Microsoft Challenges Idea That US Government Can Go Fishing For Emails Stored Outside The US

from the going-to-be-an-important-fight dept

Back in April, we wrote about a magistrate judge ruling that Microsoft had to comply with a warrant asking for data that was held on servers in Dublin. Microsoft argued, quite reasonably, that a US warrant doesn't apply outside of the US. Unfortunately, magistrate judge James Francis disagreed, saying that while it's true that traditional warrants only apply inside the US, this is different because it's "digital." He argued that because the issue was about information, rather than physical property, it could be considered more like a subpoena than a warrant. As we noted, Microsoft made it clear that it would challenge this ruling, and now it has done so, arguing that the ruling flies in the face of the law and the Constitution. This summary from Microsoft's filing is pretty clear on what an incredibly big deal this is, with the government basically seeking to get the best of a subpoena and a warrant without any of the protections and limits required of either:
The Magistrate Judge issued a warrant under the Electronic Communications Privacy Act ("ECPA") that on its face, purports to authorize the Government to search any and all of Microsoft's facilities worldwide. Microsoft moved to vacate the warrant because the private email communications the Government seeks are located in a Microsoft facility in Dublin, Ireland and because Congress has not authorized the issuance of warrants that reach outside U.S. territory. The Government cannot seek and a court cannot issue a warrant allowing federal agents to break down the doors of Microsoft's Dublin facility. Likewise, the Government cannot conscript Microsoft to do what it has no authority itself to do -- i.e., execute a warranted search abroad. To end-run these points. the Government argues, and the Magistrate Judge held, that the warrant required by ECPA is not a "warrant" at all. They assert that Congress did not mean "warrant" when using that term, but instead meant some previously unheard of "hybrid" between a warrant and subpoena duces tecum. The Government takes the extraordinary position that by merely serving such a warrant on any U.S.-based email provider, it has the right to obtain the private emails of any subscriber, no matter where in the world the data may be located. and without the knowledge or consent of the subscriber or the relevant foreign government where the data is stored.

This interpretation not only blatantly rewrites the statute, it reads out of the Fourth Amendment the bedrock requirement that the Government must specify the place to be searched with particularity, effectively amending the Constitution for searches of communications held digitally. It would also authorize the Government (including state and local governments) to violate the territorial integrity of sovereign nations and circumvent the commitments made by the United States in mutual legal assistance treaties expressly designed to facilitate cross-border criminal investigations. If this is what Congress intended, it would have made its intent clear in the statute. But the language and the logic of the statute, as well as its legislative history, show that Congress used the word "warrant" in ECPA to mean "warrant," and not some super-powerful "hybrid subpoena." And Congress used the term "warrant" expecting that the Government would be bound by all the inherent limitations of warrants, including the limitation that warrants may not be issued to obtain evidence located in the territory of another sovereign nation.

The Government's interpretation ignores the profound and well established differences between a warrant and a subpoena. A warrant gives the Government the power to seize evidence without notice or affording an opportunity to challenge the seizure in advance. But it requires a specific description (supported by probable cause) of the thing to be seized and the place to be searched and that place must be in the United States. A subpoena duces tecum, on the other hand, does not authorize a search and seizure of the private communications of a third party. Rather. it gives the Government the power to require a person to collect items within her possession, custody, or control, regardless of location, and bring them to court at an appointed time. It also affords the recipient an opportunity to move in advance to quash. Here, the Government wants to exploit the power of a warrant and the sweeping geographic scope of a subpoena, without having to comply with fundamental protections provided by either. There is not a shred of support in the statute or its legislative history for the proposition that Congress intended to allow the Government to mix and match like this. In fact, Congress recognized the basic distinction between a warrant and a subpoena in ECPA when it authorized the Government to obtain certain types of data with a subpoena or a "court order," but required a warrant to obtain a person's most sensitive and constitutionally protected information -- the contents of emails less than 6 months old.
Verizon has stepped in as well, pointing out that if the original ruling is allowed to stand, it could have significant negative impact on the ability of US businesses to get non-US users to trust them -- an increasingly important issue in light of the Snowden revelations.
The magistrate’s ruling, if left standing, could cost U.S. businesses billions of dollars in lost revenue, undermine international agreements and understandings, and prompt foreign governments to retaliate by forcing foreign affiliates of American companies to turn over the content of customer data stored in the United States.

The recent revelations about U.S. intelligence practices have heightened foreign sensitivities about the U.S. government’s access to data abroad, generated distrust of U.S. companies by foreign officials and customers, and led to calls to cease doing business with U.S. communications and cloud service providers. Studies have estimated that this distrust will result in tens of billions of dollars in lost business over the next few years. The magistrate’s ruling, if left standing, will dramatically increase the harm to American businesses. It would mean that foreign customers’ communications and other stored data would be available to hundreds or thousands of federal, state, and local law enforcement agencies, regardless of the laws of the countries where the data is held. Foreign customers will respond by moving their business to foreign companies without a presence in the United States.
If you hadn't figured it out by now, this case is going to have tremendously important ramifications for privacy around the globe.


Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: doj, ecpa, email, international, james francis, magistrate judge, privacy, sca, subpoena, warrants
Companies: microsoft


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    mcinsand, 11 Jun 2014 @ 11:15am

    just like Comcast versus Prenda Law

    Two such shocks in a year, but you know the NSA is evil when Microsoft is one of the good guys!

    link to this | view in chronology ]

  • icon
    kenichi tanaka (profile), 11 Jun 2014 @ 11:20am

    The absurdity of the claim that "Congress did not mean "warrant" when using that term" is ridiculous because if Congress was really meaning "subpoena", then they would have included that particular distinction in the law.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 11 Jun 2014 @ 11:50am

      Re:

      The Letter of the Law only matters when the judge wants it to.
      The Spirit of the Law only matters when the judge wants it to.

      Anyone seeing the pattern here? Judges are less and less about Judging and more and more about legislating.

      Good lawyer would request mistrial immediately on grounds that "His Honor" less seems to be incapable of basic high school level reading and deigns to create new and unintended interpretations to codified law.

      He should file a complaint against the BAR and see if said judge can have his law license revoked. It may not immediately remove him from the bench, but it would make the next attempt to remove him easier. Judges lately have been enjoying a great deal of extra constitutional power beyond what was intended, but they are not being challenged on it either so why stop?

      link to this | view in chronology ]

      • icon
        John Fenderson (profile), 11 Jun 2014 @ 12:47pm

        Re: Re:

        "Judges are less and less about Judging and more and more about legislating."

        It is the legitimate, and critically important, role of the judiciary to act as check and balance to the legislature, and to find ways to apply the laws that is both Constitutional and in spirit with the intention of the law. That involves a lot of judgment calls and, occasionally, acting in a manner that resembles legislating.

        It's how the system was designed.

        link to this | view in chronology ]

        • icon
          nasch (profile), 12 Jun 2014 @ 8:23am

          Re: Re: Re:

          That involves a lot of judgment calls and, occasionally, acting in a manner that resembles legislating.

          It's how the system was designed.


          True, but there are too many cases like this one where judges ignore the clear meaning of a law to get a result they want, for whatever reason.

          link to this | view in chronology ]

          • icon
            John Fenderson (profile), 12 Jun 2014 @ 9:06am

            Re: Re: Re: Re:

            Absolutely true, but there are checks and balances that should rectify that. The deeper problem is that the overall system of checks & balances has broken down. This is a problem larger than just the judiciary.

            link to this | view in chronology ]

  • icon
    AricTheRed (profile), 11 Jun 2014 @ 11:41am

    Good on you Microsoft!

    However I still won't forgive you for Windows 8.

    Even my grandma hated it!

    link to this | view in chronology ]

    • icon
      silverscarcat (profile), 11 Jun 2014 @ 11:45am

      Re: Good on you Microsoft!

      Hate them for what they throw out at times, but this is NOT one of those times.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 11 Jun 2014 @ 11:48am

    And what about NSLs?

    "It would mean that foreign customers’ communications and other stored data would be available to hundreds or thousands of federal, state, and local law enforcement agencies, regardless of the laws of the countries where the data is held. Foreign customers will respond by moving their business to foreign companies without a presence in the United States."

    Forgive me for being a non-USian and thus not knowing all the details, but isn't that already the case due to NSLs? Can't a NSL already force a US-company to violate foreign laws?

    link to this | view in chronology ]

    • icon
      DannyB (profile), 11 Jun 2014 @ 11:53am

      Re: And what about NSLs?

      Nothing to worry about. It only applies to foreigners. Those "foreigners" are only 96% of the human beings on the planet. Move along.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 11 Jun 2014 @ 11:57am

      Re: And what about NSLs?

      The laws of a foreign land means jack and shit. This is universal. The laws that DO matter are the ones established in Treaties and Agreements, but often enough get broken all the same.

      The general rule is this... I a business has an office that country then that business office itself is subject to the laws of that land, but not the rest of the company where other offices are located. This includes things like this... the US Gov really can legally issue a warrant or subpena for anything they want including Pluto. The issue is that if it contradicts laws for that office in that land then the business is obliged to follow the laws of that land. Now if the data is held on server on US soil... that's fair game and can be enforced.

      Despite this, you will still see governments go ahead and force their way through like criminals anyways because what is a business gonna do? Hire an army and protect their assets? Are the citizens going to do anything?

