Law's changed, now cough up: Uncle Sam serves Microsoft fresh warrant for Irish emails

The US government has issued Microsoft with a new warrant to get access to emails held on the firm's Irish servers, while asking the Supreme Court to dismiss the existing legal battle. The long-running wrangle began back in 2014, when Microsoft was taken to court by American prosecutors who wanted access to suspects' emails …

  1. Snorlax Silver badge

    Next step?

    MS asks the Supreme Court to rule on the constitutionality of the Cloud Act?

    Unlikely to get anywhere, but a stalling tactic nonetheless...

    /off to read the Cloud Act

    1. Charlie Clark Silver badge

      Re: Next step?

      I suspect trying to apply it retroactively is enough to get it thrown out of most courts.

      OTOH Trump has just made himself wide open to the next "Benghazi" because the new law will also allow non-US spooks access to data held on servers in the US. What could possibly go wrong? Okay, those provisions will probably be thrown out on constitutional grounds because of the protection that the US constitution offers to US citizens (the rest are just "aliens" and fair game for spooks, scammers, etc.).

      1. Paul Hovnanian Silver badge
        Devil

        Re: Next step?

        "I suspect trying to apply it retroactively is enough to get it thrown out of most courts."

        Ex post facto laws are in fact banned. But I suspect (and IANAL) that this would apply to data stored overseas going forward from the date of passage. No penalties for past refusal to comply with a warrant. But from here on out; hand it over.

        Devil, because that's where the details lie.

        1. Androgynous Cupboard Silver badge

          Re: Next step?

          > Ex post facto laws are in fact banned

          Not if you're HMRC

    2. Dan 55 Silver badge

      Re: Next step?

      Here's a summary of the Cloud Act so you don't have to read it:

      All your data are belong to US.

      1. Swiss Anton

        Re: Next step?

        "All your data are belong to US"

        Until we sell it on for a profit.

      2. Uffish

        Re: Cloudy

        All your data are belong to US, says US.

        There, I've put that in a wider context for the benefit of US administration types.

  2. aks

    I assume that the Irish government will still refuse to let the USA have direct access to servers in Ireland.

    A search warrant against specific individuals or countries causes no problem for the Irish. It's the direct access they object to, allowing the USA to use 'big data' methods.

    1. Anonymous Coward

      I assume that the Irish government will still refuse to let the USA have direct access to servers in Ireland.

      Why do you assume that? I don't.

      So long as US businesses have the Irish government on a short leash, courtesy of the liberal application of tax laws, the Irish gubbermint will do whatever US big-tech tells them. In this case, it'll be "do as the MIB say", because that gives people like Apple a "get out of jail free card".

      1. Doctor Syntax Silver badge

        "So long as US businesses have the Irish government on a short leash, courtesy of the liberal application of tax laws"

        Well, this allows the EU to impose what's effectively a 4% global turnover tax on US companies. That probably far exceeds anything they'd have taken via a withholding tax on EU turnover.

    2. Oh Homer
      Mushroom

      Violation of national sovereignty

      The ramifications of this go far beyond mere data protection. The US is, in effect, claiming sovereign rights over another nation. Frankly I don't think it's an overstatement that this is tantamount to a declaration of war. This is not America. You don't get to do just anything you like in our country.

      American hegemony is not exactly new, but rarely is it this brazen.

      If you're an American citizen or company operating in our country, then you are governed by our laws. If you or your government dispute this, then you need to leave. Period.

      1. Joe Montana

        Re: Violation of national sovereignty

        They're not claiming rights over another nation, they are claiming rights over data which is privately held by a subsidiary of a US corporation that just happens to be located in another country.

        If the data was held on a server belonging to an Irish company then the US would have no way to demand the data, and would need to apply for an order through the Irish court system.

        The fact is while Microsoft employees in Ireland are not directly answerable to the US government, they are answerable to senior Microsoft employees based in the US who in turn are answerable to the US government.

        Employees working for an entirely Irish owned company with no US parent company would not be answerable to the US government at all, and could only be compelled to perform any action by Irish or EU governments and courts.

        If you're concerned about foreign governments interfering in your business, then support local businesses and only worry about your own government (which you can't avoid anyway, and theoretically have some control over).

        1. big_D Silver badge
          Facepalm

          Re: Violation of national sovereignty

          @Joe Montana the data is on a server on Irish soil, owned and run by an Irish company, which just happens to be a subsidiary of a US company.

          And regardless, the data is in Ireland and falls under EU and Irish law. If Microsoft US hands over the data, the board of Microsoft Ireland could face large fines and imprisonment for breaking data protection laws. Microsoft Ireland cannot hand over the data to a US organisation or US law enforcement without the written permission of all identifiable persons in the communications (if they are EU citizens) or a valid EU / Irish issued warrant.

