Cloud Security, Network Security, Security Strategy, Plan, Budget

Microsoft and US government clash over Ireland-held cloud data

The Federal government and Microsoft are set to clash in a case that may settle some important issues over the jurisdiction of the cloud.  

The US asked for access to the emails of one individual linked to a narcotics investigation back in December 2013. Those emails were held on a server in Ireland, not the US, bringing to the fore a problem of jurisdiction which has long plagued politicians and regulators.

Microsoft refused to hand over the emails, saying that the US has no power to ask for that data, as it is held in another country and well outside of their jurisdiction. In April 2014, a federal judge ordered Microsoft to cough up those records to which Microsoft gave largely the same answer as before and was found in contempt of court. The case now sits in a US appeals court, awaiting a decision by a more senior judge.

The question of national jurisdiction when it comes to the internet has been the bugbear of many a politician. How does one impose national legislation on data or activities that by their nature can switch from one country to another in a second, or occur in multiple jurisdictions at once? 

It's a question that has been long waiting in the wings to be answered. 

The impact of this case has been made only more intense by the European Court of Justice's smackdown of the European Safe Harbour agreement, which had created a legal channel for the transfer of information between the US and Europe.

“I am not sure that the implications are as profound as they might appear to be,” said Dai Davis, a technology lawyer with extensive experience in cyber-related issues. 

Davis is sceptical about the broader legal significance of this case: “These proceedings are because the United States government asked for information in a certain way,” said Davis -- if they had asked for the information using other legislation, there would be no dispute.

So why go to Microsoft, instead of the Irish government? After all, the desired data is stored in Irish jurisdiction and such a lengthy controversial dispute could have been avoided by merely using the Mutual Legal Assistance Treaty meant to foster cooperation in law enforcement matters between the two countries.

The US government claims that considering Microsoft is a US-based company they need not use that treaty because Microsoft can get that requested information quite literally at the push of a button. The requested information is being asked for under the 1986 Stored Communications Act (SCA), which allows the government to compel companies to hand over any data they own in pursuit of an investigation. The fact that the data in question is in another country, does not seem to matter.

John Frank, deputy general counsel and VP of legal and corporate affairs at Microsoft, told trade press earlier this week, “These are the private communications of our customers. They're not ours. We don't have access to them. We don't want access to them.”

This could be a matter of principle for Microsoft, who has voluntarily put itself in contempt of court, claiming it is not compelled to deliver the requested information because it is not actually owned by the company, but being hosted by it.

“That's a very different position to saying that any data stored with a cloud provider is a business record of that cloud provider, that can then be turned over to the government. That is a very dangerous precedent,” Frank continued.

Microsoft appears to be saying that the 1986 Act would only apply if this data were owned by Microsoft within the US. The fact that it's not, says Microsoft and its supporters, raises questions about judicial sovereignty.

The global software firm also claims that if the US government were allowed to extract data from foreign territories for the purpose of law enforcement, other countries might be able to do the same. Other countries whose definition of law enforcement might extend to say, merely speaking out against the ruling party, would then use that legally extracted data to oppress its citizens.

Andrew Hewson, principal consultant at MTI, lauded Microsoft's rejection of the US government's request, saying that the danger of cooperation “could set a precedent for any government to demand access to information held in the cloud on the basis that e-mails from private individuals are company records”.

Hewson added: "The business implications for Microsoft, if they give in to the requests of the US government, could be costly as customers may feel that their data is no longer truly private. As a result, they could choose to move their business to a company that operates within countries without a data sharing agreement with the US." 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.