Another Judge Says The Microsoft Decision Doesn't Matter; Orders Google To Hand Over Overseas Data
from the when-reality-is-complicated,-simply-ignore-it dept
Microsoft may not have to respond to government demands for US persons' data held overseas, but it looks like everyone else (specifically, Google) will have to keep trawling their foreign data stores for US law enforcement.
The Second Circuit Appeals Court ruled US government warrants don't apply to overseas data. Courts outside of the Second Circuit are finding this ruling doesn't apply to Google's foreign data storage. The most obvious reason for this is other circuits aren't bound by this decision. The less obvious reason has to do with how Google stores its data.
As Google describes it, communications and data are in constant motion, moving in and out of the country as needed for maximum efficiency. When a warrant arrives, Google gathers everything it finds in its domestic servers but hands back a null response to data currently held overseas. Sometimes what Google hands law enforcement is nothing more than unusable digital fragments. Obviously, the government isn't happy with this new status quo.
And it is a new status quo, as is pointed out in this ruling [PDF] by a DC magistrate judge [via FourthAmendment.com]. The ruling here aligns itself with one handed down in Pennsylvania earlier this year. In that decision -- like in this one -- the judge noted Google used to capture everything requested, no matter where it was located. It's only very recently Google has refused to chase down data (and data fragments) located in servers around the world.
The process was described this way in the Pennsylvania decision:
Google stores user data in various locations, some of which are in the United States and some of which are in countries outside the United States. Some user files may be broken into component parts, and different parts of a single file may be stored in different locations (and, accordingly, different countries) at the same time. Google operates a state-of-the-art intelligent network that, with respect to some types of data, including some of the data at issue in this case, automatically moves data from one location on Google's network to another as frequently as needed to optimize for performance, reliability, and other efficiencies.
As a result, the country or countries in which specific user data, or components of that data, is located may change. It is possible that the network will change the location of data between the time when the legal process is sought and when it is served. As such, Google contends that it does not currently have the capability, for all of its services, to determine the location of the data and produce that data to a human user at any particular point in time.
Nothing has changed here. And nothing has changed in terms of legal analysis, despite this memorandum order being issued in a DC court. The court finds Google does not effect a seizure of requested data because it simply makes a copy of it. It also points out (and Google concedes) that it does not act as a government agent when it does this, despite the only reason for Google's copying of the data is to respond to a government warrant. The court notes the Stored Communications Act does carry privacy implications, but only as far as the private entity's actions -- not the government's demands. The court's analysis states the SCA provisions only prohibits unlawful access (such as hacking) while regulating companies' responses to government demands.
The court goes on to say Google's view of its legal responsibilities is completely untenable. Because of the transitory nature of Google's data handling, it would never be able to fully comply with demands for records, no matter which country issued the order.
Finally, it must be said that the above Morrison analysis of the operative sections of the SCA has the added benefit of avoiding the bizarre results that application of the Microsoft decision to modern data networks like Google's would produce. If that decision's focus on the physical location of the data's storage were to be applied to service providers using such networks, the records and information the government would receive in response to an SCA warrant may differ significantly depending on the date on which the warrant is served. Indeed, the same warrant served on ten different days may well produce ten different results depending on where on the network the shards of responsive data are located at the moment each warrant is served. Such random results -- generated by a computer algorithm -- would serve the interests of neither privacy nor international comity.
Compounding the problem, even assuming the service provider could and would identify for law enforcement the location of the foreign-based servers on which the missing data was stored (as Google refused to do here), that knowledge would effectively be useless to the government here. By the time the government could initiate the international legal process necessary to obtain the missing data from wherever it was stored, it is entirely possible that the network would have relocated the data yet again to a server in a different country. Moreover, it is Google's position that it need not respond overseas to any such international legal requests because it is only at its headquarters in California that its data can be accessed and compiled into a recognizable electronic file. Thus, in Google's view, the only means available to obtain records and information related to a Google account is by serving an SCA warrant on its LIS team in California.
