Microsoft legal eagle explains why the Irish Warrant Fight covers your back
Plus: Nuke all emails after 6 months
Interview Microsoft thinks its litigation against the US government to protect your data is far more important than the Schrems case. And that was pretty big. What’s it all about?
The so-called “Irish warrant” case challenges Uncle Sam in areas it isn’t used to feeling any discomfort – and it encompasses far more data. So let’s hear the architect of Microsoft’s legal strategy in the case, John Frank.
Microsoft had thought for some time that the US government was relying on legislation passed in the 1980s, and taking advantage of its antiquated nature, to make unreasonable demands on private data.
Without trust, Microsoft thinks, nobody is going to use any cloud services, and the Snowden revelations put the trustworthiness of all technology suppliers in the spotlight. So when a warrant arrived at Microsoft’s Dublin data centre one day in 2013, a not uncommon occurrence for a cloud host, Microsoft was ready to kick back.
What Microsoft has done is refuse to comply, putting itself voluntarily in contempt of court. At issue is a piece of legislation called the 1986 Stored Communications Act, and the software firm is challenging two key things about it. Firstly, that the act covers private data that happens to be stored on your behalf by a third party (in this case Microsoft). Microsoft argues that the personal data is not its own, much as a UGC hosted YouTube argues that it doesn’t own material that is “stored at users' direction”.
The Department of Justice, defending the US state’s position, argues that the SCA gives it access to any company’s records. In Brussels, this week, the DoJ’s Michael Olmsted (senior counsel for the EU and International Law Enforcement Matters division, at the US mission to the EU) said he thought it was hypocritical that the Irish government supported the warrant, when it admitted it had granted itself the legal right to pull company information from foreign servers.
“The Irish had to admit in their filing that they too had the ability to reach outside Ireland, they just don’t use it,” said Olsmted.
Frank replied that the DoJ missed the point. The data didn’t belong to Microsoft.
“These are the private communications of our customers. They’re not ours. We don’t have access to them. We don’t want access to them,” he told an audience this week. “That’s a very different position to saying that any data stored with a cloud provider is a business record of that cloud provider, that can then be turned over to the government. That is a very dangerous precedent.”
And an interview with The Register clarified that point further: “By design we tell customers it is yours, we’re not going to access your data.”
“We view the SCA as a very important shield but one that now has a big hole in it. We get demands all the time from governments that don’t embrace democratic principles asking for all kinds of information on their customers,” he explained on Monday.
Frank told The Register the US had a perfectly well established legal alternative to gatecrashing overseas servers with a warrant, and that was an MLAT (Mutual Legal Assistance Treaty).
“There is an MLAT with Ireland but the US government refuses to use it. I don’t have sympathy with them when they say [MLATS are] hard to use – they designed them.”
The SCA doesn’t explicitly specify that agencies have extra-territorial powers. Frank says that a legal doctrine set by the Supreme Court case Morrison v National Australia Bank (pdf) means that unless legislation is explicitly given extra territorial scope, it must be assumed not to have extra territorial scope.
In Brussels this week, the DoJ’s Olmsted argued that the US needed to keep things simple. What if the data agents needed was spread across different countries? What if they can’t identify what country it’s in?
Frank was, er, frank in dismissing this for us: “The facts are very simple and clear. The email content is in Ireland. All this handwringing is beside the point.”
Microsoft has tried to rally cloud providers and users behind a modernised bill – the LEADS Act, which has some 100 supporters in Congress and a growing number in the Senate. Frank says ultimately it’s citizens and their Governments who should be having the debate. “Democratically elected representatives and the people should ultimate negotiate what the rules should be. And it’s important that privacy interests have a seat t the table when those discussions take place.”
Not everyone is prominent in rallying behind Microsoft. It’s won support from activist groups (the EFF) and academics, and industry big dogs including Apple, Cisco and Hewlett Packard.
But Google is a prominent absentee. So much for solidarity between cloud giants, we mused.
“Where we disagree we still find values are shared,” Frank replied diplomatically.
Although there’s broad agreement that one part of the SCA needs to go, he points out.
“If you don’t download email after 180 days, the Government can get it without a warrant. In 1986 email was this thing that sat up in the server until you connected to it, and once you did, the email wasn’t on the server any more.”
Not really a cloud-era law, there. ®
Sponsored: Global DDoS threat landscape report