          So Microsoft US executives face imprisonment and fines if they don't hand over the data and Microsoft Ireland (a separate entity) face imprisonment and fines if Microsoft US does hand over the data.

        2. Anonymous Coward

          Re: Violation of national sovereignty

          "They're not claiming rights over another nation, they are claiming rights over data which is privately held by a subsidiary of a US corporation that just happens to be located in another country."

          You actually believe that? It's data which is not owned by a US company and it's not in the US.

          That's the definition of claiming rights over another nation. Even if you are not admitting it: That's irrelevant.

        3. Tom 38

          Re: Violation of national sovereignty

          The fact is while Microsoft employees in Ireland are not directly answerable to the US government, they are answerable to senior Microsoft employees based in the US who in turn are answerable to the US government.

          In most countries, working for a company doesn't mean that you are obliged to break the laws of your country because your superiors abroad order you to.

      2. It wasnt me

        Re: Violation of national sovereignty

        Exactly. Can we pass a law in Westminster saying that our citizens can help themselves in US shops? Or that a speed limit of 70 mph applies on US motorways to English people? I don't get the difference with what the merkins are doing.

        By the way, I like the way you ended your post with 'period'. Very USA'ish. Full stop.

        1. wallaby

          Re: Violation of national sovereignty

          "Can we pass a law in Westminster saying that our citizens can help themselves in US shops? Or that a speed limit of 70 mph applies on US motorways to English people?"

          I think we should

          the US embassy in London refused to pay the congestion charge on the grounds of diplomatic immunity, but UK embassy staff in the US don't have that luxury as they have to pass through toll booths.

          Data held in servers in the EU should be subject to EU law only - but in reality we know that the US will never respect that nor any other laws that they don't pass.

      3. Muscleguy

        Re: Violation of national sovereignty

        Remember the US is the country which granted itself the right to invade The Hague should any US citizen be arrested by the ICJ. Thinking they can do what they like in the world is par for the course.

        See also Trump pre election thinking he could use compulsory purchase to acquire neighbouring properties for his Aberdeenshire golf resort. You can do that in the US but not here in Scotland.

        Then there's that TV series where an FBI unit is allowed to travel the world with weapons and arrest/shoot/kill bad guys in other people's countries. That is just 'Merican wish fulfilment wet dream fantasy.

        If that is their cultural reference this is little surprise. The EU equivalent with Donald Sutherland is much more realistic in terms of jurisdictional issues.

      4. jchevali

        Re: Violation of national sovereignty

        Ireland can't fight this. If they do, the tiniest US nuke could blow them up in a second.

        Ireland could fight this by allying themselves with China, whom the US can't defeat, but if they do, next step is for China to demand all data held in Ireland, so they're not going to be any better off.

        Ultimately the only recourse to the pious people of Ireland is that the Lord in his infinite mercy may grant them an afterlife where they'll not be so weak and abused by other nations. I pray for that.

    3. Velv

      I assume that the Irish government will still refuse to let the USA have direct access to servers in Ireland.

      Isn’t part of the problem that the US hasn’t even bothered to ask Ireland for access?

  3. Anonymous Coward
    Big Brother

    Cloud Act ?

    They should have called it the : Amuricah World Police F*ck Yeah ! Act...

    1. Yet Another Anonymous coward Silver badge

      Re: Cloud Act ?

      Or the "American companies all banned from operating in Europe" act

      1. This post has been deleted by its author

    2. John Smith 19 Gold badge
      Gimp

      "They should have called it the : Amuricah World Police F*ck Yeah ! Act..."

      But that would have ruined the apparently user friendly (but deeply citizen unfriendly) backronym.

      So it's no longer safe dealing with US subsidiaries if you want your data secure.

      Don't deal with US companies for data storage or transmission at all.

      1. Yet Another Anonymous coward Silver badge

        Re: "They should have called it the : Amuricah World Police F*ck Yeah ! Act..."

        Not just if you want your data secure.

        Don't deal with American companies if you don't want your users to sue you and your directors to go to jail

        1. Martin 47

          Re: "They should have called it the : Amuricah World Police F*ck Yeah ! Act..."

          That includes Windows, your data may be on your PC in a foreign (i.e. non American) country but Microsoft still has access to it so can, it appears, be legally forced to hand it over.

          So nothing new there then

        2. Anonymous Coward

          Re: "They should have called it the : Amuricah World Police F*ck Yeah ! Act..."