The magistrate says that's not going to work -- not under the stipulations of the SCA. In fact, it's just not going to work at all because of Google's data-handling. It may be primed for efficiency, but does little to help it comply with warrants.
To reach the conclusion advanced by Google here, the Court would need to find that a properly-issued SCA warrant requiring the disclosure to law enforcement in the United States from Google's headquarters in the United States of digital files accessible only from the United States constitutes an extraterritorial application of the SCA simply because pieces of data that make up those files were stored on a server located outside the United States at the moment in time the warrant was executed. Because such a conclusion runs contrary to the straightforward extraterritorial analysis of the SCA under Morrison detailed above, the Court finds that Google has not shown cause for its failure to produce all the records and information called for in the instant warrant within its possession, custody, or control.
In the end, the court orders Google to ignore the realities of its data flow. It may make things easier for law enforcement, but it has very little to do with keeping the government within its jurisdictional confines.
Google's LIS representatives in California can access, compile, and disclose to the government those records and information with the push of a button and "without ever leaving their desks in the United States." Microsoft, 829 F.3d at 229 (Lynch, J., concurring). Because that "entire process takes place domestically," id., Google will be ordered to comply with the warrant in full, and to disclose to the government all responsive electronic records and infonnation identified in Attachment B to the warrant within its possession, custody or control, wherever those records and information may be electronically stored.
In essence, Google is being ordered to act as a government agent to secure all requested data wherever it happens to reside. Since it can do it from a California office, the court reasons nothing foreign is touched -- at least not by the government. Once it's all packaged up locally, the local boys can access it without fear of a suppression challenge.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 4th amendment, doj, ecpa, international data, privacy, sca, subpoena, warrant
Companies: google, microsoft
Reader Comments
Subscribe: RSS
View by: Time | Thread
Turnabout is fair play
In essence, Google is being ordered to act as a government agent to secure all requested data wherever it happens to reside. Since it can do it from a California office, the court reasons nothing foreign is touched -- at least not by the government. Once it's all packaged up locally, the local boys can access it without fear of a suppression challenge.
By that argument any other country that google has offices in could also order the company to hand over US based data by claiming that the company isn't demanding foreign-located information, but merely local, and the US person(s) involved wouldn't have grounds to object because the 'collection' took place entirely within the country.
As for the 'It's not the government doing it, it's entirely Google', that's complete and total garbage. Google is only performing the action under order of the government. If the government couldn't do it itself, forcing someone else to do it and then pretending that they're doing it entirely on their own is absurd, and ignores the limits of the law entirely though sleazy reasoning. If the government forces someone to do something then they are acting on the government's behalf when they do it.
[ link to this | view in chronology ]
Government has a point...
In light of the Microsoft case, I'd say Google has every right to withhold that information, but it does seem a bit like Google does say it is above the law... which I'm also not about.
Quite literally a convoluted network management solution of a company (regardless of how justified or efficient) is no better than the NSA saying "we cant tell how many people's privacy we are tromping on because we will violate people's privacy to find out".
I'm a fan of accountability and the police doing the right thing (like requesting warrants). It is rulings like this that makes officer's bend the law and do parallel construction and other nefarious backroom hacking... That helps no one. Just saying...
[ link to this | view in chronology ]
Re: Government has a point...
I suppose Google does have the means to comply with the order, by simply changing how it manages data. The question is, does it have to change how it manages it's data so that it can comply?
That question isn't just an abstract question about network management, it implicates a lot of other very concrete aspects of law. For instance, a person can set up their finances so all their income is earned in the name of and goes to an overseas trust which buys what it's trustees (who happen to be the person in question and a couple of people he employs for the purpose of agreeing with his decisions) tells it to and lets the trust's beneficiary (also the person in question) use it. That way the person has no income and no assets in the US and none of the trust's income is under US jurisdiction, so they don't have to pay US income tax on anything. That person can easily change their finances to bring all of their income under US jurisdiction. Assuming that the trust arrangement is legal, is that person then obligated to change their finances so the US can collect income tax from them?
