Microsoft case shows the increasingly long reach of government agencies

By Graeme Burton
06 May 2014 View Comments
Judge's gavel

When US Magistrates Court judge James C. Francis ruled against Microsoft over the extra-territorial applicability of a search warrant, it cast light on a debate that is taking place around the world: How far do government agencies' rights to seize data in the course of an investigation really extend?

Microsoft had argued that a search warrant directing the company to supply data about a specific user whose emails were ultimately stored on one of the company's data centres in Ireland was not valid, because "courts in the US are not authorised to issue warrants for extra territorial search and seizure". 

Further reading

But Judge Francis, who had granted the original search warrant, ruled against the company. The warrant had specifically authorised "the search and seizure of information associated with a specified web-based email account that is 'stored at premises owned, maintained, controlled, or operated by Microsoft". And that, said the judge, meant everywhere.

According to the judge, Microsoft's Global Criminal Compliance team went as far as to collate the data, using automated tools designed for the purpose.

"Microsoft complied with the search warrant to the extent of producing the non-content information stored on servers in the United States. However, after it determined that the target account was hosted in Dublin and the content information stored there, it filed the instant motion seeking to quash the warrant to the extent that it directs the production of information stored abroad," wrote Francis in his summary.

He insists that under the terms of the Stored Communications Act (SCA), passed as part of the Electronic Communications Privacy Act, 1986, US government agencies can order a company to turn over all records in response to a subpoena, court order, or warrant - regardless of where it is stored.

But the judgment is not quite the landmark that many reports suggested.

First, the judge was ultimately presiding over a warrant that he issued and the court, in any case, is fairly junior. Microsoft, furthermore, expected defeat at this level, but instigated it in order to get the law clarified in an action that is likely to run for some time through various courts and appeals.

Microsoft's aim is to rein-in the US government in its web surveillance activities in a bid to protect its own burgeoning global cloud business.

"The US government doesn't have the power to search a home in another country, nor should it have the power to search the content of email stored overseas," wrote Microsoft's deputy general counsel, David Howard, in a blog post.

He continued: "When we filed this challenge we knew the path would need to start with a magistrate judge, and that we'd eventually have the opportunity to bring the issue to a US district court judge and, probably, to a federal court of appeals."

Howard perhaps implied, though, that technology companies had hitherto routinely complied with global data requests as a matter of course. He wrote that the decision, "maintains the status quo but is a necessary step in our effort to make sure that governments follow the letter of the law when they seek our customers' private data in the future".

In any case, the globally applicable warrant that Judge Francis supports ultimately represents little more than a stitch in time for law enforcement and other government agencies: court orders issued by courts in the US and UK are already applicable in most countries overseas via Mutual Legal Assistance Treaties.

Hence, the ease with which an agency in country can legally access data held in another is not an insurmountable challenge.

What all this means for companies offering cloud computing services - and especially for users of those services - is that they should trust no-one, says Marc Dautlich, a partner at law firm Pinsent Masons.

"Companies should ask, 'what are our crown jewels'? Then classify them and treat them differently," says Dautlich. That might mean not putting such information onto any cloud services as a matter of trust.

And, furthermore, deploying encryption. "That's one of the best protections of all. You can spend a lot of time with lawyers, which I don't discourage, but you should also encrypt your data. Also, if your cloud provider doesn't have the decryption key it forces the government agency to come to you if it does want to execute a search warrant," adds Dautlich.

Reader comments
blog comments powered by Disqus
Windows 10 - will you upgrade?

Microsoft has made an early version of Windows 10 - its next operating system - available for download. The OS promises better integration and harmonisation across platforms, including mobile and desktop. Will your business be upgrading?

38 %
26 %
15 %
21 %