US government wants Microsoft 'Irish email' case reopened
Argues that users don't control where data resides, so Redmond should pretend its within reach of US law
The United States Department of Justice has asked the nation's Second Circuit Court of Appeals to re-open its three-year-old case attempt to have Microsoft hand over e-mails stored on servers in the Republic of Ireland.
At the same time, the Department has dropped more than a hint that Google's in the cross-hairs.
In July, Redmond seemed to have won the long-running battle over whether it had to comply with a US-issued warrant demanding the data.
Microsoft brought the issue to a head in 2014 in a moderately-unusual fashion: it put itself in contempt of court, complaining that the 1986 Stored Communications Act (SCA) shouldn't apply outside America's borders.
In that judgement, the court said “We conclude that § 2703 of the Stored Communications Act does not authorize courts to issue and enforce against US‐based service providers warrants for the seizure of customer e‐mail content that is stored exclusively on foreign servers”.
In September, assistant US attorney-general Leslie Caldwell said the DoJ was unhappy with that result.
In its new filing (PDF), the DoJ focuses not on where the data is stored, but who controls it. The filing calls the previous ruling “unprecedented” in finding that “Section 2703 does not authorise courts to issue and enforce warrants to US-based Internet service providers for the disclosure of customer email content that is stored on foreign servers but entirely within the control of the U.S.-based company”.
In picking over the previous judgement, US government lawyers say Microsoft's control over where data is stored is key here because the user has no choice about where their data resides.
The DoJ is also worried that if the July judgement stands, it'll be hamstrung in a world where cloud providers of the scale of Google shift data around the world constantly and automatically. Here's the Department's logic:
“Major US-based providers like Google and Yahoo! store a customer’s email content across an ever-changing mix of facilities around the world. To the extent content is stored abroad by the provider at the moment the warrant is served, the Opinion has now placed it beyond the reach of a Section 2703 warrant, even when the account owner resides in the United States and the crime under investigation is entirely domestic.”
Treaties don't help
If I were a Google lawyer, I'd be watching the appeal-against-the-appeal with concern, because the DoJ seems to have Mountain View marked on its map.
In its request to reopen the case, the DoJ says two characteristics of Google's operations are particularly worrying, if the July decision stands.
Only Google's US staff can recover e-mails if a warrant is served – but that data might be anywhere. That, the DoJ argues, means that Google has engineered itself beyond the reach of Mutual Legal Assistance Treaties requests or non-US law enforcement, making it effectively untouchable.
Its specific arguments against the previous decision are:
- The SCA protects privacy by regulating the disclosure of information, and in complying with the warrant, Microsoft would be disclosing information in the US. In other words, the DoJ is arguing that granting the warrant would not be an extraterritorial application of the law; and
- The lawmakers that crafted the SCA clearly intended to include exemptions to privacy protection in the case of criminal investigations.
Microsoft is sticking to its previous position, that while it would like to work with lawmakers to solve the problem, it told The Washington Post the 30-year-old SCA doesn't apply to e-mail stored offshore. ®