Government Seeks Do-Over On Win For Microsoft And Its Overseas Data

from the please-please-please-let-me-get-what-I-want dept

Mon, Oct 17th 2016 2:26pm — Tim Cushing

The DOJ wants the Second Circuit Court of Appeals to revisit the decision it handed down in July -- the one that's preventing it from forcing Microsoft to hand over data stored on its servers in Ireland. The DOJ hoped the court would read the Stored Communications Act as applying to the location of the company served with the data request, rather than the actual location of the data. The Appeals Court disagreed with the lower court's finding -- one that dragged in the Patriot Act for some reason -- pointing out that the purpose of the SCA was to protect the privacy of communications, not to facilitate the government in obtaining them.

The government has filed a petition [PDF] for a rehearing of the case, obviously in hopes of a reversal. Jennifer Daskal of Just Security has posted several reasons why the DOJ's desired interpretation of the Stored Communications Act is dangerous, along with other problems arising from this decision.

To begin with, the decision raises new logistical issues, both for the government and the private companies served with these warrants.

According to the government, companies like Google and Yahoo! now need to ascertain the location of sought-after data “at the moment the warrant is served.” If the content is stored abroad, it is now “beyond the reach of a Section 2703 warrant, even when the account owner resides in the United States and the crime under investigation is entirely domestic.”

The court's interpretation of the SCA theoretically means Google will never again have to turn over requested emails to law enforcement.

Moreover, in the case of Google, this data is also outside the reach of a MLA request “because only Google’s US-based employees can access customer email accounts, regardless of where they are stored.” (p.6) In other words, US law enforcement cannot access the data because it is outside the reach of the US warrant authority. And foreign governments cannot because they lack jurisdiction over the US-based employees that control the data. No law enforcement official can access it anywhere.

That being said, Daskal points out that the government also feels that just because it has a warrant, it should be able to demand the production of communications wherever, whenever. This flat assertion that warrants trump privacy in every case is every bit as one-sided as the DOJ's theory that Google now has the option to rebuff warrants at its sole discretion.

The DOJ's fears aren't entirely unfeasible. Companies that sell their communications tools with privacy-heavy sales pitches could simply offshore their data storage to put it out of reach of SCA-citing warrants, turning the 2nd Circuit's ruling into a middle finger to US law enforcement.

If this is going to be fixed in any sort of way that doesn't turn this into a one-sided victory for service providers or the government, it's probably going to need to be through legislation. The court's revisitation of the issue (courts have generally been favorable to rehearing requests from the US government) may come to that very conclusion.

Indeed, the DOJ has already begun pushing for a legislative solution, albeit one that heavily favors the government. The DOJ wants existing Mutual Legal Assistance Treaties (MLATs) modified so the FBI, etc. can continue to compel the production of communications stored overseas without tripping over reluctant US service providers or statutory limitations built into the SCA.

As Daskal notes, Congress is better off addressing this issue sooner rather than later. Should the court reverse its decision and allow the FBI to demand communications from foreign data centers using nothing more than a warrant issued by a local magistrate, other countries far less concerned about US privacy protections will be sure to utilize the same tactics.

Yet I continue to have concerns about the result of a governmental win: the government gets free rein to compel any US-based provider to disclose any user’s data, without any constraint based on things like the location or nationality of the target. This is a rule that will be watched, and likely mimicked, by others.

Consider the broader implications: The United States would (or at least should) be concerned if foreign governments unilaterally demanded the unilateral production of US citizens and residents data. And in fact current US law prohibits US-based providers from responding to those demands—requiring that the foreign governments instead employ the MLA process and ultimately obtain a US warrant based on the US standard of probable cause. Foreign government also have an interest in controlling access to their residents data. Those interests ought to be taken into account.

Unfortunately, Congress doesn't really have a great track record when it comes to legislative fixes for tech issues. We have a more technologically-adept set of legislators than we've ever had previously, but there are still many who won't see the forest of implications for the law enforcement trees. But the situation may become much, much worse if left unattended.

