back to article Supreme Court to rule on whether US has right to data stored overseas

The US Supreme Court has agreed to hear a dispute over whether Microsoft should release personal emails stored in Ireland to America's federal government. In 2014, the US Department of Justice took Microsoft to court because the software giant refused to give up emails stored on its data centres in Ireland, which would …

Page:

  1. d3vy

    "This is an important case that people around the world will watch."

    Watch and laugh I expect.

    What do they plan to do if MS say "no you can't have it"... invade?

    1. Throatwarbler Mangrove Silver badge
      Holmes

      Sanction Microsoft in the US, I'd expect.

      1. d3vy

        "Sanction Microsoft in the US, I'd expect"

        Very well and good, but surely the law in Ireland will override that and if that law prohibits the extraction of data to the US* then they cant really do anything...

        * I seriously doubt that there are any laws that prohibit this, if anything I'd expect we** have agreements in place to allow it.

        ** Thats the collective we, Im not in Ireland.

    2. Anonymous Coward
      Anonymous Coward

      Microsoft with this case (and EU law) in mind have already designed their security so that to obtain access to cross border data requires local approval. So if Microsoft US requested say Irish data, and it was illegal under Irish law then the local approver would simply refuse. So even if Microsoft loose, then the DOJ are not likely to get data like this. Also you can bring your own encryption keys that are stored on Thales HSMs that not even Microsoft have access to...

      So worst case they will get fined.

    3. Ian Michael Gumby
      Boffin

      @d3vy ... WTF?

      Seriously you need to think about the issue.

      US citizen data taken offshore to Ireland. This would be similar to either German bank data laws or Swiss Data Laws concerning how to handle data.

      What we should expect is that the rights of the country of origination will prevail.

      Think of it this way. UK data is going to be placed under new rules/regs starting next year. Imagine if Google moved that data in to the US and told you that your data is no longer protected under UK laws because it now resides in the US?

      1. Doctor Syntax Silver badge

        Re: @d3vy ... WTF?

        "US citizen data taken offshore to Ireland."

        Do we know that (a) the data subject is a US citizen and (b) that the email in question did not originate in the EU?

        Do we know why the DoJ didn't use the existing international agreement to get an Irish warrant? Could it be that they don't have a prima facie case that would stand up in an Irish court?

        "Imagine if Google moved that data in to the US and told you that your data is no longer protected under UK laws because it now resides in the US?"

        Then Google could be fined up to 4% of global turnover. It wants to do business in Europe and must, therefore abide by European law - and exactly the same applies to Microsoft.

        1. tfewster
          Facepalm

          Re: @d3vy ... WTF?

          Yep, it's an EU citizen

          https://www.theregister.co.uk/2016/07/14/microsoft_wins_landmark_irish_warrant_case_against_usa/

          And the DOJ have had 3 years to get an Irish warrant, but continued this fight - Which, of course would have put and en to MS & Google cloud services in the EU if the DOJ had won.

          IIRC, in another case Google migrated a US citizens data to Ireland but gave it up to the DOJ as that move was for their convenience rather than to move the data out of US jurisdiction

          1. Adam 1

            Re: @d3vy ... WTF?

            > And the DOJ have had 3 years to get an Irish warrant, but continued this fight

            What is their angle. I would get if it was some backwater country under a military junta every other week, or if it was an openly hostile Iran or North Korea or something, but Ireland? Just fax the form just to them and as long as there are reasonable standards met, the cd with the data will be in the post (metaphorically). You wouldn't tolerate the argument in reverse. That should tell you something.

      2. Aitor 1

        Re: @d3vy ... WTF?

        If you are in Ireland, the irish law should prevail, anything else is ridiculous.

        Same way the other way arround.

        The only thing to consider is that there are agreements to respect each others individuals and companies rights, but no obligations that would trump on local law.

      3. d3vy

        Re: @d3vy ... WTF?

        @Ian

        "US citizen data taken offshore to Ireland. This would be similar to either German bank data laws or Swiss Data Laws concerning how to handle data."

        Where to start?

        First, its not a US citizens data as others have pointed out.

