After a long drawn out legal process that has spanned over three years, on July 14, 2016, Microsoft won its appeal against the US Government in the case of being asked to hand data over to law enforcement agents. Clashes between government and tech companies are not uncommon today, but this recent ruling introduces a new interpretation of data jurisdiction: even with a domestic warrant, technology companies cannot be forced by government agents to hand over data stored in foreign locations.
At face value, the clarification of US law in this case benefits privacy advocates and members of the tech industry. However, Microsoft v. USA has exposed cracks within current cross-border data transfers and international law enforcement, and these cracks have led to a trend of behaviours that, if not addressed, could result in a fragmentation in international cyber affairs.
Microsoft v. USA began in 2013, when a court in New York issued Microsoft a “Search and Seizure Warrant” for the e-mail content and records held within an MSN account tied to narcotics trafficking. The warrant was issued under the Stored Communications Act (SCA), under which “a provider of electronic communication service or remote computing service shall disclose to a governmental entity” certain account information, such as name, address, and other account characteristics of the subscriber in question, so long as the proper warrant has been issued.
Microsoft complied with the order, handing over non-content data that was stored in US data centres; however, Microsoft refused to pull the customer data that was held by the data centre in Dublin, Ireland. When communications are passed internationally, the data is stored by whatever Microsoft data centre is closest to the physical location of the account user – the US data centres will only hold the most basic account information. When Microsoft moved to quash the warrant beyond its domestic application, the District Court denied the request and held Microsoft in civil contempt for its refusal.
The United States Court of Appeals for the Second Circuit has released its decision on the case “In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation,” but the important provisions of the ruling came down to a key interpretation of existing legislation. The Court ruled on the SCA, saying “its aim was to protect user privacy in the context of new technology…neither explicitly nor implicitly does the statute envision the application of its warrant provisions overseas.” Ruling in Microsoft’s favour, the Court concluded that “2703 of the Stored Communications Act does not authorize courts to issue and enforce against U.S.‐based service providers warrants for the seizure of customer e‐mail content that is stored exclusively on foreign servers.”
Microsoft was the first US tech company to challenge a warrant seeking foreign-stored data, and many are touting this ruling as a win for both consumer privacy and the tech firm overall. Microsoft’s post-ruling press release cited three particular benefits: “it ensures that people’s privacy rights are protected by the laws of their own countries; it helps ensure that the legal protections of the physical world apply in the digital domain; and it paves the way for better solutions to address both privacy and law enforcement needs.” Brad Smith, Microsoft’s general counsel, has tied this case to consumer tech confidence; with that mindset, it is no surprise that companies like Amazon, Apple, Verizon, and other tech companies had filed briefs in support of Microsoft throughout the case.
The US Department of Justice has expressed its disappointment regarding the rule and has already indicated that it may appeal the decision in the near future. Domestically speaking, this is another strike against law enforcement efforts to ‘negotiate’ with the tech industry. After the clash between Apple and the FBI regarding unlocking the San Bernardino attacker’s iPhone, it has become somewhat expected of the government to have to legally push tech firms to get the data it wants for law enforcement purposes.
But there are international implications as well. By determining the US’ access to data is based on the territorial jurisdiction of the data centre’s location, what the US has just broadcasted to every other country is a new precedent: what matters is the data’s location. This may encourage more states to include in their legislation data localization provisions for tech companies serving their citizens (which is bad for eCommerce and digital trade).
Beyond its economic implications, however, data localization could be manageable from a national security perspective if countries had efficient systems to share and access data about detected national security threats. Unfortunately, they don’t, and that, perhaps, is one of the most important elements highlighted by the Microsoft v. USA case.
The Microsoft ruling does have its merits. It relieved US tech companies from automatically having to hand over data housed on foreign territory when served a warrant, and it added one more layer of security for the privacy of foreign citizens using services provided by US tech firms. That being said, the ruling could cause a lot of pain internationally – particularly the fragmentation of data movement.
But overall, the case has shone light on a serious international trend: cross-border data transfers for law enforcement purposes are in a state of flux. In my next article, I will discuss what the Microsoft case has identified and what sort of reforms could happen in international data-sharing to ensure that the national security of many countries can be maintained.
Photo: US Defense Secretary Ash Carter tours the Microsoft Cybercrime Center in Seattle, by US Federal Government via Wikimedia Commons. Public Domain.
Disclaimer: Any views or opinions expressed in articles are solely those of the authors and do not necessarily represent the views of the NATO Association of Canada.