Microsoft-14-2985-United-States-Appellee-Petition (PDF)Microsoft-14-2985-United-States-Appellee-Petition (Text)

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: doj, electronic surveillance, ireland, jurisdiction, stored communications, warrant
Companies: microsoft

20 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Wyrm (profile), 17 Oct 2016 @ 2:43pm

And in fact current US law prohibits US-based providers from responding to those demands—requiring that the foreign governments instead employ the MLA process and ultimately obtain a US warrant based on the US standard of probable cause.

Classic case of "do as I say, not as I do"?
[ link to this | view in chronology ]
Pixelation, 17 Oct 2016 @ 2:53pm

New NSA tagline
All your data are belong to us!

A few years back, I would have said that was strictly the Chinese government. It's pretty depressing.
[ link to this | view in chronology ]
- JBDragon (profile), 18 Oct 2016 @ 8:24am
  
  Re: New NSA tagline
  Who shouldn't China, or Russia, or even France just do the same thing and say, here's our warrant, we want access to Microsoft's or Apple's, or whoever's servers in the U.S. Should they get that right? It's the same thing the U.S. Government is trying to pull after all.
  [ link to this | view in chronology ]
Anonymous Coward, 17 Oct 2016 @ 2:57pm

>Should the court reverse its decision and allow the FBI to demand communications from foreign data centers using nothing more than a warrant issued by a local magistrate, other countries far less concerned about US privacy protections will be sure to utilize the same tactics.

There is a simple way (currently in the process of implementation) to make sure there are no such countries.
[ link to this | view in chronology ]
streetlight (profile), 17 Oct 2016 @ 3:02pm

Mutual Legal Asistance Treaties?
The DOJ wants existing Mutual Legal Assistance Treaties (MLATs) modified so the FBI, etc. can continue to compel the production of communications stored overseas without tripping over reluctant US service providers or statutory limitations built into the SCA.

Not sure what these are but if they're real, legally binding treaties approved by the Senate and with foreign countries then the foreign countries need to approve a new treaty as well as the U. S. Senate. Could be tricky.
[ link to this | view in chronology ]
- Arthur Moore (profile), 17 Oct 2016 @ 3:46pm
  
  Re: Mutual Legal Asistance Treaties?
  It's actually worse than that. The EU has, historically, relaxed it's privacy protections when dealing with US companies. The NSA leaks have caused them to now lean towards a "all EU data must be on EU soil" policy.
  
  The big problem with this lawsuit is the data is on EU soil, but the US wants access to it without going through the EU. If the US wins the EU may go one step further and everything to be under the control of an EU company. A company that the US can not compel to divulge data.
  
  This actually wouldn't be too big of a deal for Microsoft and other big companies. Sure it wouldn't be easy, but they'd basically set up subsidiaries in the EU to deal with it. The problem is any US company that stores user data would be required to have an EU subsidiary with at least one employee. Not exactly easy for things like a one man startup.
  [ link to this | view in chronology ]
  - Anonymous Coward, 17 Oct 2016 @ 4:09pm
    
    Re: Re: Mutual Legal Asistance Treaties?
    Given the US government attitude, a subsidiary would still be under control of its US parent, and so its parent could compel it to produce the data. The law of unintended consequences could do severe damage to US companies.
    It is also worth reminding people that Linux encryption development used to be carried out outside the US because of US laws, and so Linux and other FLOSS software can export development of parts of it by simply leaving the development up to foreign hackers. This could be the big advantage of the anarchistic overall development model.
    [ link to this | view in chronology ]
- Anonymous Coward, 18 Oct 2016 @ 7:42am
  
  Re: Mutual Legal Asistance Treaties?
  But one case mentioned could easily be fixed:
  > foreign governments cannot because they lack jurisdiction over the US-based employees that control the data.
  