      So in short despite what the laws and treaties say... if you are a business, you can be quickly screwed and bullied by any country in the world in which you have an office. Governments are every bit as criminal as your local thugs, its just that these thugs have the backing of most of the citizens... well usually.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 11 Jun 2014 @ 11:52am

    But Bing still doesn't use HTTPS. Nice going, Microsoft.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 11 Jun 2014 @ 12:40pm

      Re:

      -----BEGIN PGP MESSAGE-----
      Version: GnuPG v2.0.22 (MingW32)

      KAQgAs6EgKY0PvjivQsHULzKZWW/nCNnEFHCC2BNyd7O+yTGWcTqyBPbMnztCIYB
      9fm+n6lx1O47v56nMhix7wqhotK Qw6iGqZOcATt0bgrfJRKVhJdQ+7Ez53QXO5MS
      pgai9poUBQMyWodNE6S3DpDOgXo9IVb+ZoJQmMDnDD/xzEqGpA7o76KWp/zv4BR
      GQDkIG/J/ZKYLte09Hbs36dGhWevTGaSyXtzBBWZXwWVbpPj76a3d/1lfIoBMchs
      qRSxAQP1kI9FDLCLgoqE2/1Bwhs/E4gmfJ3d 14A+ivDRzhiEbGLDDuus8JtNYfUb
      qTr/Mr/FoGQMyNjDm5Tp8x4vC4ttK1AcHaFb7VGdU/hof04AV11nPzMgOEazsHse
      -----END PGP MESSAGE-----

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 11 Jun 2014 @ 3:03pm

      Re:

      Apparently you haven't actually tried since Bing does use https if you use https...

      link to this | view in chronology ]

      • icon
        Easily Amused (profile), 12 Jun 2014 @ 8:33am

        Re: Re:

        He means it doesn't default to https. as it (and most everything online in a properly configured world) should do.

        link to this | view in chronology ]

        • icon
          The Wanderer (profile), 13 Jun 2014 @ 5:14am

          Re: Re: Re:

          And apparently there's a reason for that. My (slightly outdated) version of HTTPS Everywhere doesn't automatically convert Bing to HTTPS, and lists it as "Partial, buggy" - meaning that although some parts of the site work via HTTPS, others don't, and the result breaks some of the site's functionality.

          So they'd have more work to do than just rewriting the protocol specifiers in their HTML (and HTML generators) - possibly considerably more. For all we know, they might be working on doing that right now...

          link to this | view in chronology ]

  • icon
    Geno0wl (profile), 11 Jun 2014 @ 11:56am

    The DoJ doesn't care about economic impacts to the technology world. They have made that abundantly clear.

    link to this | view in chronology ]

    • icon
      That One Guy (profile), 11 Jun 2014 @ 12:21pm

      Slight fix for accuracy

      The DoJ/NSA doesn't care about economic impacts to any US industry/company other than themselves. They have made that abundantly clear.

      link to this | view in chronology ]

  • icon
    Frankz (profile), 11 Jun 2014 @ 12:20pm

    How far does this extend?

    Where do you draw the line with this, though?
    How many US companies would take advantage, and deliberately hide data in off-shore servers just to keep it away from US government/regulators?

    link to this | view in chronology ]

    • identicon
      Michael, 11 Jun 2014 @ 12:28pm

      Re: How far does this extend?

      If you think it is such a good idea, remember that it can easily be flipped on it's head. If US law can force MS into giving up emails in another country, laws in other countries can force MS to give up emails in the US.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 11 Jun 2014 @ 12:53pm

      Re: How far does this extend?

      About the same number of companies that hide money in off shore subsidiaries to avoid tax.

      link to this | view in chronology ]

  • identicon
    jackn, 11 Jun 2014 @ 1:26pm

    "Verizon has stepped in as well, pointing out that if the original ruling is allowed to stand, it could have significant negative impact on the ability of US businesses to get non-US users to trust them -- an increasingly important issue in light of the Snowden revelations. "

    Verizon, go figure. They should read the text they release beforehand.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 11 Jun 2014 @ 1:39pm

    So, the government can go shopping for warrants now

    So, if every other nation decided to go with that same logic, that means if a government wants to get at digital emails/evidence, all they need to do is go to the country with the weakest privacy laws. Get a judge to sign off on a warrant there, and you can collect whatever digital information you want from anywhere in the world?

    Yeah, that's just insane.

    link to this | view in chronology ]

    • icon
      The Wanderer (profile), 13 Jun 2014 @ 5:17am

      Re: So, the government can go shopping for warrants now

      Well, there's an argument to be made that the only reason the USA could do this to Microsoft is because Microsoft is an American company, operating out of America - albeit with offices and so forth in other countries as well.

      Even if we don't go that far, there's also an argument to be made that only a country where Microsoft has a business presence could do this to Microsoft, and the worst penalty that could be applied if Microsoft refuses is to deny Microsoft permission to operate or otherwise do business in that country. That might still result in "any country in the world" being able to do it, but it would at least be a sufficiently logical-sounding limitation that courts - including international ones - might sign off on it...

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 11 Jun 2014 @ 4:55pm

    What about banking?

    What about banking?

    I would be most concerned about banking, when it comes to these privacy issues.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 11 Jun 2014 @ 8:01pm

    Another fine piece of "journalism" from Mr Masnick. This is a clear cut case of seeking information, and not search.

    Most likley it has something to do with potentially opening doors to tax fraud using off shore stuff then protecting customers. After all, it was none other then shyster Bill Gates who whored himself out to NSA with Windows 95 backdoors.

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.