        Second, We are not talking about MS, we are talking about an Irish subsidiary of MS, which is registered and operated from Ireland, For all intents and purposes its an Irish company which happens to be owned by Microsoft (for tax reasons).

        The law of the country where the servers are located trumps the law of where the users originate.

        1. Anonymous Coward
          Anonymous Coward

          Re: @d3vy ... WTF?

          The law of the country where the servers are located trumps the law of where the users originate.

          No such luck. That's actually the main issue with companies hosting their data across the border and then proclaiming they have magically acquired new rights.

          1 - you yourself are still beholden to your local legal system. NOBODY can protect you from that (because if they could they were running an operation that would by definition illegal), so if you get served with a warrant you have to cough up or face the consequences, irrespective of where you have stored your data.

          2 - a business hosting its data abroad will find that their data is still beholden to the laws of where the data originates. That's a frequent mistake made in connection with Switzerland: companies go host there and then loudly proclaim they're safe. Anyone who actually knows the laws involved will always check company ownership first.

          Getting online privacy right requires expertise in multiple disciplines. Few have.

    4. big_D Silver badge

      It isn't a laughing matter. If the US DOJ wins, it means the end of cloud services with a presence in the USA.

      The story is also a little misleading, the problem is that Microsoft USA is refusing to hand over data held on an Irish companies servers (Microsoft Ireland), which is a separate legal entity and beholden to Irish and EU law, which would make it illegal for them to hand over the data without an Irish or EU warrant.

      The whole thing is a farce, there are decades old treaties in place for doing exactly this, the DOJ just needs to work with the Irish authorities and provide the evidence before a court in Ireland and if it has any merit, the Irish court will tell Microsoft Ireland to hand over the data.

      That the DOJ hasn't done this makes it sound like they don't actually have a enough evidence to present to the court to get them to provide a warrant...

  2. Thomas Wolf

    What data did DOJ seek?

    It seems to me that if the DOJ was seeking personal data, access to it should be governed by the person(s) country of citizenship. If it’s any other data, then access to it should be governed by the countries in which the business does business. Seems straight-forward.

    1. aks

      Re: What data did DOJ seek?

      The USA want to be able to fish around in the data, without a warrent.

      Ireland have always offered access once a warrent is issued.

      The USA Supreme Court can decide whatever it likes, but Ireland doesn't have to comply. It's a sovereign country and has it's own laws and Supreme Court.

    2. aks

      Re: What data did DOJ seek?

      They're not after specific data about a specific individual but open access to the servers.

      I wonder whether if the USA Supreme Court decides that any data in the world must be made available to them that they'll have a reciprocal agreement that the Irish, British, Germans, Russians, Chinese have the same rights for data stored in the USA.

      1. Alan Brown Silver badge

        Re: What data did DOJ seek?

        "They're not after specific data about a specific individual but open access to the servers."

        There's the companion thought to this, that the US Ferals are only going for this because they haven't been able to rummage around quietly already.

        Perhaps MS have improved their security.

        1. Anonymous Coward
          Anonymous Coward

          Re: What data did DOJ seek?

          Perhaps MS have improved their security.

          Yeah. Just got a call from Hell, they have some burst water pipes after they froze..

    3. Suricou Raven

      Re: What data did DOJ seek?

      What happens when the business does business in multiple countries, with contradictory laws?

    4. This post has been deleted by its author

    5. Anonymous Coward
      Anonymous Coward

      Re: What data did DOJ seek?

      The DoJ is not really seeking access to that data, that's not their motive. Their aim is to set legal precedent.

      If the DoJ were truly interested in the data itself data they could already have established international mechanisms for law enforcement collaboration. If there was anything to it, MS would have already been served in Ireland with a local warrant and the whole show would have ended there and then as it should, respecting sovereign borders and law.

      Instead, they chose an altogether more precarious route which could have fairly major consequences either way. If the DoJ wins this, it's game over for US service providers trying to sell services in Europe because it destroys the basis for renewing the Privacy Shield concept. I am not saying that I considered that basis valid to start with, but it makes it more clear that it's pure BS.

      1. Suricou Raven

        Re: What data did DOJ seek?