          Don't deal with American companies if you don't want your users to sue you and your directors to go to jail

          starts looking for American companies to deal with

          They should have given me that pay raise

        3. Doctor Syntax Silver badge

          Re: "They should have called it the : Amuricah World Police F*ck Yeah ! Act..."

          "Don't deal with American companies if you don't want your users to sue you and your directors to go to jail"

          Or be fined board-visible amounts.

    3. Chronos

      Re: Cloud Act ?

      America Rogering Someone Else, AKA ARSE Act.

      MS are between a rock and a hard place. Uncle Sam says they must, Europe and Ireland say they must not. It's not often I feel sorry for the Redmond land sharks but this time? I can't see a way they can obey either without falling foul of the other.

      In other news, several imps have perished due to the unusual cold spell in Hades.

      1. big_D Silver badge

        Re: Cloud Act ?

        Exactly Chronos.

        If the CLOUD Act holds up to scrutiny, companies with a US presence will have to decide, whether they want executives in the USA to face fines and imprisonment or executives in Europe to face fines and imprisonment...

        The Microsoft model for data centers in Germany will be interesting, going forward, they are owned and run by T-Systems on Microsoft's behalf. MS don't get any physical or electronic access to the datacenter or the information in it, they have to request it from T-Systems and the DoJ would still need a European warrant to get access, just like they did before the CLOUD Act.

        1. Yet Another Anonymous coward Silver badge

          Re: Cloud Act ?

          Except if the CLOUD act forces them to do anything to obtain the data. So the German owned MSFT data center can no longer accept any Windows updates or Intel CPUs in case they contain an official trojan

        2. Anonymous Coward

          Re: Cloud Act ?

          Seems to me to be more "F*king over American CLOUD companies act"

          If I was holding personal data (And a lot of companies are), I certainly wouldn't put it in a cloud that could be read by the FBI at a whim.

      2. Anonymous Coward

        Re: Cloud Act ?

        I wonder what would happen if Microsoft were to announce it was moving its HQ to Ireland and becoming an Irish company?

        Should make for an interesting US congressional election season if they did.

        1. Charles 9

          Re: Cloud Act ?

          They may also intervene. Remember, Microsoft is publicly traded, meaning the SEC can get involved.

    4. Scroticus Canis

      Re: Cloud Act ? ... F*ck yee-haa ...

      FTFY

  4. Anonymous Coward

    It would appear that the DoJ are trying to add the case in retrospect. The law wasn't there when the case started therefore they shouldn't be able to apply the law retrospectively.

    Oh, sorry I forgot this is in the US that thinks it rules the world and makes laws that overrule the laws in sovereign countries.

    1. bombastic bob Silver badge
      Meh

      "It would appear that the DoJ are trying to add the case in retrospect"

      actually no. it's a new action related to an old case.

      I think everyone knew this was coming. Now Micro-shaft can say "we tried" and make themselves APPEAR as if they care about user privacy. But, based on EULAs and actual BEHAVIOR, they obviously do NOT.

      1. Aladdin Sane

        They do care, when it affects their bottom line.

      2. Charlie Clark Silver badge

        it's a new action related to an old case.

        Which makes it different to retrospective in what way exactly? It would set a very dangerous precedent if it succeeds. I would not be in the least surprised if the most conservative judges come down the hardest on this aspect. Will be fun to see Trump moan about judges he picks but can't sack.

      3. John Brown (no body) Silver badge

        "actually no. it's a new action related to an old case."

        ...but referencing the same warrant, not a new one. Although they are claiming that the CLOUD Act negates the need for a warrant. It's all moot anyway as they already have a legal, treaty based method to get the data. This is all about getting around the treaty method of requesting specific data in relation to specific evidence and trying to get unrestricted access to anything they feel they might want to grab.

        1. PeterGriffin

          I think that is exactly what they are attempting to do. Should they have a valid need for the data they could issue a warrant in Ireland for the data. They haven't. This either means they don't have a valid need for the data or they wish to set a precedent to circumvent international treaties and access any data they wish without appropriate oversight.

          Microsoft will resist and Google and Amazon should be trying to assist them otherwise no one in their right mind will be looking to buy cloud storage or compute services from an American based company.

    2. JimC

      Retrospective - Muddled thinking

      There's nothing retrospective going on at all. They are making a request in the present for something that exists in the present.

      Retrospective would be fining Microsoft for not handing over the data before the new law came into force. Now the new law is in force companies and people are now required to comply with it.

    3. Dal90

      It's not retroactive.

      It's a new warrant, under a new law.

      If they are quibbling about warrants, there was never a "case" that went to trial. So there is no violation of double jeopardy.

  5. Rob D.

    Responding ...

