Appeals Court Upholds Its Denial Of DOJ's Demand For Microsoft's Overseas Data
from the go-bother-some-legislators,-kid dept
After being handed a loss in its judicial quest to force Microsoft to hand over data held in Ireland, the DOJ asked the Second Circuit for a rehearing of its July decision. At the center of the case is the DOJ's belief that it should be able to force US companies to turn over data/communications contained in overseas servers.
The government wants to have it both ways with its warrants for electronic data. On one hand, it analogizes data demands as being no different than digging through a filing cabinet found in a house it's searching. It argues that data held in servers/devices should be treated no differently than the personal papers the founding fathers tried to protect with the Fourth Amendment.
Then it argues that even if the "filing cabinet" isn't located on the premises it has a warrant to search, it should be able to access the contents of that cabinet. This, from Microsoft's motion to dismiss, explains what the government is truly asking for, using the sort of physical world comparisons the DOJ understands.
The Government cannot seek and a court cannot issue a warrant allowing federal agents to break down the doors of Microsoft's Dublin facility. Likewise, the Government cannot conscript Microsoft to do what it has no authority itself to do -- i.e., execute a warranted search abroad.
In its original decision, the Appeals Court pointed out that Congress clearly didn't intend the wording of the Stored Communications Act to cover foreign data centers, no matter what sort of twisted, hybrid paperwork the feds served Microsoft in hopes of routing around territorial limitations. The court noted, as it often does, that if the DOJ wanted its half-warrant/half-subpoena to both skirt mutual assistance treaties and the court's interpretation of the SCA, then it needed to approach Congress directly and get the SCA updated/amended.
And, indeed, the DOJ has done exactly that. It's seeking legislation specifically targeting the terroritorial limitations in the SCA that prevent it from doing what it wants to. But in the meantime, the DOJ thought the court should take another swing at it. The Second Circuit has decided to pass on this opportunity. But it has issued an affirmation [PDF] of its original ruling, with some additional dissenting voices appended.
An equally divided federal appeals court refused to reconsider its landmark decision forbidding the U.S. government from forcing Microsoft Corp and other companies to turn over customer emails stored on servers outside the United States.
Tuesday's 4-4 vote by the 2nd U.S. Circuit Court of Appeals in Manhattan let stand a July 14 decision that was seen as a victory for privacy advocates, and for technology companies offering cloud computing and other services worldwide.
But the dissenting judges said that decision by a three-judge panel could hamstring law enforcement, and called on the U.S. Supreme Court or Congress to reverse it.
"The panel majority's decision does not serve any serious, legitimate, or substantial privacy interest," Circuit Judge Jose Cabranes wrote in dissent.
The opinion doesn't tell the DOJ anything it didn't tell it previously, other than that the court is evenly divided. The decision reiterates points the DOJ didn't like the first time around. And, once again, it directs the DOJ's efforts at legislators, while also pointing out the dissent's similar willingness to interpret the law in ways Congress never intended.
The position of the government and the dissenters necessarily ignores situations in which the effects outside the United States are less readily dismissed, whichever label is chosen to describe the “focus” of the statute. For example, under the dissents’ reasoning (as we understand it), the SCA warrant is valid when (1) it is served in the United States on a branch office of an Irish service provider, (2) it seeks content stored in Ireland but accessible at the U.S. branch, (3) the account holding that content was opened and established in Ireland by an Irish citizen, (4) the disclosure demanded by the warrant would breach Irish law, and (5) U.S. law enforcement could request the content through the MLAT process. This hardly seems like a “domestic application” of the SCA.
Rather, we find it difficult to imagine that the Congress enacting the SCA envisioned such an application, much less that it would not constitute the type of extraterritorial application with which Morrison was concerned. Indeed, calling such an application “domestic” runs roughshod over the concerns that undergird the Supreme Court’s strong presumption against extraterritoriality, and suggests the flaw in an approach to the SCA that considers only disclosure.
The DOJ's flawed approach is also its most common approach. It seems genuinely baffled/irritated when its requests -- and its interpretation of the law -- are challenged. It views laws that don't allow it to do what it wants to do as broken. Rather than view limits in laws as guidance to help keep it aligned with Constitutional rights, it tends to do what it wants and let the courts sort it out.
Sure, the judicial process isn't exactly speedy, but it has better odds and a faster turnaround time than guiding legislation through multiple Congressional hoops. And it will continue to play the odds because not every service provider has the resources or legal acumen to fight back against unlawful demands.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: data, doj, ireland, overseas, privacy, second circuit, subpoena, warrant
Companies: microsoft
Reader Comments
Subscribe: RSS
View by: Time | Thread
Microsoft and it's various resellers here in Canada are constantly trying to convince us to move all our servers and workstations to the cloud. The number one selling feature, from an email just yesterday:
This is a big deal. A major theme of the NSA spying, Gitmo and drone killing debates in the US is "How Dare They Do It To AMERICANS!" The subtext being that doing it to non-Americans is acceptable. No-one believes that foreign-owned data has any legal protection whatsoever against otherwise unlawful search and seizure once it enters the US. No-one believes that it won't be mined by American security contractors "because terrorism" to give an advantage to American industry.
If Microsoft were to lose this fight they'd lose much of their overseas cloud hosting business.
[ link to this | view in chronology ]
Much worse than that
It's much worse than that. Currently most country's (including the EU*) laws lets US companies do business as long as they keep data in country. If Microsoft lost this fight it would be a perfect excuse to kick all US companies out.
