU government departments could use it for Official and Official-Sensitive documents. If the US forces this to happen, it may well not only break EU data protection laws but also break the certifications. This would lose MS millions of dollars of revenue.
The amazing pointless thing about this to me is that there are plenty of EU/US legal agreements for getting the release of data. They only need to go through the normal process. Instead they just want to demand without due process.
I really anticipate this will be made to go away. It is politically embarrassing and a time when the current trade negotiations are already looking shaky and when there are major calls for the abolishment of safe harbour agreements. Both of these issues would ultimately result in very large losses of sales for US companies.
[ link to this | view in chronology ]