US court says cloud companies must hand over ALL data on demand, regardless of where it is held

Holding data overseas doesn't exempt cloud computing companies from US government data grabs

Internet and cloud companies must turn over all information to US government agencies on demand, regardless of where the data is held.

That is the judgment of US Magistrates court judge James C. Francis in an action brought against software giant Microsoft. However, Microsoft claims that the judgement is just the beginning of an action intended to uphold constitutional limits on government search-warrant powers.

It follows moves by Microsoft to reverse a search warrant that sought the contents of emails of a customer, whose data was held on a server physically located in Ireland.

"Microsoft contends that courts in the United States are not authorized to issue warrants for extraterritorial search and seizure, and that this is such a warrant. For the reasons that follow, Microsoft's motion is denied," wrote Francis in his judgment.

He continued: "On December 4, 2013, in response to an application by the United States, I issued the search warrant that is the subject of the instant motion.

"That warrant authorizes the search and seizure of information associated with a specified web-based email account that is 'stored at premises owned, maintained, controlled, or operated by Microsoft Corporation, a company headquartered at One Microsoft Way, Redmond, WA'."

According to the judge, Microsoft's Global Criminal Compliance team went as far as to collate the data, using automated tools designed for the purpose.

"Microsoft complied with the search warrant to the extent of producing the non-content information stored on servers in the United States. However, after it determined that the target account was hosted in Dublin and the content information stored there, it filed the instant motion seeking to quash the warrant to the extent that it directs the production of information stored abroad."

However, Francis insists that under the terms of the Stored Communications Act (SCA), passed as part of the Electronic Communications Privacy Act, 1986, US government agencies can order a company to turn over all records in response to a subpoena, court order, or warrant.

The judgment represents a new challenge to technology companies offering cloud computing services.

The court demand re-opens the debate over cloud computing that was blown wide open by the revelations of US National Security Agency (NSA) whistleblower Edward Snowden.

Those leaked NSA documents showed how the US security agency's online surveillance activities went even further than even the most paranoid commentators expected - and also how closely the NSA worked with other intelligence agencies in its information gathering, including GCHQ.

Technology companies re-architected their cloud applications to ensure that the data remains encrypted and siloed in distinct geographic locations for compliance purposes, supposedly to keep the data from court-mandated data grabs by overseas agencies.

Although Microsoft's email data is held in the location closest to the country indicated when individuals originally registered their new email address, the organisation also stores items of other data relating to that account in the US.

According to the judgment, these include:

First, certain non-content information retained in a data warehouse in the US for testing and quality control purposes.

Second, address book information relating to certain web-based email accounts.

Third, certain basic non-content information about all accounts, such as the user's name and country, which is maintained in a database in the US.

The judge described Microsoft's argument that federal courts did not have the authority to issue warrants for search and seizure of property outside the US as "simple, perhaps deceptively so".

Seemingly seeking to re-interpret the SCA, he argues that Microsoft's "analysis, while not inconsistent with the statutory language, is undermined by the structure of the SCA, by its legislative history, and by the practical consequences that would flow from adopting it".

In a blog posting, Microsoft corporate vice president and general counsel David Howard re-asserted the company's position.

"The US government doesn't have the power to search a home in another country, nor should it have the power to search the content of email stored overseas," wrote Howard. The legal challenge was filed by Microsoft to protect this principle, he added.

"Today we received an initial decision that maintains the status quo, but is a necessary step in our effort to make sure that governments follow the letter of the law when they seek our customers' private data in the future.

"When we filed this challenge we knew the path would need to start with a magistrate judge, and that we'd eventually have the opportunity to bring the issue to a US district court judge and probably to a federal court of appeals," he added.

Microsoft's legal position is that the same limitations on government search powers that exist in the physical world should apply online, "but the government disagrees".

See the below video for an update on the latest IT news.