Microsoft to Appeal E-Mail Ruling

Judge Upholds U.S. Request for Messages Stored in Ireland

A U.S. federal court judge has upheld a warrant requiring Microsoft to give the Justice Department, as part of a criminal investigation, copies of e-mails being stored at a data center in Dublin.

After a two-hour hearing on July 31, Judge Loretta A. Preska of the United States District Court for the Southern District of New York rejected Microsoft's move to have the U.S. warrant dismissed. Instead, she ruled that Microsoft must comply with the warrant, which orders it to surrender copies of a customer's e-mails that are stored in Ireland. "It is a question of control, not a question of the location of that information," Preska said.

But she immediately suspended her ruling because Microsoft said it planned to take the case to the Second U.S. Circuit Court of Appeals.

Microsoft general counsel Brad Smith said in a statement July 31 that the company will continue to fight the warrant. "The only issue that was certain this morning was that the District Court's decision would not represent the final step in this process," he said. "We will appeal promptly and continue to advocate that people's e-mail deserves strong privacy protection in the U.S. and around the world."

A Long Battle

Microsoft has contested the subpoena since receiving it in December 2013. In April, U.S. Magistrate Judge James Francis rejected Microsoft's initial move to have the subpoena quashed, ruling that the company must comply with valid U.S. government warrants, even for information stored overseas. Otherwise, he said, "the burden on the government would be substantial, and law enforcement efforts would be seriously impeded."

But Microsoft lawyer Joshua Rosenkranz argued in court July 31 that allowing U.S. warrants to be executed overseas would be granting the government an "extraordinary power," the Guardian newspaper reported.

Assistant U.S. Attorney Serrin Turner, however, told the court that the subpoena was only for documents being controlled by Microsoft and didn't amount to a search being conducted in Ireland, according to the Guardian. "It makes no sense for Congress to make the government go on a wild-goose chase ... when the provider is sitting here in this country and can access the data at the touch of a button," Turner said.

Ruling Sets Precedent

Ultimately, Preska upheld the magistrate judge's April ruling. Legal experts say this case appears to be the first time U.S. investigators have been allowed to obtain cloud-based data stored by a U.S.-based company abroad, without having to appeal to local prosecutors, comply with local laws or respect related treaties that the United States might have in place with that country.

AT&T, Cisco and Verizon have publicly disagreed with the Obama administration's attempt to access data stored overseas, filing amicus briefs in support of Microsoft. Verizon, for example, said that giving the U.S. government access to e-mails overseas could trigger a "dramatic conflict with foreign data protection laws" as well as "dramatically increase the harm to American businesses" that's already resulted after Edward Snowden's leaks revealed the extent to which U.S. intelligence agencies routinely intercept foreign data.

EU Sounds Warning

The European Commission, meanwhile, has said it expects any company that does business inside Europe and works with Europeans' data to comply with EU privacy and data protection laws. "Companies operating on the European market need to respect the European data protection rules - even if they are located in the U.S.," Mina Andreeva, European Commission spokeswoman for justice, fundamental rights and citizenship, told the BBC in April.

"The commission's position is that this data should not be directly accessed by or transferred to U.S. law enforcement authorities outside formal channels of cooperation, such as the mutual legal assistance agreements or sectoral EU-U.S. agreements authorizing such transfers," she said. "Access by other means should be excluded, unless it takes place in clearly defined, exceptional and judicially reviewable situations."

Fourth Amendment Questions

Before Preska's ruling, Microsoft's Smith laid out the company's case in a July 29 Wall Street Journal op-ed piece. "Microsoft believes you own e-mails stored in the cloud, and that they have the same privacy protection as paper letters sent by mail," he wrote. "This means, in our view, that the U.S. government can obtain e-mails only subject to the full legal protections of the Constitution's Fourth Amendment. It means, in this case, that the U.S. government must have a warrant. But under well-established case law, a search warrant cannot reach beyond U.S. shores."

A June amicus brief filed by privacy rights group Electronic Frontier Foundation likewise argued that U.S. warrants shouldn't allow the government to "seize" overseas e-mails. "The Fourth Amendment protects from unreasonable search and seizure," foundation staff attorney Hanni Fakhoury said. "You can't ignore the 'seizure' part just because the property is digital and not physical. Ignoring this basic point has dangerous implications - it could open the door to unfounded law enforcement access to and collection of data stored around the world."

Risk of Repercussions

Microsoft's Smith likewise warned in his op-ed piece that giving the U.S. government access to the e-mails stored in Dublin - he said the request relates to a narcotics investigation - would likely lead overseas law enforcement agencies to seek access to U.S. citizens' e-mails. "If the U.S. government prevails in reaching into other countries' data centers, other governments are sure to follow," he said. "One already is. Earlier this month, the British government passed a law asserting its right to require tech companies to produce e-mails stored anywhere in the world. This would include e-mails stored in the U.S. by Americans who have never been to the U.K."

Smith was referring to the controversial Data Retention and Investigatory Powers Bill, which the U.K. government fast-tracked through Parliament. The new law requires U.K. telecommunications providers to retain information relating to their customers' e-mails, texts and calls for 12 months for potential access by law enforcement and intelligence services.


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.



