10 December 2014 by Bill Boyle - DatacenterDynamics
Microsoft has this week filed a fresh appeal against a US warrant for customer information stored in an Irish data center.
Last year, a New York magistrate ordered Microsoft to reveal the contents of one user's emails, stored at its data centers in Ireland, under the Stored Communications Act. Microsoft objected to the warrant and has been held in contempt of court. Now it has lodged a new appeal in New York's Second Circuit Court of Appeals.
Microsoft takes the view that privacy of its foreign clients’ information should achieve First Amendment standards, and its chief legal council Brad Smith has presented an interesting argument: “Imagine this scenario. Officers of the local Stadtpolizei investigating a suspected leak to the press descend on Deutsche Bank headquarters in Frankfurt, Germany. They serve a warrant to seize a bundle of private letters that a New York Times reporter is storing in a safe deposit box at a Deutsche Bank USA branch in Manhattan. The bank complies by ordering the New York branch manager to open the reporter’s box with a master key, rummage through it, and fax the private letters to the Stadtpolizei."
The shoe on other foot scenario
Smith elabrorates: “The U.S. Secretary of State fumes: 'We are outraged by the decision to bypass existing formal procedures that the European Union and the United States have agreed on for bilateral cooperation, and to embark instead on extraterritorial law enforcement activity on American soil in violation of international law and our own privacy laws'. Germany’s Foreign Minister responds: 'We did not conduct an extraterritorial search—in fact we didn’t search anything at all. No German officer ever set foot in the United States. The Stadtpolizei merely ordered a German company to produce its own business records, which were in its own possession, custody, and control. The American reporter’s privacy interests were fully protected, because the Stadtpolizei secured a warrant from a neutral magistrate.'”
“No way would that response satisfy the U.S. Government. The letters the reporter placed in a safe deposit box in Manhattan are her private correspondence, not the bank’s business records. The seizure of that private correspondence pursuant to a warrant is a law enforcement seizure by a foreign government, executed in the United States, even if it is effected by a private party whom the government has conscripted to act on its behalf.
Staving off international problems
"This case presents a digital version of the same scenario, but the shoe is on the other foot. The Electronic Communications Privacy Act of 1986 (“ECPA”) allows federal agents and local police to command email providers to execute a “warrant” to seize customers’ private emails from the digital lockboxes they secure with a password. Federal agents served such a search warrant on Microsoft’s U.S. headquarters, requiring it to search for a customer’s private emails, copy them, and turn them over. The emails, however, are located exclusively on a computer in Dublin, Ireland, where they are protected by Irish and European privacy laws.
“To avoid just this sort of international discord, courts presume that federal statutes do not apply extraterritorially unless Congress expresses a clear intent for them to do so. Congress, however, gave no indication in ECPA that it intended to authorize federal and local police to commandeer service providers to execute searches and seizures of private emails located in foreign countries. Nor did Congress express any intention to allow the Government to ignore established avenues for international cooperation, such as Mutual Legal Assistance Treaties, to obtain such evidence.”
Microsoft’s very high-profile stance in fighting this case almost certainly comes from the potential loss of foreign customers who may object to their data being forcibly repatriated to the USA without their knowledge. It obviously worries many other US companies given the large number of them which have submitted Amicus Curiae to the court.