Here is a simple explanation of what it means.
By Jeff Gould, SafeGov.
To the surprise of many, Microsoft has just won a historic court case defeating efforts by the U.S. government to seize private data held by the firm’s customers overseas. According to a U.S. Appeals Court ruling, Federal prosecutors cannot use search warrants to grab the content of email messages from data centers located outside the United States, even when these facilities are owned and operated by a U.S. cloud provider such as Microsoft.
The facts of the case are simple to state. In 2013 Federal prosecutors working on a drug case were seeking the emails of an unnamed subject stored on Microsoft servers in Dublin, Ireland. Although the existing Mutual Legal Assistance Treaty (MLAT) between Ireland and the U.S. allowed the prosecutors to ask the Irish government for this data, they decided that process was too cumbersome. Instead, they persuaded a Federal District Court to approve a warrant served directly on Microsoft, ordering it to turn over the emails. Microsoft agreed to provide the account’s metadata stored on its U.S. servers, but refused to turn over the actual content of the messages, located in Dublin, arguing that the warrant was not valid overseas. While this user has never been publicly identified, Microsoft has hinted that the individual is a “non-U.S. person”, that is, neither a citizen nor resident of the United States.
The warrant was issued under the Stored Communications Act (SCA). This 1980s-era law was intended by Congress to extend the privacy protections of the 4th amendment to the then entirely new category of “stored electronic communications”, while at the same time preserving the government’s legitimate use of warrants and subpoenas in criminal investigations. The government’s choice of a warrant rather than a subpoena was significant. Subpoenas can sometimes be used to compel individuals subject to U.S. authority to turn over items located overseas, but they require the government to inform the target. Warrants do not require such disclosure, but have traditionally been held to be enforceable only on U.S. territory.
In the physical world, the rules are clear. U.S. law enforcement officers cannot simply fly to Dublin, pound on someone’s door, and demand to search the premises. But in cyberspace frontiers become murky. In this case the government argued that SCA warrants were “hybrids” combining features of both warrants and subpoenas. The government also claimed that because its seizure of the targeted emails would only take place after Microsoft repatriated the data from Dublin to the U.S., the search would in fact be executed on American soil. The Appeals Court rejected these arguments and ordered the warrant quashed.
Law professors, prosecutors and Washington policy experts will be parsing this decision for years to come. But there is no doubt that it is a major victory for customers of U.S.-based cloud service providers, wherever they are located. We can summarize the implications of the Court’s ruling in three points:
- America’s 1980s-era laws defining privacy protection for “electronic communications” are obsolete. Congress must update them for what the Appeals Court judges very aptly name “today’s Internet-saturated reality”.
- While waiting for Congress to revise outdated legislation, prosecutors will not be allowed to improvise ad hoc workarounds that trample the constitutional rights of cloud users to protection from unreasonable government search and seizure. The Appeals Court acknowledges that its decision may create obstacles for law enforcement, but bluntly states that these “practical considerations” cannot overcome the conclusion that “an SCA warrant may reach only data stored within United States boundaries”.
- In addition to Congressional action, there is a broader need for a new international framework for the exchange of law enforcement information between countries. This framework must find the difficult balance between individual privacy rights and the legitimate interest of governments to fight crime. At the same time, it must strive for the efficiency and speed of information flow made possible by the Internet. Developing such a framework is a task that the United States must undertake in cooperation with its peers, particularly its close allies in Europe and the Asia-Pacific region.
A detailed proposal for just such a framework has been made by a pair of prominent law professors, Jennifer Daskal and Andrew Woods. Microsoft’s top lawyer, Brad Smith, has expressed support for the concept in testimony before Congress last February. A particularly innovative element to have emerged in recent debates is the idea that the data privacy rights of individuals should travel with them wherever they go, rather than being determined by the physical location of the data. Thus, U.S. prosecutors would be allowed to obtain data belonging to a U.S. citizen even though stored on a cloud server in Europe (provided of course that they can show probable cause as required under U.S. law). Similarly, European authorities could obtain the data of European citizens stored on servers in the U.S., if the requirements of European law for such searches are met. A bilateral agreement implementing this idea is currently under negotiation between the U.S. and the UK.
Beyond this possible bilateral pact, negotiating a broader multilateral agreement among nations for a new lawful data exchange framework will be a slow and complex process, fraught with political as well as technical uncertainties, and buffeted by the events of the day – events which we know are all too often violent and tragic. But the thousands of enterprises around the world that are betting their future prosperity on the dramatic strategic and cost benefits of the cloud should be reassured by the U.S. Appeals Court ruling in the Microsoft Dublin case – the rule of law established in the physical world will also prevail in the cloud.
Jeff Gould has 20 years of experience in technology publishing and IT market research. Jeff currently serves as the president of SafeGov Inc.safegoveu