Archives

Microsoft Email Disclosure Challenge

Microsoft continues to challenge the jurisdiction of federal prosecutors attempting to force the tech giant to disclose a customer’s email stored in a data center in Ireland. This objection is likely the first time a corporation has challenged a domestic search warrant seeking digital information overseas.

It’s no surprise that this case has garnered the concern of privacy groups and major US technology companies, many of which are under pressure from foreign governments worried that the personal data of their citizens is not being appropriately protected in the data centers of American companies.

On Tuesday, June 10, Verizon filed a brief that reflected many of Microsoft’s objections, and it’s expected that more corporations will chime in. The Electronic Frontier Foundation (EFF) is working on a brief supporting Microsoft. Of course, European authorities are discontent.

In a public court filing on Monday, June 9, Microsoft said that if the judicial order to surrender the email stored abroad is upheld, it “would violate international law and treaties, and reduce the privacy protection of everyone on the planet.”

Background

The search warrant was granted by a federal magistrate judge in New York last December, as part of a criminal inquiry. Neither the identity nor nationality of the customer has been revealed. The company protested, on the grounds that the customer’s emails were stored in Dublin, and thus beyond the reach of a domestic search warrant.

Search warrants seeking information abroad are quite rare. However, Microsoft was unsuccessful in its initial objection. In June, it began lobbying for a reversal in Federal District Court in New York.

According to Peter Swire, professor at the Georgia Institute of Technology, who served on a White House advisory group on intelligence and communications technologies in 2013, “This is a policy decision as well as a legal one.”

In a criminal proceeding, the debate plays out in public court filings from the get go. That openness lies in stark contrast with intelligence data collection, conducted for years in secrecy, with minimal oversight, until Edward Snowden’s leaks demonstrated the extent of clandestine information gathering carried out by the National Security Agency.

NY Federal Court Ruling

In his ruling back in April, James C. Francis, a magistrate judge in New York federal court wrote, “Microsoft’s argument is simple, perhaps deceptively so.”

In response, Microsoft holds that the rules that apply to a search warrant in the physical world should apply online. The standard of proof for a search warrant is “probable cause” and “particularity,” meaning a person’s name and where the person, evidence or information reside.

A subpoena (i.e. the less powerful court-ordered investigation tool) requires only that the information is “relevant to an ongoing investigation.” But a subpoena, unlike a search warrant, requires that the person being investigated be informed.

In his order, Judge Francis wrote that the Electronic Communications Privacy Act (ECPA), which was passed in 1986, created an in-between category intended at the time to protect people from indiscriminate data gathering that subpoenas might allow of online communications. The result is much like a hybrid between search warrant and subpoena, thus applicable to information held in Microsoft’s overseas data center.

Critics say…

Privacy advocates are concern that if the judge’s order stands, the gates might be opened to unchecked investigations in the digital world of anyone, anywhere. Lee Tien, lawyer for the EFF commented, “United States search warrants do not have extraterritorial reach. The government is trying to do an end run.”

For its part, the Justice Department argues that Microsoft is stretching the law. In a filing, Preet Bharara, US attorney for the Southern District of New York, described the company’s analogy between physical search warrants and their digital counterparts as “misguided,” and maintained that Internet companies cannot avoid complying with a search warrant “simply by storing the data abroad.”

Bharara continued that if Microsoft were successful in this case, it would be “a dangerous impediment to the ability of law enforcement to gather evidence of criminal activity.”

While governments routinely exchange information in criminal cases through cooperative agreements called mutual legal assistance treaties, this treaty process could be “slow and laborious.”

According to Swire – largely recognized as an internet policy and privacy expert – these treaties are the appropriate mechanism for accessing information from abroad in criminal cases. Swire also noted that the Obama administration had sought increased funding for handling legal assistance treaty cases.

More cases like this to come

These days, it’s common for tech companies to store their data in a global network. Microsoft has an extensive global network of data centers including over one million computers in more than 100 data centers spread over 40 countries.

In order to combat the notion that many American tech companies are too compliant with the US government, many have begun building data centers abroad. However, this is not a good strategy if companies can be ordered to hand over data regardless of where it is stored, as Microsoft is being ordered to do.

Microsoft underscored this point, writing in its filing that the government’s position will “ultimately erode the leadership of US technology companies in the global market.”

Summary

Microsoft has been ordered to hand over email data stored in a Dublin, Ireland data center. It has currently in the process of protesting this order.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) and the Certified Information Privacy Professional/United States (CIPP/US) exams, a privacy professional should be comfortable with topics related to this post, including:

  • Privacy expectations (CIPP/IT; II.A.)
  • Jurisdiction (CIPP/US; I.A.c.i.)
  • Electronic Communications Privacy Act – emails (CIPP/US; III.A.b.ii.1.)
Share

Leave a Reply

 

 

 

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>