0 Members and 2 Guests are viewing this topic.
By Woody LeonhardMicrosoft is currently fighting a federal search warrant demanding that the company release emails stored in Ireland.Here's why you should be extremely concerned by a U.S. court's actions — and what you can do about it.I'll start with a brief history of the case.In December 2013, having been shown probable cause, Magistrate Judge for the Southern District of New York James Francis issued a search warrant ordering Microsoft to disclose the contents of a specific @msn.com email account. (A copy of the warrant and related documents discussed below are posted on the Electronic Frontier Foundation's site.)While preparing to comply with the warrant, Microsoft discovered that only the account holder's name, email address, country, and similar information were stored in Microsoft's U.S.-based servers. The true subjects of the search — the emails — actually sat in a server in Dublin, Ireland (most likely because the person who set up the account told Microsoft that he or she lived outside the U.S.).As required by the warrant, Microsoft disclosed the details of the account to federal investigators/attorneys — but it refused to divulge the content of the emails because, according to Microsoft, it was outside the jurisdiction of U.S. courts.Microsoft filed a motion to quash, but on April 25, Judge Francis denied the motion (EFF posting).Microsoft then appealed (EFF posting), stating in effect that a U.S. magistrate judge didn't have authority to issue a search warrant for items stored overseas. The introduction to Microsoft's appeal stated:"The Magistrate Judge issued a warrant under the Electronic Communications Privacy Act (ECPA) that, on its face, purports to authorize the Government to search any and all of Microsoft's facilities worldwide. … Congress has not authorized the issuance of warrants that reach outside U.S. territory."At that point, an array of companies and organizations — the Electronic Frontier Foundation, Verizon, AT&T, Apple, Cisco, and Infor, among others — filed amicus briefs supporting Microsoft's position. U.S. Attorney Preet Bharara weighed in (EFF posting) for the government's side.In late July, District Court Judge Loretta Preska turned down Microsoft's appeal (Reuters report) and held Microsoft in contempt for refusing to comply with the search warrant. In its forceful reply (EFF posting), Microsoft stated that private, locked emails were the property of the company's customers — not Microsoft. The emails were protected by personal-privacy rights. It went on to say:"If this Court rules that the U.S. Government may unilaterally reach into foreign countries and expose their citizens' personal digital letters, the United States and its citizens cannot complain when foreign governments do the same to email content stored here."In November, Apple, Oracle, IBM, HP, and other organizations with irons in the same online-data fire petitioned the European Union for help. Ireland, which obviously should have some say in the matter, specifically asked the European Commission to file a brief supporting Microsoft's appeal, according to a MerrionStreet report. That article quotes Irish European Affairs and Data Protection Minister Dara Murphy:"By seeking direct access to data held in the E.U. through the U.S. judicial system, existing legal mechanisms for mutual assistance between jurisdictions may be being effectively bypassed. There are fundamental issues at stake here as regards the protection of personal data that is held within the European Union."On Dec. 8, Microsoft took its appeal up the ladder to the U.S. Second Circuit Court, where the case stands for now. It could eventually end up in the U.S. Supreme Court.What this conflict means to U.S. citizensMany Americans might view this case as primarily an issue for Europeans. But that's far from the case. In a Dec. 8 blog post, Microsoft General Counsel Brad Smith adroitly turned the problem around — what if German authorities targeted an American citizen who stored personal information in a U.S.-based German bank? His example:"Imagine this scenario. Officers of the local Stadtpolizei investigating a suspected leak to the press descend on Deutsche Bank headquarters in Frankfurt, Germany. They serve a warrant to seize a bundle of private letters that a New York Times reporter is storing in a safe deposit box at a Deutsche Bank USA branch in Manhattan. The bank complies by ordering the New York branch manager to open the reporter's box with a master key, rummage through it, and fax the private letters to the Stadtpolizei."The Microsoft warrant brings up numerous long-term implications. For example, if the Feds prevail, what would stop a judge outside the U.S. from compelling Microsoft to hand over the contents of your Outlook.com account? Citing the Microsoft case, could officials in, say, Singapore, South Korea, Taiwan, or any other country you care to name force Apple into recording your iPhone conversations?In other words, are you willing to subject yourself to any analogous "probable-cause" requirement issued by any country on the planet?In my opinion — and the opinion of many others who value privacy — that way lies madness. Even given the constitutional complexities of the case — which Orin Kerr explains in detail in a Washington Post article — the net result is another self-inflicted wound for the U.S.What might be the proper process for obtaining evidence from offshore servers? Perhaps something similar to the legal remedy for suspected criminals who flee the U.S. — an extradition request to the foreign government.A potential sucker punch for American businessesOne of the hotly debated, potential consequences of the Microsoft warrant is its effect on global businesses based in the U.S. For example, a final court decision that goes against Microsoft could drive Europeans to use E.U.-based email services. European privacy laws are almost universally stricter than their U.S. equivalents.Based on the Snowden revelations, it seems obvious that the Feds have already shown a crass disregard for the rights of all non-American citizens, further alienating potential customers for U.S.-based Internet services. A judgment against Microsoft would only add fuel to the fire.Some non-U.S. companies are already challenging international businesses such as Microsoft and Apple. Germany's Deutsche Telekom, for example, is expanding its local Web-services offerings. According to a European Communications report, the company announced a partnership with Cisco, stating, "We will be able to offer simple and cost-effective cloud services in compliance with our strict data protection regulations in Germany and Europe."Whatever legal arguments U.S. courts eventually apply, the decisions most likely won't take global data-security trends into consideration. Governments all over the world are adding regulations designed to keep local data local. A judgment against Microsoft will only accelerate that trend.What you can do to call off the data dogsAs is too often the case lately with broken policies, the right path to clarifying stored-data security is not with the courts but with the U.S. Congress. Specifically, it should make changes to the Stored Communications Act, 18 USC 2703. In his Washington Post article, Orin Kerr puts it this way:"In a perfect world, I think the statute would distinguish between people in the U.S. who use U.S. providers that just happen to store their contents on servers abroad (those e-mails should be obtainable with a U.S. warrant) and people abroad whose providers store e-mails abroad but also have an office in the U.S. (those e-mails should be obtained through MLATs [the usual process whereby the U.S. government requests assistance from another government]). The current statute doesn't draw that line. But I think it should."There's no direct way, short of hoisting a picket sign and marching in front of the Second Circuit courthouse, that typical computer users can make our opinions known to the judiciary — but there are other avenues to express your views.First, get the word out to others you know. I'm amazed at how many people read the headlines, see that Microsoft is fighting for data privacy, then scoff and move on to the next story. This is an important issue — right up there with net neutrality — that should be discussed and understood by everyone who uses email.Second, if you're a U.S. citizen, notify your congresspersons. The Senate website has complete instructions for emailing or snailmailing senators; the House site has help for finding your congresscritter. Also, the sites for specific representatives usually include links for sending email.When you write, tell your congressional representatives that you're disturbed by the course of Second Circuit case 14-2985-CV. Tell them that they should consider amending 18 USC 2703 to clearly delineate the legal distinctions of domestic and international email. You can point to Orin Kerr's aforementioned article — or to this one.If you've been following my writings over the years, you know I'm quick to call out Microsoft for all sorts of misdeeds. In this case, however, I strongly support the company's stand.