        It's obviously a precedent thing, because after three years I doubt the data is of any value to an investigation.

        I'm surprised they only used a run-of-the-mill drugs case, rather than try to find some juicy child abuse imagery. MS wouldn't wan't to fight that one too hard in court, it's just terrible press.

        1. Anonymous Coward
          Anonymous Coward

          Re: What data did DOJ seek?

          I'm surprised they only used a run-of-the-mill drugs case, rather than try to find some juicy child abuse imagery. MS wouldn't wan't to fight that one too hard in court, it's just terrible press.

          The problem with CP cases is that it tends to push towards an exception status because of all the emotion and politics involved. The fact that the DoJ have indeed avoided that easy route suggests they're seeking to establish a fairly low bar for the international overreach they're trying to engineer.

          In my opinion, if we consider the current makeup of the Supreme Court and the dire state of the US Presidency I reckon the DoJ is going to win this one. If you haven't already (to remove any risk of non-GDPR compliance), I would recommend considering other facilities than, for instance, Microsoft of Google mail - going local instead also leaves some of your money in your own economy.

          In the case of Gmail, the good news is that if you know what you're doing, it's actually cheaper if you have more than 4 members of staff enrolled. Don't know about Microsoft, as we detected alleged "EU only" traffic spooling via US resources we didn't even bother trying any further.

          1. Alan Brown Silver badge

            Re: What data did DOJ seek?

            "I reckon the DoJ is going to win this one."

            If they do, it may trigger electronic trade wars which will have lots of unforseen results.

            Like the USA no longer being the hub of our communications electronic universe(*)

            (*) That's already happening, but the difference will be traffic actively routing _around_ the USA and US_based multinationals being shunned everywhere.

            1. Anonymous Coward
              Anonymous Coward

              Re: What data did DOJ seek?

              If they do, it may trigger electronic trade wars which will have lots of unforseen results.

              I know, that's exactly what is bothering me about this case. I have the impression that either side has set themselves up for an adversarial stance that will result in harm either way, which is why I had assumed this would have already somehow been settled out of sight.

              I would have held a DoJ win for unlikely until the Trump administration started messing with every legal process going and planted their nominee in a Supreme Court position that was left unfulfilled by the previous administration by frankly shocking tactics. Add to that that the Trump administration is not that friendly with Silicon Valley other than for offering service and party contributions and wants to desperately establish a grip on the legal system before the results of the Russia investigation emerge, and I recon this could end badly - with the exact consequences you predicted because the EU is not going to accept that change in law for its citizens.

              That said, there's also a Trump argument for Microsoft winning this, because if MS wins it opens the door for any organisation to put data beyond the reach of US investigators other than by normal international process. Set up a subsidiary abroad and move data there and presto, an end to all those pesky law enforcement investigations. In that case I am bettering Trump Inc would be the first to move, followed by all of Wall Street. You would basically end up legally validating the approach exposed by the Panama Papers.

              Thus, either victory is at its heart rather pyrrhic for the US.

          2. Alan Brown Silver badge

            Re: What data did DOJ seek?

            "Don't know about Microsoft, as we detected alleged "EU only" traffic spooling via US resources we didn't even bother trying any further."

            Google won't offer any guarantees whatsoever that EU data stays in the EU. (in fact they pretty much guaranteed it won't)

            If you have some documented evidence of MS pulling this, then a number of places I know would like to see it.

            1. Anonymous Coward
              Anonymous Coward

              Re: What data did DOJ seek?

              If you have some documented evidence of MS pulling this, then a number of places I know would like to see it.

              I have. Worse, the specific entity involved makes what we found even more egregious - especially since they have so far refused to take any action on these findings on account of senior level Microsoft fandom. We do privacy consulting at quite a deep level, so digging out these sort of issues is pretty much the first thing we teach anyone seeking to franchise what we're doing.

              It is not just Microsoft, by the way. We found fun stuff when examining the service of another alleged "EU based" service of US origin too, but at least that was just an inactive potential.

              Happy to organise a day session for your audience. If I tell you that we scare lawyers with this stuff there will be at least 3 people here who will instantly know who I am :).