    Countries or regions like the EU with an interest in protecting individual privacy, will rule that for a cloud provider to hold data on individuals there must be regional or country bound stewardship of the data where the cloud provider is able to enforce local protections (such that CLOUD Act warrants cannot be served because the data is not under the control of an entity affected by such a warrant).

    Countries or regions with an interest in extending access to information for government organisations will apply reciprocal arrangements so that, for example, if a cloud provider wishes to operate in the region, they must provide access to any data under their control whether in the region or not.

    IANAL and some of this probably already exists, but this does seem like an awfully big can of worms to write in to the US legislative framework.

    1. big_D Silver badge

      Re: Responding ...

      The current laws already state that. The data cannot be transferred out of the EU (unless the destination land has equivalent levels of data protection or things like Privacy Shield being an exception) and cannot be handed to third parties, including legal authorities, without a valid EU issued warrant.

      That means it would be illegal for Microsoft US to hand over the data under the CLOUD Act and would leave Microsoft Ireland in a very sticky situation.

      1. Anonymous Coward

        Re: Responding ...

        Current laws already state that. I know for certain of at least one company, and suspect several more, knowingly breaching that law. The company I know of was audited by the FCA and given a clean bill of health. The FCA simply looked the other way when it came to cloud data storage....

        So the law is worth exactly the paper it is written on.

  6. ratfox

    The case against multinationals

    Slowly but surely, the only option left to EU governments to implement the privacy protections guaranteed by their own laws will be to demand that private data must be held in European data centers operated by independent European companies, which have no need to obey US demands. I'm not sure they will go that far, or that they care enough about our privacy...

    1. John Brown (no body) Silver badge

      Re: The case against multinationals

      which makes Office365 and Google Documents, as used by governments, a bit of an embarrassment when it turns out the USG can slurp it all when they feel like it.

      Some while ago, we got a company wide memo reminding all staff, sales people in particular, to NOT use Google docs etc for business related activities.

  7. adam payne

    "Microsoft no longer has any basis for suggesting that such a warrant is impermissibly extraterritorial because it reaches foreign-stored data, which was the sole contention in its motion to quash... There is thus no longer any live dispute between the parties, and the case is now moot."

    You can not pass laws in your own country and expect all other countries to follow your laws. Sorry but it doesn't work that way. That law doesn't apply to a different country.

    Anyone would think they passed this law to get back at Microsoft.

    1. Daniel von Asmuth
      Alien

      Extraterrestrial clouds

      The government is "unquestionably entitled" to all information stored or transmitted anywhere, rendering moot the word 'extraterritorial'; for the time being this does not apply to extraterrestrial space beyond reach of U.S. missiles and rockets.

      1. Destroy All Monsters Silver badge

        Re: Extraterrestrial clouds

        "for the time being this does not apply to extraterrestrial space beyond reach of U.S. missiles and rockets."

        "There is only little galaxy you have missed ...."

        1. Stevie

          Re: Extraterrestrial clouds

          Aieeee!

    2. Yet Another Anonymous coward Silver badge

      It can expect its laws to apply to all corporations registered in its jurisdiction.

      If foreign laws prevent you complying then you don't do business in those countries.

      This law simply says that MSFT now can't legally work in EU, in the same way it can't operate in cuba, N Korea, Iran etc

  8. Anonymous Coward

    USA, this is how it works:

    Something on foreign soil, you apply to the courts of that country for a warrant as it's in their sovereign territory.

    It's called due process.

    1. Stevie

      It's called due process.

      But you are forgetting one thing:

      AMERICA! F*CK YEAH!

      1. PeterGriffin

        Re: It's called due process.

        In line with their recent VISA information overreach and immigration policies it's more like: America (TM): F*ck You!

    2. Charles 9

      But what about an asset housed in one country but owned by another, and each claims sovereign rule, the former by power over the ground and the latter by having power over the owner. Which law takes precedence?

  9. Anonymous Coward

    The EFF has a good piece on this:

    "For example, because U.S.-based companies host and carry much of the world’s Internet traffic, a foreign country that enters one of these executive agreements with the U.S. to could potentially wiretap people located anywhere on the globe (so long as the target of the wiretap is not a U.S. person or located in the United States) without the procedural safeguards of U.S. law typically given to data stored in the United States, such as a warrant, or even notice to the U.S. government. This is an enormous erosion of current data privacy laws."

    https://www.eff.org/deeplinks/2018/02/cloud-act-dangerous-expansion-police-snooping-cross-border-data

    1. onefang

      "For example, because U.S.-based companies host and carry much of the world’s Internet traffic, a foreign country that enters one of these executive agreements with the U.S. to could potentially wiretap people located anywhere on the globe"

      For those outside of USA that like their privacy, Internet routing is about to become much more complicated.

