Somehow we went from mild interest in December when Microsoft challenged a search warrant over user data stored in Ireland to some kind of frenzy today when Chief US District Judge Loretta Preska ruled in the government’s favor. I know it doesn’t make good sound bites, but this is not a case of good versus evil and today’s ruling is not necessarily a Bad Thing. It might be, but it’s just too soon to tell. If Judge Preska’s decision survives the inevitable appeals, the most important thing will be the basis of her (and the appeal judges’) reasoning. Until then, let’s cut through the hyperbole to see what the case does and does not mean.
What it doesn’t mean
US law enforcement can access your data anywhere in the world
It doesn’t actually mean that the world’s servers are now fair game for the FBI. The e-mail account was created with the US company, Microsoft Corporation, and the records were stored in Ireland. This case applies to US-based companies, not to each and every internet provider in the world.
User data is completely unprotected and at the mercy of the FBI without any checks and balances.
We may all be a little punch-drunk from the seemingly endless revelations of NSA overreach in accessing user data, but this isn’t just another round in “NSA vs the World”. The data was sought under a search warrant. The government still had to meet probable cause in order to access it. The question is not whether the judiciary should be involved, but which judiciary applying whose laws.
Microsoft and the other companies in their corner are strong on defending foreign users’ rights.
When it comes to sharing user data with foreign governments, internet companies have large amounts of discretion (at least when it relates to non-content). As noted previously, there are very few checks and balances on this discretion, and different companies have quite different track records.
Tech companies are united in their objections to the government position.
Apple, Cisco, AT&T, and Verizon have voiced support for Microsoft’s position. Other big providers have been silent. This could be because they take a different approach to data storage and jurisdiction. Importantly, it shows that there is definitely not unanimity on how best to solve this issue.
What it does mean
The rest of the world is watching
Every law enforcement agency in the world is struggling with the question of how to stay one step ahead of criminals and no country really wants to have to go through the involved process of mutual legal assistance in time-sensitive cases if they can avoid it. This doesn’t mean that it will be a total free-for-all on user data; this decision would only apply to companies that are within that country’s borders. It may, however, encourage other countries to adopt more expansive legislation and policies.
There is potential for conflict of laws issues and questions of sovereignty
It is permissible for a country to have legislation with extraterritorial effects, but not to go into another country to enforce it. If this case ends up creating a principle that a search or seizure occurs at the time that a US company copies data from their server in a foreign country, then the US might be trying to exercise enforcement jurisdiction in another country. This is one of the few areas of international law on jurisdiction that’s pretty clear; it’s a no-no.
On the other hand, if the search or seizure doesn’t occur until the data is handed over to US authorities, you have a conflict of laws. This is because a user’s data could be affected by both the US law and the other country’s data protection laws.
This could have significant implications for cloud computing and remote data storage
There are definitely downsides to an approach that uses data location as the basis for jurisdiction. One of these is that it would mean that companies will make decisions about data location based on legal priorities rather than technical needs, which could compromise the speed and robustness of new products.
We’re going to have to wait for legal certainty
The Magistrate’s decision, the ensuing briefs from Microsoft and the government, and the various amicus briefs each focused on different legal issues. Is this essentially a fourth amendment case or a question of statutory interpretation of the Electronic Communications Privacy Act? This is actually a big deal and goes to the heart of issues such as where does an electronic search or seizure occur? To some extent, it is not the outcome of this case that really matters, but the reasoning upon which it is based.