    6. veti Silver badge

      Re: What data did DOJ seek?

      What if "citizenship" is part of the data that you're looking for?

      Besides, legal discrimination on grounds of citizenship is unconstitutional in itself. Check the 14th amendment.

      1. Alan Brown Silver badge

        Re: What data did DOJ seek?

        "legal discrimination on grounds of citizenship is unconstitutional in itself. Check the 14th amendment."

        And yet it's not only routine in the USA, it's condoned by most levels of government.

        A bit like the 15th amendment is widely ignored.

  3. Mark 85

    So, if the DoJ wins, than corporations like MS will probably lose customers in Europe and elsewhere ? If MS wins, then they don't lose customers but also don't dare ever to move any data to the US.

    Whatever happened to law enforcement following law. treaty agreements, and practice to get evidence from another country?

    1. A Non e-mouse Silver badge

      It's issues such as this (and the EU ruling that Safe Harbour wasn't very safe) that's prompted companies such as Microsoft to start operating services in Europe via arms length companies. E.g. In Germany, the data centres are run by T-Systems. See Ars.

      1. Anonymous Coward
        Anonymous Coward

        that's prompted companies such as Microsoft to start operating services in Europe via arms length companies. E.g. In Germany, the data centres are run by T-Systems.

        Ah, a couple of caveats here.

        (1) It depends on how the contracts have been structured if that isolation has any actual value (especially since Microsoft vs DoJ may end up rewriting the legal landscape involved)

        (2) As T-Systems is running Microsoft code it probably is exposed via yet-another-zero-day already, either accidentally or deliberately.

        (3) this "isolation" has as yet not been tested in court. At present it's still only theory.

        As stated before, it is in my opinion clear that the DoJ is seeking to set precedent. Once they have that precedent (which is likely unless, of course, the IT industry quickly book lots of the Trump venues that are presently losing business hand over fist*)...

        * You say cynic, I say realist..

    2. Anonymous Coward
      Anonymous Coward

      Whatever happened to law enforcement following law. treaty agreements, and practice to get evidence from another country?

      As soon as the authorities in the US granted themselves free and open access without a warrant to their own citizens data, and they noticed that the UK were doing the same, it seemed only logical to help themselves to anybody's data anywhere in the world.

  4. Christoph

    "We have the legal right to take it because we are the biggest bully in the playground."

    1. bombastic bob Silver badge
      Devil

      "We have the legal right to take it because we are the biggest bully in the playground."

      That's why we have courts, elected legislators, and written constitutions, to put the reigns on an otherwise power-hungry out-of-control oppressive gummint. Mostly it works, but sometimes you end up with cases like THIS one where it's not so clear, and is likely to go too far if you don't stop it NOW.

      HOPEFULLY the Supreme Court "gets it right". This will be a nice test. There are details about this case that I do not know, and no doubt all of that will be included in the decision (which is generally made public).

      From what it sounds like, the D.O.J. is going on a fishing expedition. Otherwise, wouldn't an Irish court tell Microsoft to "cough it up" ? Then this would have been over with and done.

      anyway, the actual decision should be an interesting read.

      1. Charles 9

        Unless the Irish court is not cooperating, in which case it's this way or bust.

        1. Doctor Syntax Silver badge

          "Unless the Irish court is not cooperating"

          I've never read anything which suggested that the Irish courts have ever been approached. There are mechanisms for doing that. If they haven't been used this ought to be a fact to be taken into consideration - was it an oversight on the original prosecutor's part or a lack of a case to be put before such a court?

          If push comes to shove it's unlikely that the Irish courts are going to be receptive to attempts to go above their heads and trample on Irish sovereignty.

      2. big_D Silver badge

        This case is very clear. The data is held in Ireland and subject to Irish law and there have been treaties in place for decades to allow the DOJ to apply for access to the data.

        The DOJ said screw that, we don't have enough to get a warrant, so we'll force Microsoft to break the law.

  5. oiseau
    Flame

    If it's in Ireland ...

    I'm not a lawyer, much less a person knowledgeable in constitutional matters and could be simplifying things a bit, but ...

