International legal wrangling over information housed in an Irish datacentre is at the centre of a dispute involving Microsoft and the US prosecution service. American prosecutors want access to emails held on servers in Dublin as part of a drugs investigation.
The prosecutors have sought access to the files by issuing a search warrant in the US itself; Microsoft says the legalities for such action should originate and take place on Irish soil.
The case follows a ruling in the summer by a New York district judge that Microsoft must hand over customer data to the US Government even though it's held overseas.
Eviscerated personal privacy
America-based Microsoft has insisted that if this power were granted to the American law enforcement services, it could lead to a "global free-for-all" that eviscerates personal privacy.
The US statute at issue here is the Stored Communications Act, which was enacted in 1986 in the comparatively early days of access to the world wide web. The individual from Dublin in this case has not been identified.
As detailed on the Reuters news service, Microsoft's lawyer Joshua Rosenkranz has warned the 2nd US Circuit Court of Appeals in New York that upholding the warrant would open the door to other countries using their law enforcement powers to seize the emails of Americans held in the United States.
Tim Erlin, director of security and product management at Tripwire, says that it is tempting to think that data stored in the cloud “isn't really anywhere”, as he puts it. But, says Erlin, even the cloud is ultimately made up of bits on disk in some number of physical locations – in this case, Ireland.
Speaking to SCMagazineUK.com this week, Erlin said that the repercussions of any precedent set will be widespread. “Jurisdictional issues, definitions of custody and location, all impact a myriad of current and future legal decisions,” he said.
Reuters describes this case as a question of whether the warrant is an "extraterritorial" application of the law (which is what Microsoft contends it is), or whether the fact that US-based Microsoft employees can retrieve the data in question means that, in this case, the statute is actually being physically used and applied solely within the United States, as the government argues.
Balancing act: privacy-to-security
Gavin Reid, VP of threat intelligence at Lancope, says that this is an age-old problem, the balance between privacy and security. Speaking to SC this week, Reid offered up the “often butchered” Benjamin Franklin quote: “Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety.”
“While not being strictly about personal privacy, this misses the point that there is an inflection where a small amount of privacy lost for a huge gain in safety is worth it. We depend on our governments to ride this balance carefully – and the press to tell us when they don't,” said Reid.
Richard Anstey, CTO for EMEA at Intralinks, categorises this as a very significant test case on the importance of data's physical location, striking at the very heart of important questions around data privacy.
“The result will have far-reaching implications for cloud providers and, indeed, any companies storing data in the cloud – which today is almost every company in the world, whether they're aware of it or not. From a cloud provider's standpoint, however, customer requirements are always top of mind, and Microsoft is well within its rights to take a firm stance here given that current data privacy regulations are very much built for a paper age, and must be more fundamentally re-thought for the age of fast networks and cloud services,” he said.
Anstey pointed to the thorny issue of data location and said it raises the question of whether, in the cloud age, we should classify data based on its physical location at all, or whether we should consider other options, such as where the point of control of encryption resides – also known as the “logical” location.
“The physical location of data is important because it is often used to help define the wider privacy problem. For some companies, keeping data on-premise, or in-country, gives data owners peace of mind. However, the technological reality is that control over decryption keys is what dictates who can see and use the information, not where it is stored. Over time, the ‘logical’ location of the data actually becomes more significant, as opposed to the notional physical location of an encrypted file,” he said.
Further opinion was voiced by Bryan Lillie, chief technical officer for cyber security at QinetiQ. Lillie says that the general position should not be too difficult: people should have a clear right to privacy and the government should never be able to view private information on a whim – just as police can't poke around your house any time they like.
“However, if there is a genuine suspicion that a serious crime is planned or has been committed then there should be a process to allow the appropriate people to access that information,” he added.
Lillie clarified further: “The UK has a quite clear and reasonable position: if a government wants to access private data it must show it has a good reason for its suspicions, and have substantive evidence that the data obtained will be valuable to the case. Under the Regulation of Investigatory Powers Act 2000 (RIPA), in order to gain access to the actual content of a communication, for example the text of an email, a warrant issued by the Secretary of State is generally required.”
The tricky bit is deciding in what precise circumstances data can be handed over, he said: “Situations are different so there is no universal rule – it comes down to the individual evidence of the case and is therefore a decision for an independent judiciary, which has heard the evidence, understands the law and is versed in balancing these competing interests fairly.”