  The USA can change its own laws to allow this, without any new requirements on foreign governments. I.e., compel American employee to respond to a foreign requests that were initiated by American courts/police via MLATs.
  [ link to this | view in chronology ]
ECA (profile), 17 Oct 2016 @ 3:02pm

REALLY?
you want our government to force its LAWS into another nation, and HACK a friendly nations PRIVATE servers, for a case of Corporate fraud??
YES, the word hack is correct, as it would involve the LAWS the USA has created.
WE HAVE NO rights against another nations LAWS.
We have no rights invading another nations computers.
We have NO rights invading PRIVATE servers of a company in ANOTHER NATION..

IF we had ANY OF THESE RIGHTS, why arent we investigating the BANK SERVERS IN THIS NATION, and following what the corps are DOING IN THIS NATION??
[ link to this | view in chronology ]
- Anonymous Coward, 17 Oct 2016 @ 3:23pm
  
  Re: REALLY?
  why arent we investigating the BANK SERVERS IN THIS NATION, and following what the corps are DOING IN THIS NATION??
  
  Because whenever a government and its friends mess up a country, they find an external enemy to blame.
  [ link to this | view in chronology ]
- Padpaw (profile), 18 Oct 2016 @ 12:48am
  
  Re: REALLY?
  The most heavily corrupted government comes to mind. A few bribes here and there and they ignore any crimes committed by said bribers.
  [ link to this | view in chronology ]
That One Guy (profile), 17 Oct 2016 @ 3:55pm

All none of them
Should the court reverse its decision and allow the FBI to demand communications from foreign data centers using nothing more than a warrant issued by a local magistrate, other countries far less concerned about US privacy protections will be sure to utilize the same tactics.

Given how little the USG respects the privacy of US citizens I'm not sure if there are any other countries that would qualify for this position.

A more accurate line would perhaps be:

Should the court reverse its decision and allow the FBI to demand communications from foreign data centers using nothing more than a warrant issued by a local magistrate, other countries just as concerned about US privacy protections will be sure to utilize the same tactics.
[ link to this | view in chronology ]
afn29129 (profile), 17 Oct 2016 @ 4:35pm

Compeling
So the DOJ would seek to compel Microsoft to ex-filtrate the data from Ireland. I haven't seen anyone consider of comment that such an act might be against the some Ireland law. I mean can the US government force someone to break the law?
[ link to this | view in chronology ]
- MadAsASnake (profile), 18 Oct 2016 @ 5:47am
  
  Re: Compeling
  Very likely to be in violation of EU data protection laws - which will have a Irish variant.
  [ link to this | view in chronology ]
Anonymous Coward, 17 Oct 2016 @ 6:34pm

If only the DOJ went after Secretary of States like it does Microsoft
If only the DOJ would go after government leaders like it does American citizens, we would have justice.
[ link to this | view in chronology ]
Tin-Foil-Hat, 17 Oct 2016 @ 7:20pm

Be careful what you wish for
If the feds win this case the US will get requests for the same thing from other countries. Even though they can and will refuse to hand US stored data to governments that request it, it will eventually turn into a real pain in the ass at the very least.
[ link to this | view in chronology ]
- That One Guy (profile), 17 Oct 2016 @ 9:59pm
  
  Re: Be careful what you wish for
  Even though they can and will refuse to hand US stored data to governments that request it,
  
  You're kidding right? The NSA hands out US data to other spy agencies like it's candy and every day is halloween, when the other agencies aren't handing them US data in return.
  [ link to this | view in chronology ]
  - Tin-Foil-Hat, 18 Oct 2016 @ 6:37am
    
    Re: Re: Be careful what you wish for
    That is sharing between spy agencies. It's more of what appears to be a long standing quid pro quo arrangement between allies. What happens when Russia or China show up with a warrant?
    [ link to this | view in chronology ]
Ninja (profile), 18 Oct 2016 @ 6:49am

If the data is offshore and is needed then work with the country in question to get the data via legal means. It's very, very simple.
[ link to this | view in chronology ]
Andy, 20 Oct 2016 @ 12:03am

Blowback
Do this congress give the doj what it wants and then cry when Iran manages to get any information on any American citizen using social media, with the protection of social media entities like google not being allowed to notify anyone including congress.
[ link to this | view in chronology ]