    Isn't this an issue where just plain common sense applies?

    You see, unless I missed something really important recently, Ireland is still a sovereign state.

    I really cannot see what in f*cks' name the US Supreme Court has to do with respect to whatever goes on in Ireland.

    Isn't it enough with the crap they deal/have dealt to their own citizens at home?

    I think that if the servers are located in Ireland and belong to a company working in Ireland, under Irish law and Irish regulations, I'd say that the servers (and whatever is held inside them) fall exclusively under Irish jurisdiction.

    More so if the 'whatever' held in the servers belongs to Irish citizens.

    All this unless some Irish court decides otherwise (which I think is a bit of a strech) or there's already a provision in place for events such as this.

    It's not impossible, strange things happen these days.

    It could also be that MS backs up their overseas servers in US facilities and this is so, then it would seem to be another matter altogether.

    Cheers.

    1. Anonymous Coward
      Anonymous Coward

      Re: If it's in Ireland ...

      In this case yes.

      The other Google case is less clear. The data was uploaded by a US customer to Google in the USA who happened to ship it around the world to different data centers for load balancing / cost saving / redundancy reasons that the user had no idea about. When a warrant was served the data happened to be outside the USA so they refused the warrant.

      Does this mean that the US have to get a warrant for where the data is at exactly that time?

      If Google move the data between the warrant being issued and executed is that contempt?

      Does Google have to inform the US DOJ everytime data is moved?

      Does Google have to get an export license every time it moves US customer data?

      Can users store different bytes of the data stream in different countries to stop any investigation?\

      Do you feel the same about any of the above if the "customer" is Enron or GoldmanSachs rather than Wikileaks?

      1. Anonymous Coward
        Anonymous Coward

        Re: If it's in Ireland ...

        The other Google case is less clear. The data was uploaded by a US customer to Google in the USA who happened to ship it around the world to different data centers for load balancing / cost saving / redundancy reasons that the user had no idea about. When a warrant was served the data happened to be outside the USA so they refused the warrant.

        Ah, but this is one of the gotcha's of most Data Protection laws. If you are an entity in country X and you elect to store your data in country Y, your data is actually considered still to be under the jurisdiction of country X. You can only affect that "connection" if you create a separate legal entity/subsidiary in country Y which hosts that data, that's the first layer of isolation. This is also why Microsoft GERMANY (or any other non-US subsidiary) should host data with T-Systems, not MS US.

        But that's not where legal leverage ends, so I'm watching this case with interest. Its outcome will tell us a lot about the current state of US law. At present, it's not looking good.

    2. Cynic_999

      Re: If it's in Ireland ...

      "

      You see, unless I missed something really important recently, Ireland is still a sovereign state.

      I really cannot see what in f*cks' name the US Supreme Court has to do with respect to whatever goes on in Ireland.

      "

      It is Microsoft, a U.S. company that has been ordered to provide the data. The question is a valid one - does US law apply to data that is being held by a U.S. company, even if that data is physically located elsewhere?

      The fact is that Microsoft U.S. could tell its Irish office to send over the data, and the Irish office could hardly refuse to obey an instruction from head office. That's assuming that nobody in Microsoft U.S. has admin access to the Irish servers and so could just help themselves if they were so inclined.

      1. Orv Silver badge

        Re: If it's in Ireland ...

        Yes, exactly. It's tricky because there's potential for mischief on both sides. If it's ruled that the US can't get access to the data, every major corporation that's engaging in shady practices will move their email servers offshore, making their email correspondence unavailable as evidence in US investigations and trials. It'll be a lot like hiding money in foreign bank accounts.

        1. Doctor Syntax Silver badge

          Re: If it's in Ireland ...

          " If it's ruled that the US can't get access to the data"

          There are existing procedures, internationally agreed, for getting this by applying for a warrant in Ireland. For reasons best known to themselves the US have decided to to use this.

          Was it ignorance of the availability of this route by whoever started this, or arrogance or indolence, then coupled by an unwillingness to retreat? Or did they not have sufficient cause to apply for a warrant and have decided to trample Ireland's sovereignty to make up for it?

