Over the last four years, an increasingly bitter legal battle has been playing out between technology firm Microsoft and the US government. The battle is being watched carefully by those in the know, as the final result will have extremely far-reaching consequences for ordinary internet users’ privacy.
It could also trigger a major diplomatic row with Europe, and may have a major impact on how, and even if, US technology companies do business overseas.
What Is Going on?
The argument revolves around whether the US government has the right to demand that Microsoft hand over data stored on an overseas server (specifically, a server in Ireland).
According to both the USA Patriot Act and the Foreign Intelligence Surveillance Act (FISA), US agencies can access any data held by a US company, regardless of whether that data is stored outside the US.
Microsoft is a US company, and the US government has a valid warrant for email stored on Microsoft’s servers in Ireland relating to a drug investigation. So as far as the US government is concerned, case closed.
Microsoft, however, begs to differ. It has fought tooth and nail against the warrant, arguing that a US warrant cannot apply to data that is stored overseas, and that the data is protected by the laws of the country in which it is stored.
After losing the last round of the ongoing legal contest, the government has asked the Supreme Court to intervene (pdf):
“This Court should grant review to restore the government’s ability to require providers to disclose electronic communications—which are, in this day and age, often the only or the most critical evidence of terrorism and crime.”
September 2007 – Microsoft joins the NSA’s PRISM surveillance program
During this time, Microsoft collaborated closely with the NSA, allowing the NSA to perform mass surveillance on its users. Many of those users were US citizens, who are theoretically protected from such behavior by the US Constitution.
May 2013 – Edward Snowden exposes how Microsoft was betraying its customers
Ex-NSA whistleblower Edward Snowden released thousands of documents that showed the world the terrifying extent of the NSA’s surveillance programs. Among the many shocking revelations was the extent of Microsoft’s complicity in the PRISM program.
Microsoft was caught with its pants well and truly down. Suffering from both a damaged reputation and the resulting economic fallout, Microsoft was quick to distance itself from the NSA. Crucially, it stopped cooperating with government demands for users’ data.
January 2014 – Microsoft announces plans to allow non-US citizens to store their data overseas
In a move designed to restore consumer confidence in its service, Microsoft said (paywall) that it would allow non-US customers to store their data on servers located outside the United States:
“People should have the ability to know whether their data are being subjected to the laws and access of governments in some other country and should have the ability to make an informed choice of where their data resides.”
The implication was that this move would protect data belonging to non-US citizens from being accessed by US intelligence services. Given the aforementioned provisions of the Patriot Act and FISA regarding this subject, the announcement caused some raised eyebrows at the time.
April 2014 – US government demands that Microsoft hand over overseas data
It therefore came as little surprise when, barely weeks after this announcement, a New York court ordered Microsoft to hand over data belonging to a non-US citizen that resided on a server outside the US.
September 2014 – Microsoft loses again
Eager to re-establish its tarnished reputation, Microsoft vowed to resist the warrant. It suffered another defeat, however, when Judge Loretta Preska, Chief of US District in Manhattan, upheld the April ruling. Despite this setback, Microsoft was determined to fight on:
“Microsoft will not be turning over the email and plans to appeal.”
July 2016 – A big win for Microsoft
Fast forward almost two years, and a panel of Second Circuit judges overturned the New York ruling. They stated that a search warrant sent to Microsoft cannot be applied internationally:
“We conclude that Congress did not intend the [Stored Communications Act’s] warrant provisions to apply extraterritorially. SCA warrant in this case may not lawfully be used to compel Microsoft to produce to the government the contents of a customer’s e‐mail account stored exclusively in Ireland.”
According to Nate Cardozo, an attorney working with the Electronic Frontier Foundation,
“This is a big win for privacy. It circumscribes the US government’s power abroad. It reiterates the rule that US law doesn’t apply outside the US …[And] it keeps foreigners’ data secure from the US government, which has shown again and again that it’s willing to overstep reasonable bounds on its power.”
Want more great news stories like this?
Sign up to our Newsletter today!
Newsletter sign up
Want more great news stories like this?
Sign up to our Newsletter today!
Microsoft was understandably jubilant:
“This decision provides a major victory for the protection of people’s privacy rights under their own laws rather than the reach of foreign governments. As a global company we’ve long recognized that if people around the world are to trust the technology they use, they need to have confidence that their personal information will be protected by the laws of their own country.”
June 2017 (now) – US government refers the case to the Supreme Court
In support of its petition to the Supreme Court, the government accuses Microsoft of using arguments that “ring hollow,” and of cynically putting economic concerns before the national interest:
“Economic concerns cannot override the text of the statute or the interests in public safety and national security that are at stake in this case—particularly when the claimed economic benefit is derived directly from a provider’s ability to market itself as capable of shielding subscribers’ activity, including their criminal activity, from discovery by the authorities.”
What is not explained is how evidence relating to a drug investigation constitutes a threat to national security.
With the Patriot Act and FISA on its side, plus a Supreme Court that, following the controversial appointment of Judge Neil Gorsuch, is now Republican-leaning, it is certainly possible that the government will win this case.
The consequences of it doing so, however, could be disastrous for US companies that operate internationally. For a start, it means that consumers will know their data is not safe with US companies.
Secondly, it places US companies in an impossible position with regards to international law, which requires that companies operating within a legal jurisdiction obey the data protection laws of that jurisdiction.
In lucrative markets such as Europe, this would place US law into direct conflict with EU privacy regulations. If US companies are unable to comply with EU law, they may be forced to withdraw from the EU market. In addition to the companies directly affected, this would not be good for the US economy.
The solution would be for the US to negotiate reciprocal arrangements in which they can ask foreign judges to grant local warrants for the information desired.
Many other countries, such as China, have legal systems that would be incompatible with such an agreement.
For now we will just have to wait and see what happens. Interesting, isn’t it?