Government Seeks Do-Over On Win For Microsoft And Its Overseas Data
from the please-please-please-let-me-get-what-I-want dept
The DOJ wants the Second Circuit Court of Appeals to revisit the decision it handed down in July -- the one that's preventing it from forcing Microsoft to hand over data stored on its servers in Ireland. The DOJ hoped the court would read the Stored Communications Act as applying to the location of the company served with the data request, rather than the actual location of the data. The Appeals Court disagreed with the lower court's finding -- one that dragged in the Patriot Act for some reason -- pointing out that the purpose of the SCA was to protect the privacy of communications, not to facilitate the government in obtaining them.
The government has filed a petition [PDF] for a rehearing of the case, obviously in hopes of a reversal. Jennifer Daskal of Just Security has posted several reasons why the DOJ's desired interpretation of the Stored Communications Act is dangerous, along with other problems arising from this decision.
To begin with, the decision raises new logistical issues, both for the government and the private companies served with these warrants.
According to the government, companies like Google and Yahoo! now need to ascertain the location of sought-after data “at the moment the warrant is served.” If the content is stored abroad, it is now “beyond the reach of a Section 2703 warrant, even when the account owner resides in the United States and the crime under investigation is entirely domestic.”
The court's interpretation of the SCA theoretically means Google will never again have to turn over requested emails to law enforcement.
Moreover, in the case of Google, this data is also outside the reach of a MLA request “because only Google’s US-based employees can access customer email accounts, regardless of where they are stored.” (p.6) In other words, US law enforcement cannot access the data because it is outside the reach of the US warrant authority. And foreign governments cannot because they lack jurisdiction over the US-based employees that control the data. No law enforcement official can access it anywhere.
That being said, Daskal points out that the government also feels that just because it has a warrant, it should be able to demand the production of communications wherever, whenever. This flat assertion that warrants trump privacy in every case is every bit as one-sided as the DOJ's theory that Google now has the option to rebuff warrants at its sole discretion.
The DOJ's fears aren't entirely unfeasible. Companies that sell their communications tools with privacy-heavy sales pitches could simply offshore their data storage to put it out of reach of SCA-citing warrants, turning the 2nd Circuit's ruling into a middle finger to US law enforcement.
If this is going to be fixed in any sort of way that doesn't turn this into a one-sided victory for service providers or the government, it's probably going to need to be through legislation. The court's revisitation of the issue (courts have generally been favorable to rehearing requests from the US government) may come to that very conclusion.
Indeed, the DOJ has already begun pushing for a legislative solution, albeit one that heavily favors the government. The DOJ wants existing Mutual Legal Assistance Treaties (MLATs) modified so the FBI, etc. can continue to compel the production of communications stored overseas without tripping over reluctant US service providers or statutory limitations built into the SCA.
As Daskal notes, Congress is better off addressing this issue sooner rather than later. Should the court reverse its decision and allow the FBI to demand communications from foreign data centers using nothing more than a warrant issued by a local magistrate, other countries far less concerned about US privacy protections will be sure to utilize the same tactics.
Yet I continue to have concerns about the result of a governmental win: the government gets free rein to compel any US-based provider to disclose any user’s data, without any constraint based on things like the location or nationality of the target. This is a rule that will be watched, and likely mimicked, by others.
Consider the broader implications: The United States would (or at least should) be concerned if foreign governments unilaterally demanded the unilateral production of US citizens and residents data. And in fact current US law prohibits US-based providers from responding to those demands—requiring that the foreign governments instead employ the MLA process and ultimately obtain a US warrant based on the US standard of probable cause. Foreign government also have an interest in controlling access to their residents data. Those interests ought to be taken into account.
Unfortunately, Congress doesn't really have a great track record when it comes to legislative fixes for tech issues. We have a more technologically-adept set of legislators than we've ever had previously, but there are still many who won't see the forest of implications for the law enforcement trees. But the situation may become much, much worse if left unattended.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: doj, electronic surveillance, ireland, jurisdiction, stored communications, warrant
Companies: microsoft
Reader Comments
Subscribe: RSS
View by: Time | Thread
Classic case of "do as I say, not as I do"?
[ link to this | view in chronology ]
New NSA tagline
A few years back, I would have said that was strictly the Chinese government. It's pretty depressing.
[ link to this | view in chronology ]
Re: New NSA tagline
[ link to this | view in chronology ]
There is a simple way (currently in the process of implementation) to make sure there are no such countries.
[ link to this | view in chronology ]
Mutual Legal Asistance Treaties?
Not sure what these are but if they're real, legally binding treaties approved by the Senate and with foreign countries then the foreign countries need to approve a new treaty as well as the U. S. Senate. Could be tricky.
[ link to this | view in chronology ]
Re: Mutual Legal Asistance Treaties?
The big problem with this lawsuit is the data is on EU soil, but the US wants access to it without going through the EU. If the US wins the EU may go one step further and everything to be under the control of an EU company. A company that the US can not compel to divulge data.
This actually wouldn't be too big of a deal for Microsoft and other big companies. Sure it wouldn't be easy, but they'd basically set up subsidiaries in the EU to deal with it. The problem is any US company that stores user data would be required to have an EU subsidiary with at least one employee. Not exactly easy for things like a one man startup.
[ link to this | view in chronology ]
Re: Re: Mutual Legal Asistance Treaties?
It is also worth reminding people that Linux encryption development used to be carried out outside the US because of US laws, and so Linux and other FLOSS software can export development of parts of it by simply leaving the development up to foreign hackers. This could be the big advantage of the anarchistic overall development model.
[ link to this | view in chronology ]
Re: Mutual Legal Asistance Treaties?
> foreign governments cannot because they lack jurisdiction over the US-based employees that control the data.
The USA can change its own laws to allow this, without any new requirements on foreign governments. I.e., compel American employee to respond to a foreign requests that were initiated by American courts/police via MLATs.
[ link to this | view in chronology ]
REALLY?
YES, the word hack is correct, as it would involve the LAWS the USA has created.
WE HAVE NO rights against another nations LAWS.
We have no rights invading another nations computers.
We have NO rights invading PRIVATE servers of a company in ANOTHER NATION..
IF we had ANY OF THESE RIGHTS, why arent we investigating the BANK SERVERS IN THIS NATION, and following what the corps are DOING IN THIS NATION??
[ link to this | view in chronology ]
Re: REALLY?
Because whenever a government and its friends mess up a country, they find an external enemy to blame.
[ link to this | view in chronology ]
Re: REALLY?
[ link to this | view in chronology ]
All none of them
Given how little the USG respects the privacy of US citizens I'm not sure if there are any other countries that would qualify for this position.
A more accurate line would perhaps be:
Should the court reverse its decision and allow the FBI to demand communications from foreign data centers using nothing more than a warrant issued by a local magistrate, other countries just as concerned about US privacy protections will be sure to utilize the same tactics.
[ link to this | view in chronology ]
Compeling
[ link to this | view in chronology ]
Re: Compeling
[ link to this | view in chronology ]
If only the DOJ went after Secretary of States like it does Microsoft
[ link to this | view in chronology ]
Be careful what you wish for
[ link to this | view in chronology ]
Re: Be careful what you wish for
You're kidding right? The NSA hands out US data to other spy agencies like it's candy and every day is halloween, when the other agencies aren't handing them US data in return.
[ link to this | view in chronology ]
Re: Re: Be careful what you wish for
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Blowback
[ link to this | view in chronology ]