Microsoft vs the long arm of US law: Straight outta Dublin
Hey you, get off of our cloud
Comment The US government can get access to your data stored outside the United States. A controversial ruling by the New York District Court made it clear earlier this year just how far US warrants can extend. The judge ruled that Microsoft had to hand over customer data it was holding in its Dublin data centre. But this is not the end of the matter.
Conscious that its entire cloud strategy outside of the US could be jeopardised, Microsoft is refusing to hand over data at the risk of being placed in contempt of court.
Let’s rewind a minute to work out what this is all about. In 2011, when it launched Office 365, Microsoft's former UK MD Gordon Frazer – now China COO for Redmond – said that his firm would hand over data held in EU data centres in order to comply with the USA PATRIOT Act, since it is a US-headquartered company.
That seemed a remarkable statement at the time – that Microsoft customers in the EU, with no apparent connection to the US, could still have their data accessed by the US government because there was a US company in the supply chain. But logic suggested that the US government would not access everyone’s data and would target its law enforcement efforts to maximise its effectiveness against those engaged in unlawful activities.
The Snowden effect
Then, two years later, former NSA sysadmin Edward Snowden made his revelations. The use of surveillance powers was already fairly well known. But Snowden exposed access to and storage of data in bulk by the US National Security Agency, under its PRISM programme. NSA was using broad and long-lasting warrants obtained under the Foreign Intelligence Surveillance Act without the need to obtain individual warrants.
This led to international outrage, not just from customers, but from heads of state who were being snooped upon, including German Chancellor Angela Merkel. In an act of reconciliation, US President Barack Obama set up a committee to review the NSA’s powers with a view to making changes to the process and bolstering the Safe Harbour data protection regime. These changes, so far, have been largely window-dressing.
Store data local to customer
Conscious of the concerns the NSA was causing to its non-US customers, Microsoft said earlier this year – via its general counsel, Brad Smith – that it would allow customers to choose to store their data without having any copy stored in the US. In the present case, Microsoft – true to its word – was locating customer data close to the customer in its Dublin data centre.
The US government applied to get access to this data and the judge ruled in its favour and granted it a warrant. In general, most people are comfortable with the need to gain access to data for law enforcement purposes provided there are proper checks and balances in place. The issue that has caused consternation was the New York judge’s approach to geographical boundaries.
This time the legislation used was the Stored Communications Act. The US government applied for access to data Microsoft was holding in its Dublin data centre. Microsoft argued that the warrant did not have “extra-territorial power” – that is, the warrant should not apply outside the United States. If this argument had prevailed, it would leave the US government having to use other powers to get access to the data in Ireland.
One such mechanism is the Mutual Legal Assistance Treaties that exist between various nations which enable the collection and sharing of data to assist. This formal process recognises that sovereign nations control their jurisdictions but are willing to cooperate with other nations for law enforcement purposes. In fact, it appears the US and Irish governments signed a mutual legal assistance treaty in 2001, although it is still not in force.
With a direct approach via treaty seemingly not available to the US government, this would put more emphasis on the judge ruling in its favour. And that is exactly what the judge did. He did not question whether or not the treaty with Ireland was in force. Instead, the judge quoted a commentator, who had said: “This process generally remains slow and laborious, as it requires the cooperation of two governments and one of those governments may not prioritize the case as highly as the other.”
Therefore the judge granted the warrant, explaining: “If the territorial restrictions on conventional warrants applied to warrants issued [in this case], the burden on the Government would be substantial, and law enforcement efforts would be seriously impeded.”
There is clearly a point of policy at play. As the judge pointed out, a criminal could effectively “forum-shop” and hide his data in another jurisdiction to put it out of the reach of the US government. Dealing with sovereign governments would take too long and, if they did not cooperate, would leave the US government without access to the data. The easiest way to get access to data, therefore, will always be via the US cloud provider.
Microsoft in contempt?
But Microsoft has not given up. It has so far refused to hand over the data and has appealed the ruling. The court suspended the ruling pending this appeal but has since lifted the suspension. The US government has asked the court to find Microsoft in contempt of court if it continues to withhold the data. This could mean fines for Microsoft.
According to court documents released recently against another provider, the US government threatened to fine Yahoo $250,000 a day if it refused to hand over user data to NSA. Thus, at stake is the entire US cloud offering outside the US, with the German government reportedly stating that it won’t use data storage from US companies unless the ruling is overturned. Not surprisingly, other US companies, including AT&T, Apple and Verizon, have filed court briefs supporting Microsoft.
What does this teach us?
Well, it shows the US courts are generally supportive of US government attempts to get access to data held by US companies outside the country. The formal mutual legal assistance treaties are considered a cumbersome process which the American government would prefer to avoid where possible.
The EU data protection laws appear not to be able to prevent this type of access. US providers, mindful of the damage the US government is inflicting on their non-US business interests, are willing to fight to stop the release of the data.
New attempt to restrict access to data
Microsoft and others are supporting a new draft law, the Law Enforcement Access to Data Stored Abroad Act. This is aimed at ensuring the US government respects an individual’s privacy, global borders and those laborious treaties. We wait to see whether this law will be passed, but it certainly shows the debate continues over protection of privacy on the one hand and access to data on the other. Here's Microsoft's comment on LEADs.
What can a UK customer do?
A UK customer could take the view that the US government accessing its data is not a cause for concern. Alternatively, if a UK customer wants to make it harder for the US government to get access to its data, it must encrypt the data and remove every single US company from its IT cloud and data supply chains. Doing this, of course, will not prevent GCHQ from getting access to data held in the UK. As Snowden revealed, GCHQ has been sharing data with NSA via its Tempora programme.
There is an alternative: the Russian and German governments have recently invested in typewriters following the Snowden revelations, but I’m not sure that's really going to catch on. ®