          Ideally the Supremes will simply tell the DoJ to go and use the existing procedures. If they don't then it will become more and more difficult for data-hungry US corporations to do business with the rest of the world.

          1. Anonymous Coward
            Anonymous Coward

            Re: If it's in Ireland ...

            For reasons best known to themselves the US have decided to to use this.

            I presume you mean declined :)

            Was it ignorance of the availability of this route by whoever started this, or arrogance or indolence, then coupled by an unwillingness to retreat?

            I think the reasons are far more nefarious, and this started to surface with DoJ vs Apple. It appears that people high up at the DoJ appear to have decided that they are better placed to write law than Congress, so they are attempting to rewrite law via precedent.

            In "normal" circumstances I would expect the Supremes to slap this down with a handbag (They're the Supremes, after all), but their makeup (sorry) as well as the Presidency have made some unprecedented shifts which may result in decisions that break the traditional separation of justice and politics. I am a lot less certain of the outcome as I would have been under the previous presidency.

        2. oiseau
          Stop

          Re: If it's in Ireland ...

          "It'll be a lot like hiding money in foreign bank accounts."

          Hmmm ...

          Yes.

          Like it is not something that has been happening (at least) since the mid 1940's.

          And as of late, has anyone heard of the 'Panama Papers' thing?

          *Every* major transnational corporation does it (hiding money) and has been doing it for ages.

          Of course, the hidden data associated to this practise is *also* hidden and/or moved around.

          But, you surely understand that it's not *them* they are after.

          Cheers.

      2. DavCrav

        Re: If it's in Ireland ...

        "The fact is that Microsoft U.S. could tell its Irish office to send over the data, and the Irish office could hardly refuse to obey an instruction from head office."

        I'm sorry? So if head office says "go out and kill a bunch of people", you could hardly refuse it? If it is a crime in Irish law, I would imagine that excuse won't go down well in their court.

        "That's assuming that nobody in Microsoft U.S. has admin access to the Irish servers and so could just help themselves if they were so inclined."

        If they want to commit a crime in Ireland then that's their business. Accessing a computer to perform illegal acts is still a crime. Whether the US would extradite is one thing, but local Microsoft employees would be in the dock for abetting a crime.

      3. Anonymous Coward
        Anonymous Coward

        Re: If it's in Ireland ...

        "The fact is that Microsoft U.S. could tell its Irish office to send over the data, and the Irish office could hardly refuse to obey an instruction from head office"

        On the contrary, local employees would be expected to refuse a request if it in anyway risked contravention of local laws. It's illegal to ask an employee to break the law. And there would be little Microsoft US could do about it unless they want to break EU employment laws and pay out compensation. And still not get the data.

        1. d3vy

          Re: If it's in Ireland ...

          "On the contrary, local employees would be expected to refuse a request if it in anyway risked contravention of local laws. It's illegal to ask an employee to break the law. And there would be little Microsoft US could do about it unless they want to break EU employment laws and pay out compensation. And still not get the data."

          This actually follows on nicley from a comment I just posted about MS ie being a seperate legal entity.. it has its own directors who are legally responsible for ensuring that MS IE does not contravene any laws... If they just handed the data over without a valid warrant the Management of MS IE could be looking (at best) at a hefty fine or (at worst) prison time.

      4. Alan Brown Silver badge

        Re: If it's in Ireland ...

        "The fact is that Microsoft U.S. could tell its Irish office to send over the data, and the Irish office could hardly refuse to obey an instruction from head office. "

        They can if it's illegal under irish law.

        Head office might rail about it, but if they sack the refusniks they'll not only be in trouble for attempted illegal activities, they'll also be in deeper trouble for unjustified dismissal.

      5. Red Bren

        Re: If it's in Ireland ...

        "The fact is that Microsoft U.S. could tell its Irish office to send over the data, and the Irish office could hardly refuse to obey an instruction from head office."

        If the US parent company instructs its offshore subsidiary to break local law, wouldn't the local management threaten to resign, sue for constructive dismissal and inform the local authorities? It would then be difficult for the parent company to find new management, when their first task would be to break the law while the local authorities were watching.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like