      1. Androgynous Cupboard Silver badge

        Gosh yes, I'll have to stop using telnet and HTTP. Whatever will I replace them with?

  10. Anonymous Coward

    As America does not give a shit about people (renditions) did anyone really think any different about data?

    https://en.wikipedia.org/wiki/Extraordinary_rendition

    This was only a matter of time.

    1. Stevie

      rendition

      Nonononono.

      Extraordinary Rendition is when you *start* in America but take someone out of it to where American Law doesn't apply and fingernails are optional.

      CLOUD is the reverse. That's where the US drops a legal haywire grenade template over a foreign data center and declares American Law now applies there.

  11. Pascal Monett Silver badge

    Cloud providers can now point to a clear obligation

    to hand over your data as soon as the NSA twitches.

    Seems to me that that is as fine a beacon as any lighthouse in a storm. Keep your data away from US companies, period.

    1. Jason Bloomberg Silver badge
      Big Brother

      Re: Cloud providers can now point to a clear obligation

      Keep your data away from US companies, period.

      Agreed but it's not always easy to do. Virgin Media is owned by Liberty Global so would that make them an American company or not when it comes to American jurisdiction? Even before that VM were using Google to handle their email.

      And we in the UK can only guess what the government is going to give away to the US in their desperate need to secure a trade deal post-brexit.

      1. GrapeBunch

        Re: Cloud providers can now point to a clear obligation

        Yes. I would even use a fictitious Russian company, which I will call rooble, that offered the same facilities as the biggies, and offered decryption for which I and only I held the key. I don't know why every road leads to a USA company. It's just code, otherwise the Internet is, or should be, a level playing service. Why aren't there non-US equivalents? I'm not angry, just puzzled.

        Hackers of many independent nations could do this in their sleep.

        I just checked, and, unbelievably, rooble.com is not taken. rooble.ru is parked and for sale. rooble, like the Russian currency, but also like google with changes in two letters, just so everybody gets it. My apologies to 99% of those who have read this far. And thank you.

  12. Graham 25

    One could still legitimately argue that even though the US says its companies have an obligation to hand over things held overseas, that obligation ends at the border of the US and once the data is overseas the law does not apply.

    It's like giving yourself the right to vote in a foreign country because the US says you can. It means squat overseas and the companies can just take the view that they have no right to do anything overseas as the law stated doesn't apply outside of the US.

    I look forward to the EU demanding a US company hands over Trump's accounts as they can compel the auditors of Trump's estate in the USA using a similar trick.

    1. TheVogon

      "I look forward to the EU demanding a US company hands over Trumps accounts"

      No need to ask a US company. He uses Deutsche Bank.

  13. Brewster's Angle Grinder Silver badge
    Gimp

    Dear El Reg,

    I kept reading this as the "CLOWN-act". I don't know why.

    Yours etc...

  14. Neil Barnes Silver badge

    Remind me again

    Exactly *where* are the US borders?

    1. Anonymous Coward

      Re: Remind me again

      >Exactly *where* are the US borders?

      Apparently they don't have any unless you are Mexican and that one works like a diode.

    2. Anonymous Coward

      Re: Remind me again

      > Remind me again

      > Exactly *where* are the US borders?

      100 miles inside of the physical border or international entry point, all the way to the other side...

  15. Aqua Marina

    If MS Ireland were on the ball, they will have already involved the Irish equivalent of the ICO (EICO?). If they haven't I'm sure some well meaning citizens could inform the EICO that the US government is trying to force an EU based company to break EU law. That should pretty much stale-mate it as EU execs would ultimately be liable if they allow the US company to trawl their systems.

    1. Charles 9

      But if the EU execs can be overruled by the home office's board, then you put them between Scylla and Charybdis.

  16. Franco

    That sound you all heard was the cloud bubble bursting, because if this does get applied in this case all of those cloud migration projects that have been going on are getting swiftly reversed.

    Pretty sure EDPR/GDPR will essentially make the use of a US based cloud provider illegal

    1. SImon Hobson Bronze badge

      Pretty sure EDPR/GDPR will essentially make the use of a US based cloud provider illegal

      It already is, it's just that Privacy Shield Figleaf hasn't yet been declared invalid/incompatible with European data protection laws. But when GDPR comes in, it will be "somewhat harder" to say that Privacy Figleaf + US Law complies.

  17. Stevie

    Bah!

    Collecting Loads Of Unspecified Data fits better and is more descriptive.

    1. Franco

      Re: Bah!

      Isn't that Facebook's new marketing slogan?

      1. DavidRa

        Re: Bah!

        > Isn't that Facebook's new marketing slogan?

        It's hardly "new" at this point.

