Microsoft Fights U.S. Warrant

Justice Department Seeks E-mails Stored In Dublin
Microsoft Fights U.S. Warrant

Microsoft continues to fight a U.S. government subpoena demanding that it turn over copies of a customer's e-mails stored at a data center in Dublin.

See Also: 2016 Enterprise Security Study - the Results

"Congress has not authorized the issuance of warrants that reach outside U.S. territory," Microsoft wrote in a June 6 court filing to the U.S. District Court in Manhattan, which was made public June 9. The company warned that if the court upheld a previous ruling that U.S. courts could grant domestic investigators search warrants to access information stored overseas, it "would violate international law and treaties, and reduce the privacy protection of everyone on the planet."

Microsoft's legal maneuvers might have been unthinkable a year ago. But last summer, National Security Agency contractor Edward Snowden's leaks highlighted the volume of information that the U.S. government was surreptitiously intercepting from the likes of Microsoft, Apple, Facebook, Google, Yahoo and their peers. In light of outrage from customers around the world, technology giants are now battling for greater accountability, transparency and oversight of governments' information requests.

Last week, Microsoft general counsel Brad Smith said in a blog post that its recent legal moves represent "unfinished business on government surveillance reform." In part, Microsoft's actions are intended to reassure overseas customers that it's taking steps to safeguard their information from the U.S. government.

The latest news concerning Microsoft's legal moves was first reported by the New York Times and the Washington Post. Crucially, this case involves a criminal investigation, meaning that unlike matters of national security, accompanying court records can - and have - been made public.

Verizon Joins In

Microsoft isn't the only organization battling the U.S. government's use of search warrants to grab data stored abroad. Verizon attorney Michael Vatis on June 10 filed a friend of the court brief in support of Microsoft, warning the court that giving the U.S. government carte blanche access to data stored by U.S. businesses abroad would have profound implications for cloud computing.

"If the court were to permit the U.S. government to obtain, in a manner contrary to both U.S. and foreign law, customer data stored abroad, it would have an enormous detrimental impact on the international business of American companies, on international relations, and on privacy," Vatis wrote.

The Electronic Frontier Foundation, a privacy rights group, plans to file a friend of the court brief in support of Microsoft in the next couple of days, a spokesperson says.

A spokesperson for Ireland's Office of the Data Protection Commissioner says her office has "no comment to make on this matter."

The Dispute's Origins

This legal tussle was first sparked when the U.S. government in December 2013 filed a search warrant related to a criminal investigation seeking data stored in a Microsoft data center in Ireland. In particular, investigators from an undisclosed U.S. agency sought information related to the Microsoft customer's e-mail account, including copies of all messages sent and received with the account, online session access times and duration, as well as records of any payment cards associated with the account.

The identity and nationality of the Microsoft customer being investigated remains under seal.

In April, U.S. Magistrate Judge James Francis rejected a request from Microsoft to quash the December 2013 search warrant, ruling that e-mail providers - including Microsoft and Google - must comply with valid warrants from the U.S. government that require that they turn over any e-mails or customer information stored overseas. Otherwise, the federal judge wrote in his ruling, "the burden on the government would be substantial, and law enforcement efforts would be seriously impeded."

On June 6, Microsoft filed its objection in the U.S. District Court for the Southern District of New York, asking the court to dismiss Judge Francis's ruling and quash the December search warrant. Oral arguments in the case are scheduled to be heard July 31. After the court makes its decision, however, there could be further appeals.

Caspar Bowden, an independent privacy researcher and former chief privacy officer at Microsoft, told Britain's Guardian newspaper the case could have repercussions for U.S. businesses trying to compete abroad. "This judgment increases the apprehension EU citizens will feel that their data is not protected under U.S. law," he said. "If the U.S. cloud industry was worried before about lack of confidence of foreign customers, this judgment just upped the ante very considerably - subject of course to any appeals."

Limits of Search Warrants

Microsoft attorney Brad Smith said in his blog post that the company wants U.S. courts to "recognize that U.S. search warrants end at U.S. borders."

"We're concerned about governmental attempts to use search warrants to force companies to turn over the contents of non-U.S. customer communications that are stored exclusively outside the United States," he said. "The U.S. government wouldn't stand for other governments seeking to serve search warrants within American borders to seize the content of U.S. citizens' e-mails without going through U.S. legal process. Why should it expect other governments to react any differently?"

Microsoft is one of a number of technology companies that's been urging Congress to overhaul the Electronic Communications Privacy Act of 1986 for the cloud computing era, starting with strengthening the privacy protections afforded to consumers' digital communications. Under current U.S. law, government investigators must obtain a search warrant to access any e-mails that are less than six months old. Such warrants must be issued by a judge, and require probable cause. But to obtain for older messages, as well as opened e-mails, the government says it only requires a subpoena, which doesn't require the approval of a judge, and can be gained if there's any reasonable possibility that information being sought will be relevant to an investigation.

Nature of Court Order

But Judge Francis, in his April ruling, wrote, in what appears to be the first such judgment, that court orders obtained under the Stored Communications Act - of the type received by Microsoft in December - are a hybrid between a search warrant and a subpoena. On the one hand, the orders needed to be obtained from a judge, and based on probable cause. But on the other, such orders don't get executed in person - for example, by FBI agents at a data center in Ireland. "It is executed like a subpoena in that it is served on the ISP in possession of the information and does not involve government agents entering the premises of the ISP to search its servers and seize the e-mail account in question," he wrote.

Microsoft and privacy rights groups have warned, however, that if Francis's ruling gets upheld, then there will be little oversight of government investigations that cross borders. "United States search warrants do not have extraterritorial reach," Lee Tien, a lawyer for the Electronic Frontier Foundation, tells The New York Times. "The government is trying to do an end run."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network