Microsoft Dublin Datacenter Case Getting Supreme Court Review
The U.S. Supreme Court today ordered a review of an appellate court's ruling in favor of Microsoft in a search-warrant case involving Microsoft's cloud services.
In July of last year, the Court of Appeals for the Second Circuit determined that Microsoft did not have to turn over e-mails stored at its datacenter in Dublin, Ireland in response to a U.S. warrant. Microsoft had been ordered to turn over the data by authorities pursuing an unnamed person suspected of illegal drug activities. Lower courts had consistently told Microsoft to hand over the data until Microsoft won its appeal last year. Microsoft's appeal had been backed by other cloud service providers, including Apple, AT&T, Cisco and Verizon.
Microsoft's current stance is that "U.S. federal or state law enforcement cannot use traditional search warrants to seize emails of citizens of foreign countries that are located in data centers outside the United States," according to Brad Smith, president and chief legal officer at Microsoft, in an announcement today.
Microsoft also doesn't agree with the government's view that the service provider owns the e-mail data, "which would cause people to lose their rights when they go online," Smith noted.
Current U.S. laws associated with the 1986 Electronic Communications Privacy Act are outdated and inadequate in the cloud computing world, and weren't intended for use outside the United States, Smith contended. For its part, Microsoft is backing a congressional effort to address "cross-border data access" issues. The effort, International Communications Privacy Act of 2017 (S.2986), sponsored in the Senate by Orrin Hatch, defines how such warrants should be processed. It permits search warrants "only if the foreign government does not have a Law Enforcement Cooperation Agreement with the United States or, if it does have such a Law Enforcement Cooperation Agreement, the foreign government does not object to disclosure."
A Law Enforcement Cooperation Agreement means a mutual agreement or treaty, or it can be an executive agreement between the United States and "one or more countries," according to S.2986.
The bill was introduced last year and was referred to the Senate Judiciary Committee. There's also an identical bill in the House (H.R.5323).
Microsoft, being a U.S.-based company, has to follow U.S. laws, but the bill, if passed, would free service providers in general, including Microsoft, from having to side with one government over another in cases where the data are stored abroad, an important consideration for cloud service providers. The bill mostly seems to be a clarifying measure. It seems to streamline search warrants even when the U.S. government doesn't have a Law Enforcement Cooperation Agreement in place with a foreign government, although it's unclear how such warrants would be enforced.
Microsoft regularly complies with U.S. law enforcement requests for domestic data, with some challenges. However, this case could prove important for Microsoft and other service providers to gain trust internationally, especially in Europe, where data sovereignty and privacy issues are more greatly pursued than in the United States.
The case is known as United States v. Microsoft Corp., 17-2.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.