Like all the big tech companies caught with their pants down by Edward Snowdon’s revelations that they fully cooperated with the NSA over spying on their customers, Microsoft has ever since been desperate to claw back public confidence. A big win in court could have major implications for the US government’s ability to simply demand data from companies that is stored overseas.
The problem
Back in January 2014, Microsoft announced plans to allow non-US-citizens to store their data overseas,
"People should have the ability to know whether their data are being subjected to the laws and access of governments in some other country and should have the ability to make an informed choice of where their data resides.”
The implication was that this move would protect data belonging to non-US citizens from being accessed by US intelligence services. As I noted with a somewhat raised eyebrow at the time, however,
"It should be clearly understood that US companies are legally required under the Patriot Act to hand over information on their servers to US intelligence agencies, even if that information resides on servers outside the US. Basically, US agencies can access any data held by a US company, regardless of whether that data is stored outside the US, so it is unclear to us what benefits it will bring.”
The Foreign Intelligence Surveillance Act (FISA) similarly allows US agencies to access information stored in cloud databases located in the EU, but owned by US companies. All that US authorities need do is get a secret court to issue a secret surveillance order, which when presented to a US company they have no option but to comply.
It should come as no surprise when almost immediately following its announcement, a US judge ordered Microsoft to hand over a customer’s emails, even though these were stored in Ireland.
The ruling by New York Judge James Francis supported a search warrant issued by US law enforcement officials, demanded information associated with an individual’s email account, including their name, credit card details, and the contents of all messages.
Microsoft fights back
To its credit, Microsoft did not take this ruling lying down. And despite the New York ruling being upheld by of US District in Manhattan, Judge Loretta Presk, Microsoft made US legal history by refusing to hand over the data until the case had wound its way through the appeals process,
"Microsoft will not be turning over the email and plans to appeal.”
A big win
On 14 July a panel of a panel of Second Circuit judges overturned the New York ruling, stating that a search warrant sent to Microsoft cannot be applied internationally,
"We conclude that Congress did not intend the [Stored Communications Act’s] warrant provisions to apply extraterritorially. SCA warrant may not lawfully be used to compel Microsoft to produce to the government the contents of a customer’s e‐mail account stored exclusively in Ireland.”
According to Nate Cardozo, an attorney working with the Electronic Frontier Foundation,
"This is a big win for privacy. It circumscribes the US government’s power abroad. It reiterates the rule that US law doesn’t apply outside the US …[And] it keeps foreigners’ data secure from the US government, which has shown again and again that it’s willing to overstep reasonable bounds on its power.”
Microsoft was similarly jubilant,
"This decision provides a major victory for the protection of people’s privacy rights under their own laws rather than the reach of foreign governments. As a global company we’ve long recognized that if people around the world are to trust the technology they use, they need to have confidence that their personal information will be protected by the laws of their own country.”
Caution still required
This is a landmark decision that will help safeguard non-US nationals’ data that is stored outside the USA from being accessed by US authorities. A number of important caveats should be noted, however:
- The US government is almost certain to appeal this decision.
- The US and UK governments are currently negotiating an agreement that will allow the government US government to serve UK communications and technology companies with wiretap orders and warrants in order to access communications relating to US citizens. And vice versa. This plan has yet to be formally announced and will face a number of legal and practical hurdles, including opposition from the likes of Microsoft, Apple, and Google.
- We only know about the Microsoft email case because (somewhat usually) the NSL it received did not include a gag order, and Microsoft decided to go public about the affair. We have no way of knowing if and how often Microsoft otherwise complies with government demands.
Conclusion
This latest win for Microsoft is great news for privacy, and will hopefully put some brakes on the US governments’ belief that it is entitled to any and all data belonging to anyone, regardless of citizenship or where the data is stored.
If you really care about privacy, however, then you should not trust any technology company with your data. Use a VPN or Tor to hide your browsing habits, where possible use end-to-end encrypted messaging, and end-to-end encrypt all your sensitive data yourself. In other words, do not trust tech companies to protect your privacy