The question's the same in both cases. I do things in X way. The government orders me to give it something it's entitled to ask me for. As it stands I'd only have to turn over A to comply with their order, but if I stop doing things X way and do them Z way instead then I'd have to turn over B, C, and D in addition to just A. Both X and Z are perfectly legal ways of doing things. The government would prefer I turn over A, B, C, and D. Am I obliged to change how I do things to suit their preference, or am I entitled to turn over only A and tell them to go pound sand as far as B, C, and D go until they can get the law changed to make doing things X way no longer legal?
[ link to this | view in chronology ]
Re: Re: Government has a point...
* More generally, they could set it up so a user's key is never in their home country.
[ link to this | view in chronology ]
Re: Re: Re: Government has a point...
[ link to this | view in chronology ]
Re: Re: Re: Re: Government has a point...
US courts have always had a tendency to regard the rest of the world as fair game, while regarding all actions on US soil as immune from any foreign action.
This is the sort of attitude that is common an acceptable in 5 year old children ...
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Government has a point...
Also common in childish adults.
[ link to this | view in chronology ]
Sad day to be an LEO
Google would likely be in breach of EU law, although to be said, it's not totally clear what's meant by a "Person's data". It might be an eMail or bank record but then again it might be an mp3 track stored in a cloud somewhere.
More food for thought; a lot of organisations that handle personal, sensitive or restricted data quite often prevent anyone within their organisation from having actual sight of the data, and that can include the hard-core admins. It's only when data enters or exits their platform that data becomes plaintext, or meaningful. And that perimeter can be on someone's application or browser in an entirely different jurisdiction.
[ link to this | view in chronology ]
Re: Sad day to be an LEO
The loophole is the hardcore admins can be ordered by their local jurisdiction to reconfigure things so that data is visible. As is the implication in this case with Google: "Your current methods are not favorable to us, so change them so they are favorable, or else."
Is it political suicide? In the US I'd wager not, and sadly, that is becoming my default opinion for every nation around the world. As nations have woken up to the idea that they can use the technology to control their populous without fear of penalty, they are increasingly becoming more tyrannical in how they shape it's policy.
Just because you can shift the location of data doesn't mean that you'll be able to. If anything will kill the internet, (or at least the modern version of it), it will be the governments of the world abusing it to the point that it's only primary use in practice will be for spying on and controlling the lives of citizens.
[ link to this | view in chronology ]
Re: Re: Re: Government has a point...
[ link to this | view in chronology ]
Re: Government has a point...
[ link to this | view in chronology ]
Re: Government has a point...
Bull. Google said no such thing.
[ link to this | view in chronology ]
Re: Government has a point...
Courts no more "make" cops break the law than they do any other criminal.
[ link to this | view in chronology ]
Re: Government has a point...
[ link to this | view in chronology ]
The data is available to and generally controlled by the US parent company. What physical device it is on should not be material. Otherwise all US companies would just offshore all IT operations and nake all of their business records out of bounds.
[ link to this | view in chronology ]
Re:
Google is a multinational company with offices and doing business in more than 40 countries around the world. It has product research and development operations in cities around the world. They are subject to the laws of those countries just as much as to American law.
Sure, American law will likely set the standard for how Google responds to one country's request for data beyond it's borders. And then other countries will expect no less.
An American company or person has upset authorities in Turkey? Their court will be able to demand international data - including on American servers - too.
[ link to this | view in chronology ]
Time to re-incorporate in another country
That the US has a particularly disturbing history of extra-territorially imposing its laws on other countries and citizens of other countries is cause for concern.
Better for Google, et. al. to re-incorporate in another country, change the composition of its Board to be majority non-American (and have no American C-level executives).
[ link to this | view in chronology ]
Awesome video on the leftist victim mentality
https://www.youtube.com/watch?v=9BW0kU_wc2U
[ link to this | view in chronology ]
Re: Awesome video on the leftist victim mentality
Take your "my side is better than your side" flap trappy garbage and hit the road, dickhead.