  18. Malcolm Weir Silver badge

    I think the inevitable side effect of this (and the similar problematic but well intentioned SESTA/FOSTA nonsense) will be that the US tech giants will look to become "jurisdiction exiles" (like tax exiles, but not about tax).

    So Google might become something like a Nevis corporation, with subsidiaries in the US, Canada, the EU, the UK, etc. The US subsidiary is "just" a sibling to the EU one, so no-one in the US has "control" over the EU data centers.

    The exact and precise model to follow is the "flags of convenience" practice used in commercial shipping...

    1. rh587

      The exact and precise model to follow is the "flags of convenience" practice used in commercial shipping...

      Ikea would also be an interesting case study.

      Ikea's based in Sweden right? Except it's headquartered in the Netherlands.

      In fact... check this out.

      The [Stichting INGKA Foundation] owns the private Dutch company INGKA Holding, based in Leiden (NL), which is the holding company that controls 315 of the 360 outlets of IKEA. INGKA does not own the IKEA franchise and trademark; these are owned by Inter IKEA Systems B.V. in Delft, also in the Netherlands, which receives 3% of all IKEA revenues in royalties. Inter IKEA Systems is owned by Inter IKEA Holding, registered in Luxembourg, which is controlled, in turn, by Interogo Foundation, a Liechtenstein foundation...

      It's an incredible tax-avoidance structure which also integrates anti-takeover mechanisms. The article doesn't mention who owns or controls the other 45 stores, and doesn't even touch on the Swedish design studios and purchasing departments who actually design and order the product that is sold by INGKA Holding.

  19. Mike Moyle

    I'm going to go out on a limb and guess that Microsoft's response is going to come from the Ireland business unit saying that they are waiting for clarification from the EDPB re: their duty as a business operating in Europe and holding data on EU citizens. That should stall things for another couple of years, at least.

  20. Anonymous Coward

    The "It's Not Cloudy In The Cayman Islands" Work-Around for the CLOUD Act

    1) Encrypt the data. Store it anywhere you like.

    2) Encrypt the keys, and store the encrypted keys anywhere you like.

    3) Hand the 'Key Encryption Keys' over to an external person-in-trust.

    The Person-in-trust has to be outside direct control of the Corporation. Kinda like a Team of Lawyers in the Cayman Islands, operating under a strict predefined contract that cannot be overruled. The KEKs might be hashed and RAID-like smeared over a wide group.

    1. Doctor Syntax Silver badge

      Re: The "It's Not Cloudy In The Cayman Islands" Work-Around for the CLOUD Act

      "Hand the 'Key Encryption Keys' over to an external person-in-trust."

      This is vaguely what happens in MS's German setup. I haven't read of them doing that elsewhere. I'd have thought they'd have rolled that out everywhere else in the EU starting in Ireland.

      Or go a bit more drastic.

      1. Have non-US citizens set up a company in a privacy-favouring country.

      2. Hand over to the new company the operation of the non-US DCs as a franchise operation with strict contract conditions forbidding MS any access that would break local laws.

      3. Separate off US sales and operations as a local US franchise in the same way. Likewise, separate any other stuff such as development that they want to stay in the US into a local company that provides such services under contract.

      4. The non-US company takes over Microsoft Corporation on a share exchange. In effect the former MS shareholders become the shareholders of the new corporation which holds all MS's IP etc, which is listed on a non-US stock exchange and which isn't subject to US legislation and doesn't pay US taxes. Only the rump businesses in the US are subject to US law and taxes. Any MS officers who don't want to move overseas can become officers of the rump businesses; the fees paid by the non-US MS can cover their pay but they don't get to order about the new non-US business and can't be used by the US to coerce that business.

      5. Other US corporations look at the arrangements, realise it's the way to do business with the world at large and follow suit.

      6. Nice little tech industry you had there, US. Pity something nasty happened to it.

      1. Charles 9

        Re: The "It's Not Cloudy In The Cayman Islands" Work-Around for the CLOUD Act

        The hitch in your plan is that (4) requires government consent. Microsoft is publicly traded, meaning the SEC gets involved. They could see through the scheme and balk.

  21. Anonymous Coward
    Anonymous Coward

    the catholic church two step

    A few years back, when the Catholic priests in America were being exposed, there was a threat of legal action against the church due to the fact that the church knew about it and actively covered it up.

    Knowing the way courts in America hand out compensation based on how much the perp has, then the wealth of the Vatican was in danger.

    They then separated into the Roman Catholic Church and the Catholic Church of America, and the Vatican gave the Catholic Church of America a few million in its kitty. The compensation claims were levied against the Catholic Church of America and the Vatican was protected.