Keep in mind, that cording to Irish/EU data privacy laws Microsoft can not legally share that data with law enforcement without an Irish warrant. Meaning, the US is trying to force Microsoft to violate Irish/EU law.
*EU has a data sharing agreement that says US companies can keep EU data in the US, but if this court decision went the other way it would probably have been canceled.
[ link to this | view in chronology ]
Re: Much worse than that
[ link to this | view in chronology ]
Re:
That, or they'd restructure the companies so that it's an "unrelated" Canadian company running the data centres. ...a company which happens to have licensed the name "Microsoft", and pays royalties to Microsoft USA to advertise their services.
[ link to this | view in chronology ]
Re:
On the subject of only spying on non-Americans.
I'll just remind everyone of this excellent 19 minute TED talk from a few years ago when the Snowden leaks broke.
Mikko Hypponen: How the NSA betrayed the world's trust — time to act
I love how at 3:20 into the talk he mentions that the NSA is only spying on "foreigners". He talks to the audience, "I'm a foreigner", "you're a foreigner". In fact, 96 % of the population of the planet is a "foreigner".
[ link to this | view in chronology ]
Re:
separate issue is ms boloney argument that when you see through window an fbi agent with warrant in his hand for search of your suitcase, you just can move that suitcase across the street to invalidate warrant.
finally, this is en banc case. meaning that whole set of judges reconsiders previous judgment of only three of their fellows judges.stage is set for the supremes.
[ link to this | view in chronology ]
Re: Re:
This might not make a difference for strictly American cloud servers, where Microsoft or Amazon moves and duplicates your data between server farms in different states.
But if the data is in Ireland or Canada - with privacy laws or marketing specify that the data does NOT get moved or duplicated to the US - then the agent's American warrant is invalid. He needs one from an Irish or Canadian judge.
Should the US Supreme Court rule otherwise it'll make little difference. Microsoft and Amazon will adjust their cloud hosting ownership to be answerable only to those countries' laws. They'll HAVE to, or lose all business in those countries.
[ link to this | view in chronology ]
Re:
Follow-up: New Trump Executive Order Says Federal Agencies Should Exclude Foreigners From Privacy Protections
Apparently that Executive Order was issued the same day I wrote the above post.
[ link to this | view in chronology ]
Re:
If a company migrates to a Canadian arm of an american cloud provider. This change makes that move one that puts companies in a legal quagmire.
[ link to this | view in chronology ]
Well, yeah...
It is. It's called "espionage". Mickeysoft does it as well.
[ link to this | view in chronology ]
"Filing cabinet"
How does this work for physical papers? If they had searched Microsoft in America and found reference to a document held in the Dublin office, could they require the Dublin office to produce that document?
[ link to this | view in chronology ]
Re: "Filing cabinet"
The interesting part about this case is that the EU and US have procedures especially designed for just that scenario. Except, in the US E-Mails are considered "abandoned" after a time so they don't need a warrant to force MS to turn them over. The EU and most of the world see this as crazy, and want to see actual probable cause first.
Yes, I realize the US law that declares E-Mail to be "abandoned" seems to violates the 4th amendment. Funnily enough, US law enforcement doesn't really care about that...
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Ides for storing private information on cloud servers
What if each "page" of information were stored on two servers. (By page, I mean an arbitrary sized block of bytes, like 4K bytes or something.)
Suppose a 4K page were stored as two 4K pages on two different servers. Each server located in a different country. In order to reconstruct that 4K page, you must get the two pages from the two servers and XOR them together.
Now Big Brother wants that 4K page of data. They could compel by force of law the production of the 4K page stored in this country. But they could not compel the production of the other 4K page that must be combined with it to get plain readable information.
An alternate implementation is to store an encrypted 4K page in the country, but store the key for it out of country. Or better, store multiple parts of the key, using the above technique, which must be XORed together to form the actual decryption key. That way even the plain decryption key isn't stored in any single country.
Redundant copies of the decryption key could be stored in two parts in various combinations of pairs of countries. For example the decryption key for a page could be produced by getting two parts from:
country A and B
country C and D
country C and B
country A and D
etc
Just an idea to keep Big Brother busy.
[ link to this | view in chronology ]
Re: Ides for storing private information on cloud servers
I have been using something similar for quite a few yrs now.
Holding half a key in my mind and the other half in a USB key fob. And I have no idea what the half key is that's held inside the fob. It would be nice to have a mechanism to backup the key that's inside the fob, in as you say, 2 or more parts and in 2 or more countries.
[ link to this | view in chronology ]
Re: Re: Ides for storing private information on cloud servers
[ link to this | view in chronology ]
Re: Ides for storing private information on cloud servers
This would actually be quite easy on an architecture like Freenet. I haven't looked at it in a while, so I don't exactly remember the protocol spec. But my guess is, that all you would have to do is look up the country code on localhost, and the country code of a few randomly selected upload targets, and do an XOR. Everything else is already native to the framework.
There is some question in my mind as to whether the fed actually understood what they were doing. On one hand this precedent will really put a lot of load on international law enforcement bodies. On the other hand that might be intentional. In order to create a greater dependency of foreign states on U.S. intelligence gathering.
IOW, this may have been designed to make the U.S. the reserved intelligence resource of the rest of the world. Much like the dollar is the reserve currency of the rest of the world. If everybody is compelled to trade data, the guy with the most data wins.
[ link to this | view in chronology ]