[ link to this | view in chronology ]
Re: Re: Awesome video on the leftist victim mentality
[ link to this | view in chronology ]
Re: Re: Re: Awesome video on the leftist victim mentality
[ link to this | view in chronology ]
Re: Re: Re: Re: Awesome video on the leftist victim mentality
I thought the post was rather insightful, irrespective of your "cognitive dissonance", which I don't think applies here.
[ link to this | view in chronology ]
Re: Re: Re: Awesome video on the leftist victim mentality
[ link to this | view in chronology ]
Re: Re: Awesome video on the leftist victim mentality
[ link to this | view in chronology ]
Re: Re: Re: Awesome video on the leftist victim mentality
[ link to this | view in chronology ]
Re: Re: Re: Re: Awesome video on the leftist victim mentality
Imagine, just for a moment, Techdirt without censoring. When two different opinions, or even three, are allowed to be displayed without the fear based censorship displayed above.
When you hide the dissent, and display only the vitriol, you damage your own cause.
I would also respectfully point out that if you had a point, you would just present it, and not have to resort to either nasty language or humor. You have no argument to present, right, that's why you go this route. I believe your behavior is exactly consistent with the original poster's message - you are a leftist, you have nothing to say, so you resort for to rhetorical violence, and later to physical violence, like Berkeley and others.
[ link to this | view in chronology ]
Re: Awesome video on the leftist victim mentality
It's a shame people had to get hurt in the crossfire of ideas. Good thing none of them were inveterate NRA supporters or the irony would be palpable. Almost like the irony of voting away people's healthcare then needing your own government-handout healthcare to save your life...
[ link to this | view in chronology ]
Re: Re: Awesome video on the leftist victim mentality
[ link to this | view in chronology ]
Re: Re: Re: Awesome video on the leftist victim mentality
[ link to this | view in chronology ]
Re: Re: Re: Re: Awesome video on the leftist victim mentality
Shouldn't we do the same thing for knives? And motor vehicles? What about hammers?
[ link to this | view in chronology ]
What's to keep some Chinese lawyer presenting a demand--blessed with all the forms of Chinese legality that good money can bribe--demanding the trade secrets of some American company, because, after all, part of those secrets might have once resided on a server in Hong Kong?
Google needs to clarify their own jurisdiction; and if the intent is to maintain the data outside the U.S. (as EU laws may require), then having it "sometimes in the U.S." isn't going to be a workable solution.
[ link to this | view in chronology ]
Re:
This is going to bite them so hard. The moment it's an EU citizens data in question Google is going to face massive EU fines. Except, if they don't comply they're in contempt in the US.
This is exactly the reason why Microsoft has refused to turn over the data. They know that the moment they do so the EU will burn them alive.
[ link to this | view in chronology ]
Different laws for different people
[ link to this | view in chronology ]
They could treat it like foreign profits...
OTOH, Google may very consciously keep foreign data out of the US, whether due to foreign regulations or simply because there is no business need to know. In cases where the data has never been "in" the US, I find it hard to see where the US can claim jurisdiction.
This approach addresses the shell-game (where is the data at the moment the order is served?) that the PA and DC courts are worried about, while still maintaining jurisdictional boundaries. The order would be valid if the data was ever in the US, but not if it was walled away from the US on an ongoing basis.
[ link to this | view in chronology ]
Foreign Laws
[ link to this | view in chronology ]
Re: Foreign Laws
[ link to this | view in chronology ]
Re: Re: Foreign Laws
The data has no nationality, no. Where it's located most certainly does have an impact.
If 'it's accessible in the US' means that it's not foreign when it comes to a US court demanding it be handed over, then by that same argument foreign courts can demand that US based data be handed over because google happens to have an office there.