    So, all a company needs to do is separate its businesses from each other in different territories, for example Microsoft USA and Microsoft EU. Two totally different companies who do not operate in each other's territories or hold any data in each other's territories. Both companies buy the products they sell from a third company, say Microsoft Global.

    There is nothing to stop someone travelling to Europe from the USA and buying or signing up for a service and access that service from the USA. I don't believe the CLOUD act would compel Microsoft EU to hand over data without applying for a warrant in the EU...

    It's a lot of fucking about, but if the company truly had any thoughts on people's privacy then they would do something like that. For example, if Microsoft did this and Google did not, then I am almost certain anyone in the EU that valued privacy from the US spooks would stop using Gmail and go with Microsoft offerings.....

    1. Charles 9

      Re: the catholic church two step

      But you would think the US government would get wise to the scheme and jump in, especially with the protectionist mindset in force in Washington today.

  22. whitepines
    Mushroom

    Surprise, surprise. How long have people here known that the only way to actually keep data private is to own the hardware and software both, then keep it out of a privacy-unfriendly jurisdiction?

    The middle and latter bits are easy, use Linux, keep the hardware in the EU. The former bit is somewhat harder as it requires you move off of Intel and AMD (they retain access to the hardware via firmware bits and can be compelled to hand things over), and also modern ARM where the same general firmware is present ("for your safety", of course....)

    The big question is, will anyone bother to purchase securable systems, or somehow try to just get away with flaunting the GDPR? I know what'll happen first, and I hope some seriously stiff (business-destroying) fines are levied as a result...

    1. Chronos

      rms (he's case sensitive) had the right idea running a Loongson MIPS64 based notebook long before any of this kicked off. Of course, using EMACS for everything just isn't a road I want to go down.

      1. whitepines
        Linux

        What about one of the ARM Chromebooks (which actually run a normal Linux distro quite nicely)? Or one of the new POWER9 machines if you need a bit more power? MIPS isn't really the best choice for a daily driver...

        1. Chronos

          I wasn't actually suggesting using MIPS.

          The RK3399 based Orange Pi is pretty much all I need in a desktop, barring the still-closed Mali GPU and the Spectre-vulnerable A72 cores. The latter is likely to be mitigated fairly soon with retpolines. The former is the bigger issue. I can't be without 3D graphics as I use things like OpenSCAD and gEDA a lot. Come to think of it, a couple more GiB of memory would be nice. The Rock64 fulfils this requirement but it doesn't have a SATA port.

          I'd really rather not go down the *book road as, generally, the keyboards are pants and they're compromised to fit into the form factor. Starting with a mainboard you get to choose your storage, cooling, noise levels and no sodding embedded batteries welded to the case. Yes, it acts like a UPS and all that rot, I already have 24VDC to the desk and rack from a big-arsed 2kWh reservoir to cope with outages (I have a pair of Banana Pis on fileserver duties) and it seems silly to convert 230V to DC, store it and then occasionally drag it back up to 230 before converting it down again with a SMPSU. All those inefficiencies must add up and DC-DC buck converters are much more efficient than isolated SMPSUs.

    2. Doctor Syntax Silver badge

      "or somehow try to just get away with flaunting the GDPR?"

      Do you mean wave it?

      1. Sierpinski

        If you've got it, flount it?

  23. veti Silver badge

    So, I had a look at the CLOUD Act...

    And it's appalling.

    Under it, Microsoft can try to resist handing over the data if it thinks:

    “(i) that the customer or subscriber is not a United States person and does not reside in the United States; and

    “(ii) that the required disclosure would create a material risk that the provider would violate the laws of a qualifying foreign government.

    If it files such a motion, then a US court will decide whether to grant it - that is, a US court has to interpret the laws of whatever other country is being targeted this week. I'm pretty sure that's unconstitutional, because US courts are only empowered to interpret US laws (Article 3, section 2 of the constitution).

    The mere fact that the request violates a foreign law - is no defence at all. It also has to belong to "a non-US person". How that is supposed to square with the equal protection clause, I'm not sure.

    1. Bronek Kozicki

      Re: So, I had a look at the CLOUD Act...

      I think American lawmakers are trying to build on the success (no, sadly this is not sarcasm) of FATCA, by simply following the model of "if you deal with US persons, you have to deal with US authorities too"

  24. big_D Silver badge

    Correct...

    – even though it maintains it shouldn't have had to issue one.

    It shouldn't have issued under 2703 in the first place. There was no need for any of this willy waving, there are existing treaties in place, which would have been much faster and more economical for the DoJ.

    They just needed to fill out a form, contact their opposite number in Ireland, have them place it before the Irish court and, if their application had any merit, the Irish court would have ordered Microsoft Ireland to hand over the data.

