Microsoft Defending Data Privacy

In 2013 Microsoft were issued a Search and Seizure Warrant for data associated with an e-mail address. Microsoft’s GCC (Global Criminal Compliance) team responded with data that was collected from US systems, but refused to disclose data that was located on servers hosted by an Irish Microsoft entity on systems physically located in Ireland. Microsoft and the Department of Justice now wait for the Supreme Court to decide who was right.

Microsoft contested the warrant, wanting to avoid being compelled to fulfill the search and seizure.

Whilst the United States District Court for the Southern District of New York reaffirmed the warrant, the United States Court of Appeals for the 2nd Circuit agreed with Microsoft and annulled the warrant.

The Department of Justice, however, insisted on the legality of the warrant and asked the United States Court of Appeals for the 2nd Circuit for a rehearing. When this was rejected, the Department of Justice petitioned the Supreme Court for a review.

Presently, we are waiting for the Supreme Court to review the case in February 2018.

Arguments

The Department of Justice believes that the 1986 Stored Communications Act (Wikipedia, Federal Privacy Council) allows it to issue search and seizure warrants for data held by a company – regardless of whether this data is located in the United States or not.

Provided that the company being issued the warrant is within the United States, and that this company has technical control over the data being sought, the company has no grounds for objecting to the warrant.

“It has long been the law that a subpoena requires the recipient to produce information in its possession, custody, or control regardless of the location of that information.”

“Neither may the witness resist the production of documents on the ground that the documents are located abroad. The test for production of documents is control, not location.”

“If the party subpoenaed has the practical ability to obtain the documents, the actual physical location of the documents – even if overseas – is immaterial.”

Furthermore, the Department of Justice thinks that:

“… a search occurs when information from or about the data is exposed to possible human observation, such as when it appears on a screen, rather than when it is copied by the hard drive or processed by the computer.”

“In this case, no such exposure takes place until the information is reviewed in the United States, and consequently no extraterritorial search has occurred.”

Consequence

The 2014 judgement by the United States District Court for the Southern District of New York observed that:

“Moreover, Google has reportedly explored the possibility of establishing true “offshore” servers: server farms located at sea beyond the territorial jurisdiction of any nation.”

You can find the full paper by Steven R. Swanson on SSRN.

Google might just have been thinking about cheap power and cooling (the above article predates the warrant by about 2 years), but the possibility of foreign powers invading each other’s data sovereignty was enough to motivate some actors into action.

Microsoft may not have taken to the seas, but did eliminate the one thing that exposes them to the Stored Communications Act: “control regardless of the location”.

On Sept. 21st, 2016, Microsoft announced that they are offering European customers:

“… a physically and logically separate cloud instance with customer data remaining in Germany under the management of a data trustee.” (source)

“Customer data in these new datacenters, in Magdeburg and Frankfurt, is managed under the control of a data trustee, T-Systems International, an independent German company and subsidiary of Deutsche Telekom.” (source)

So regardless of whether the Supreme Court upholds the United States Court of Appeals for the 2nd Circuit’s decision to vacate the warrant, or whether it upholds the warrant issued by the United States District Court for the Southern District of New York, in both cases Microsoft wins.

Perhaps motivated by similar concerns, customers and partners have worked with Qualys to put in place similar services: “Airbus Defence and Space introduces vulnerability and compliance analysis service” (source).

Timeline

Dec. 4th, 2013: Warrant issued to Microsoft by United States District Court for the Southern District of New York (source).

Apr. 25th, 2014: Motion to quash warrant denied by United States District Court for the Southern District of New York (source).

Jun. 6th, 2014: Microsoft object to United States District Court for the Southern District of New York’s decision (source).

Jul. 9th, 2014: Department of Justice file in favor of upholding warrant and United States District Court for the Southern District of New York’s judgement (source).

Jul. 24th, 2014: Microsoft respond to Department of Justice filing to United States District Court for the Southern District of New York (source).

Dec. 8th, 2014: Microsoft motion for reversal of United States District Court for the Southern District of New York’s judgement (source).

Mar. 9th, 2015: Department of Justice brief United States Court of Appeals for the 2nd Circuit in favor of affirming United States District Court for the Southern District of New York’s judgement (source).

Jul. 14th, 2016: United States District Court for the Southern District of New York’s judgement reversed and warrant quashed by United States Court of Appeals for the 2nd Circuit (source).

Oct. 13th, 2016: Department of Justice petitions United States Court of Appeals for the 2nd Circuit for a rehearing (source).

Jan. 24th, 2017: Department of Justice request for rehearing rejected by United States Court of Appeals for the 2nd Circuit (source).

Jun. 17th, 2017: Department of Justice petitions Supreme Court (source).

Oct. 16th, 2017: Supreme Court agrees to review case (source).

Dec. 20th, 2017: Supreme Court schedules argument for Feb. 27th, 2018 (source).

Jan. 11th, 2018: Microsoft submit brief to Supreme Court (source).

Further Reading

See the French CEIS whitepaper “USA V. Microsoft : quel impact ?”.


Image credit: @ceis_strat on Twitter.