Be very careful opening up that can of worms, as once open it can be easily used by others in ways you might not be so happy with.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
EU Applicability
[ link to this | view in chronology ]
Yeah, OK, whatever
Look folks. If you let somebody other than yourself hold your unencrypted data (or hold the keys to your encrypted data), then you can expect those data to be given to people you don't want them given to.
That's not a US law matter, and it's not an international law matter. It's a laws of physics matter. It will happen regardless of anybody's laws.
Only idiots store anything in the cloud unencrypted if they don't want it known.
The solutiond to this are decentralization, user-managed end-to-end cryptography, and stealth technology. Where that interacts with the law is in the need to keep those things from being forbidden (or to make it impossible to enforce any laws against them).
Spending time on some doomed attempt to keep governments from forcing corporations to turn over data is a distraction.
It may actually be a useful distraction, because as long as the governments think they can get what they want by attacking Google or whoever, their attention doesn't turn to finding ways to attack the actually effective technical approaches. With some luck, you might even get them to tie themselves up in giant nets of treaties and precedents that would make it harder for them to interfere with anything actually effective once they figured out that they needed to.
But it's not useful to drink your own Kool-Aid and think that you'll ever get useful protection from Google, Microsoft, or anybody else.
[ link to this | view in chronology ]
Re: Yeah, OK, whatever
I agree with you on that. Question for you (if you don't mind): do you have any opinion about whether this solution ("user-managed end-to-end cryptography") could be or should be open source?
[ link to this | view in chronology ]
Re: Re: Yeah, OK, whatever
I'm not the person you asked, but I hope you don't mind my answering:
It would have to be; how else could you verify that it worked as intended, and didn't contain any nasty surprises?
Security through obscurity doesn't work. Strong security is reproducible and verifiable. If an E2E encryption process works, then there's no reason to hide the nature of how it works.
That's not to say there are no vulnerabilities in open-source software; of course there are. There have been some extremely serious ones found in major projects like OpenSSL, after going undetected for years. That is seriously bad news. But "it was vulnerable because it was open-source" is the wrong conclusion to draw.
[ link to this | view in chronology ]
Re: Re: Yeah, OK, whatever
[ link to this | view in chronology ]
Re: Yeah, OK, whatever
The cloud, or companies, being crap, does not excuse governments and their courts from being crap.
Everything which may be abused (which is everything), will be abused. See? I told you so. Therefore you are all idiots. All your base nao morally belong to me, apparently.
[ link to this | view in chronology ]
The court finds Google does not effect a seizure of requested data because it simply makes a copy of it.
Unless that data is copyrighted of course, in which case making a copy of it is most definitely a seizure carried out by a no-good filthy pirate...
[ link to this | view in chronology ]
Re:
Which it is, of course, because copyright is automatic. No way to avoid it.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
law as written != law as intended
If I execute a search warrant on a physical property while someone has just departed with the eveidence, I won't find anything. Just because it was once in that cupboard over there does not mean it will be forever, and a warrant for that cupboard will not extent to anything that has ever been or will ever be in that cupboard.
But the existing legislation written for a physical world often do not work very well in a modern digital context. Just as searching someones pocket contents in 1917 is very, very different from searching all digital devices carried in their pockets in 2017, other laws don't translate well. You will need to update them.
You have an amorphous network of data that self-organizes, moves and copies according to current neeeds? It needs to be fair game for seizure from any government that has legal jurisdiction over part of that network. You want to obey several different legal privacy frameworks? Build different data networks, e.g. one North American, one European. As soon as the data moves automatically from one jurisdiction to another you need to submit it to both jurisdictions to avoid idiotic results as those described above, where any warrant is just a lucky grab for fragments to puzzle over, like a legalistic heartbleed exploit.
But such legal reforms need technically competent legislators, or competently advised legislators willing to *be* advised. Not to mention legislators without hidden agendas (like corruption, lobbying, thirst for power...). Since both are rare qualities, ever getting a majority having both those qualities seems unlikely.
[ link to this | view in chronology ]
Re: law as written != law as intended
[ link to this | view in chronology ]