    That they didn't follow "proper channels" makes it feel like it was a fishing expedition that would not have stood up in an Irish court.

  25. Anonymous Coward
    Linux

    A radical proposal to keep your personal data safe

    "The surveillance imposed on us today is worse than in the Soviet Union. We need laws to stop this data being collected in the first place", Richard Stallman Apr 03 2018

  26. John70

    Cloud Services

    Wonder how this will affect all the US businesses offering cloud services.

    Will people move away from Azure, AWS, etc?

  27. steviebuk Silver badge

    Surely they could....

    ...have got around this by creating a new business that was registered in the EU but based in Ireland and linked to MS. Because it's then not a US registered company, surely US laws can't apply to the data storage arm of MS then, as it would be a separate EU registered company.

    Much how it looks like, I could be wrong, Alphabet was created by a certain company to avoid tax.

    It's Team America - World Police again.

  28. The questioner

    It's retroactive whichever way you cut it

    The law that was in force when the relevant data was created and stored did not enable US law enforcement to get their hands on that data (without a warrant).

    The CLOUD Act purports to reach a different conclusion on the basis of the same set of facts. That's retroactive under any interpretation.

    There would be no retroactivity (in the context of the US legal system) if the new law only applied to data created and stored after the CLOUD Act came into force. But that is clearly not the case here.

    Then there is that pesky issue of Irish and EU laws. Those laws have not changed and require US law enforcement to produce a warrant if it wants to get its hands on the data in question. Whilst the CLOUD Act purports to enable US law enforcement officials to side-step this requirement, that Act is unquestionably irrelevant to the interpretation and enforcement of pre-existing Irish and EU laws... which will continue to require a warrant.

    Set against this context, one has to question the US government's strategy in this case. I mean, why go to such extraordinary lengths (a protracted legal battle with Microsoft, drafting and passing the CLOUD Act, etc.) when the option of obtaining a warrant was there all along?

  29. Anonymous Coward
    Anonymous Coward

    OK, it is no secret that the ultra right-wing has taken over the US Political system and, sadly, much of the Citizenry. Trump, or his advisors, are pushing hard to isolate the US. They don't care whether other countries comply or not. If they comply then the US get everything they want. If they don't comply then the US shut them down or out of the US.

    So, the effect is that the US becomes more isolated and Nationalistic. The economy is reduced which makes it even easier for the ultra right to increase its control. The Fascists are firmly in control. If any of the left or center leaning Supreme Court Justices die while there's an ultra right wing President the US Justice system will be a shambles for another generation, maybe longer.

    1. Uffish

      First comes Hubris - then comes Nemesis

      Good, old fashioned, observational psychology.

  30. Jove Bronze badge

    So the gist of the outcome is that USA-based tech-giants have gotten what they wanted; legal protection from courts in overseas territories.

  31. Crisp

    "Our rules prevent us from doing something!"

    "Ok! Let's quickly change them to allow us to do what we wanted to do anyway."

    "What should I do with this shed load of unintended consequences?"

  32. Jason Bloomberg Silver badge
    Big Brother

    BoJo sez:

    https://twitter.com/BorisJohnson/status/977269315362844674

    "I thank our US friends for their hard work to pass the #CLOUDAct today: a future UK-US agreement will protect privacy and allow UK and US law enforcement to share data to keep our people safe"

    1. Androgynous Cupboard Silver badge

      Re: BoJo sez:

      No prizes for guessing what he's got planned post-brexit then. "Keep our people safe" - pray tell from whom, Boris?

      I have just tweeted him pointing out that as he was himself a US citizen until last year, the US explicitly state that the UK/EU privacy laws are irrelevant and would have claimed access to his global data. Sadly I suspect Boris is output-only and I have just wasted 140 characters.

      1. Anonymous Coward
        Anonymous Coward

        Re: BoJo sez:

        >Sadly I suspect Boris is output-only and I have just wasted 140 characters.

        Up until around 100 years ago, Boris would have found a position as an officer in the British Army. He would probably have been shot by his own men for instigating some futile charge against the enemy that left too many of them dead.

  33. Charles 9

    Waiting for the Nuclear Declaration

    Probably the next thing we should be expecting is some binding declaration from the EU that US law and EU law are now irrevocably at odds with each other, meaning US ownership of EU data is also inherently in violation of GDPR, giving all US companies say 30 days to divest themselves of ALL EU data holdings before it becomes enforced. Forget the trade war with China, let's see what a data embargo with the EU will entail.

    1. Lost it

      Re: Waiting for the Nuclear Declaration

      What? You mean... Turn off GCHQ?
