US Judge rules against Microsoft in email privacy case
In a long-running and public battle, a ruling from US district judge Loretta Preska has potentially driven a stake through the heart of American-owned cloud computing when she ruled that Microsoft must turn over emails stored in an Irish data center to the US Federal Bureau of Investigation (FBI). This is more than just a Microsoft email privacy case; this was a test case that will determine what will happen to the US cloud industry and cloud computing as a whole.
The Microsoft Email Privacy Case: Fears about Cloud Computing
There has been much debate about privacy versus cloud computing since this deployment model first started to make waves in 2007. Most people in the USA probably never heard anything about it; that’s because the rest of the world was concerned about aggressive US government agencies that have been known to abuse laws to advance their goals (institutional or personal), and perhaps abuse their legislative powers to commit corporate sabotage or spying. The revelations of Edward Snowden did not help.
Has the Loretta Preska decision in the Microsoft email privacy case threatened future cloud growth? (Image: Dreamstime)
The primary fear was that US government agencies would use laws to force US-owned hosting companies to turn over personal or private information. This is where I’ve witnessed an Amazon evangelist claim that their solution was to place data centers around the world. US laws do not care about international boundaries; if Amazon, Google, Microsoft, or Honest Boston Bob’s Hosting is storing customer data in Dublin, Amsterdam, Tokyo, or Rio de Janeiro, once a US government agency issues a warrant for that data, that data must be turned over.
I worked in the hosting/cloud business and participated in many a debate about US laws being abused. At one time it seemed like a theoretical exercise. In the end, four attitudes emerged:
- There were those who used the “I have nothing to fear because I am doing nothing wrong” defense, but that’s a naïve argument. The world is a dirty place, and businesses have secrets to keep. Ever since states were invented, those states have used their agencies to commit corporate espionage to further the interests of their local friends and political sponsors. For American readers who think otherwise, have a look at the lengths that the IRS has gone to in order to hide what they have done to attack the political opposition. Any IT administrator must have guffawed at the testimony that was given in excuse of lack of cooperation.
- There were those who took the “it’s all theory and it will never happen” line. The recent headlines in the tech news prove that we are no longer arguing about hypotheticals.
- Many just did not care; they saw the cost and business advantages of US-owned cloud services such as Office 365 and climbed on board.
- And then there were those who said that they could never trust a US-owned cloud. American readers might not understand this. To give you a similar perspective, would you consider storing your corporate or personal information in an American-located data center that is owned by the Chinese government? Note that certain nations have banned the purchase of computers made by some Chinese companies that have a close relationship with the Chinese government/military.
The Ruling: Microsoft ordered to release customer emails located in Irish datacenter
Back in April, the BBC reported that a “judge in the US has ordered Microsoft to hand over a customer’s emails, even though the data is held in Ireland”. The article claimed that the US government sought to retrieve account, payment, and emails of a public person from a mailbox that was stored in Microsoft’s data centers that are located in Dublin, Ireland, a member state of the European Union that is subject to the privacy laws enacted under the Data Protection Directive.
Microsoft appealed the decision. Microsoft’s Brad Smith (general counsel and executive vice president, Legal and Corporate Affairs) took to the Internet and spoke often and widely about how Microsoft would take every legal step to prevent this intrusion of privacy. Recently he wrote an opinion article for the Wall Street Journal where he said:
… in our view, that the U.S. government can obtain emails only subject to the full legal protections of the Constitution’s Fourth Amendment. It means, in this case, that the U.S. government must have a warrant. But under well-established case law, a search warrant cannot reach beyond U.S. shores.
The government seeks to sidestep these rules, asserting that emails you store in the cloud cease to belong exclusively to you. In court filings, it argues that your emails become the business records of a cloud provider. Because business records have a lower level of legal protection, the government claims that it can use its broader authority to reach emails stored anywhere in the world.
Smith promised to fight the US government through every legal avenue available to them. Google, Amazon, Apple, and many others involved in American-owned cloud computing openly supported Microsoft in this battle.
The case went before Judge Loretta Preska of the US Southern District of New York on July 31st 2014, and the George W. Bush appointee sided with the US government against Microsoft and against the privacy laws of Ireland.
Ah yes! There’s a catch!
European Law versus International Cooperation
As I stated earlier, I used to work in the hosting business. I have seen how Irish law enforcement will use legal mechanisms to legitimately “raid” a hosted customer. And there is a long history of Irish and other European law agencies cooperating with the FBI to perform international raids and “sting” operations. We regularly hear of stories where orchestrated raids shut down botnets or rings that distribute illicit materials.
So I’ve been wondering why the US government didn’t use these well-established avenues of communication and cooperation to reach out to Irish authorities to perform a legitimate retrieval of data in Dublin in the first place. Was this a case of legislative muscle flexing? That would be a rather stupid decision, not that government is immune to storms of brain farts. Or was this a less than legitimate raid? Was this the sort of thing that Irish laws, which protect privacy, would have prevented?
Rather interestingly, the Irish Independent (an Irish newspaper) reported that the US government’s demands of Microsoft contravened Irish laws. The (now former) justice minister of Ireland submitted an affidavit to the court:
In a strongly worded affidavit in support of the technology company … the disclosure of data is only lawful if it is signed off by a judge in Ireland.
Despite this, Justice Preska ruled that:
… information could be produced by Microsoft in the United States without intruding on the foreign sovereignty of Ireland.
Huh! I’m no genius but even I can see that this ruling defies simple logic.
The Long Term Effects of this Case
This ruling by Justice Preska seems to ignore international law and may kill the business opportunities of US-owned cloud companies outside of the 50 states. IT is moving to the cloud, with or without the USA. Based on the stock values this morning (August 1st, 2014), it appears that Wall Street isn’t feeling too confident in US involvement in this new epoch of IT, thanks to the Justice Preska ruling.
Stock values of prominent US cloud companies [Source: Yahoo, August 1st 2014]
Already we are seeing large economies such as Germany cancelling contracts with US companies over the actions of the US government against their allies.
Microsoft has already lodged an appeal against this ruling that sabotages American-owned service providers. They do not need to turn over the mailbox and data until the case has a final decision. I would expect companies like Microsoft, Apple, Google, Amazon, HP, Dell, and more to all use their ample bank accounts to influence the mid-term elections in the USA, but we all know that the US Congress is where common sense goes to die.
So for the tech piece of this article I would say, if you are a European/Asian/wherever consultant or engineer working or hoping to work in a hosting company, then this might be a great time to learn Hyper-V, Windows Azure Pack, and System Center for deploying an alternative to Azure outside of US legislative reach.