Register for Semperis' Hybrid Identity Protection (HIP) Conference - June 30 - July 1 Register for Semperis' Hybrid Identity Protection (HIP) Conference - June 30 - July 1
Microsoft Azure

US Judge rules against Microsoft in email privacy case

In a long running and public battle, a ruling from US district judge Loretta Preska has potentially driven a stake through the heart of American-owned cloud computing when she ruled that Microsoft must turn over emails stored in an Irish data center to the US Federal Bureau of Investigation (FBI). This is more than just a Microsoft email privacy case; this was a test case that will determine what will happen to the US cloud industry and cloud computing as a whole.

The Microsoft Email Privacy Case: Fears about Cloud Computing

There has been much debate about privacy versus cloud computing since this deployment model first started to make waves in 2007. Most people in the USA probably never heard anything about it; that’s because the rest of the world was concerned about aggressive US government agencies that have been known to abuse laws to advance their goals (institutional or personal), and perhaps abuse their legislative powers to commit corporate sabotage or spying. The revelations of Edward Snowden did not help.

Judge rules against Microsoft in email privacy case

Has the Loretta Preska decision in the Microsoft email privacy case
threatened future cloud growth? (Image: Dreamstime)

The primary fear was that US government agencies would use laws to force US-owned hosting companies to turn over personal or private information. This is where I’ve witnessed an Amazon evangelist claim that their solution was to place data centers around the world. US laws do not care about international boundaries; if Amazon, Google, Microsoft, or Honest Boston Bob’s Hosting is storing customer data in Dublin, Amsterdam, Tokyo, or Rio de Janeiro, once a US government agency issues a warrant for that data, that data must be turned over.

I worked in the hosting/cloud business and participated in many a debate about US laws being abused. At one time it seemed like a theoretical exercise. In the end,  four attitudes emerged:

  1. There were those who used the “I have nothing to fear because I am doing nothing wrong” defense, but that’s a naïve argument. The world is a dirty place, and businesses have secrets to keep. Ever since states were invented, those states have use their agencies to commit corporate espionage to further the interests of their local friends and political sponsors. For American readers who think otherwise, have a look at the lengths that the IRS has gone to in order to hide what they have done to attack the political opposition. Any IT administrator must have guffawed at the testimony that was given in excuse of lack of cooperation.
  2. There were those who said “it’s all theory and it will never happen” line. The recent headlines in the tech news prove that we are no longer arguing about hypotheticals.
  3. Many just did not care; they saw the cost and businesses advantages of US-owned cloud services such as Office 365 and climbed on board.
  4. And then there were those who said that they could never trust a US-owned cloud. American readers might not understand this. To give you a similar perspective, would you consider storing your corporate or personal information in an American-located data center that is owned by the Chinese government? Note that certain nations have banned the purchase of computers made by some Chinese companies that have a close relationship with the Chinese government/military.

The Ruling: Microsoft ordered to release customer emails located in Irish datacenter

Back in April, the BBC reported that that a “judge in the US has ordered Microsoft to hand over a customer’s emails, even though the data is held in Ireland”. The article claimed that the US government sought to retrieve account, payment, and emails of a public person from a mailbox that was stored in Microsoft’s data centers that are located in Dublin, Ireland, a member state of the European Union that is subject to the privacy laws enacted under the Data Protection Directive.

Microsoft appealed the decision. Microsoft’s Brad Smith (general counsel and executive vice president, Legal and Corporate Affairs) took to the Internet and spoke often and widely about how Microsoft would take every legal step to prevent this intrusion of privacy. Recently he wrote an opinion article for the Wall Street Journal where he said:

… in our view, that the U.S. government can obtain emails only subject to the fulllegal protections of the Constitution’s Fourth Amendment. It means, in this case, that the U.S. government must have a warrant. But under well-established case law, a search warrant cannot reach beyond U.S. shores.

The government seeks to sidestep these rules, asserting that emails you store in the cloud cease to belong exclusively to you. It court filings, it argues that your emails become the business records of a cloud provider. Because business records have a lower level of legal protection, the government claims that it can use its broader authority to reach emails stored anywhere in the world.

Smith promised to fight the US government through every legal avenue available to them. Google, Amazon, Apple, and many others involved in American-owned cloud computing openly supported Microsoft in this battle.

The case went before Judge Lorreta Preska of the US Southern District of New York on July 31st 2014, and the George W. Bush appointee sided with the US government against Microsoft and against the privacy laws of Ireland.

Ah yes! There’s a catch!

European Law versus International Cooperation

As I stated earlier, I used to work in the hosting business. I have seen how Irish law enforcement will use legal mechanisms to legitimately “raid” a hosted customer. And there is a long history of Irish and other European law agencies cooperating with the FBI to perform international raids and “sting” operations. We regularly hear of stories where orchestrated raids shut down botnets or rings that distribute illicit materials.

So I’ve been wonder why the US government didn’t use these well-established avenues of communication and cooperation to reach out to Irish authorities to perform a legitimate retrieval of data in Dublin in the first place? Was this a case of legislative muscle flexing? That would be a rather stupid decision, not that government isn’t immune to storms of brain farts. Or was this a less than legitimate raid? Was this the sort of thing that Irish laws, which protect privacy, would have prevented?

Rather interestingly, the Irish Independent (an Irish newspaper) reported that the US government’s demands of Microsoft contravened Irish laws. The (now former) justice minister of Ireland submitted an affidavit to the court:

In a strongly worded affidavit in support of the technology company … the disclosure of data is only lawful if it is signed off by a judge in Ireland.

Despite this, Justice Preska ruled that:

… information could be produced by Microsoft in the United States without intruding on the foreign sovereignty of Ireland.

Huh! I’m no genius but even I can see that this ruling defies simple logic.

The Long Term Effects of this Case

This ruling by Justice Presk seems to ignore international law and may kill the business opportunities of US-owned cloud companies outside of the 50 states. IT is moving to the cloud, with or without the USA. Based on the stock values this morning (August 1st, 2014), it appears that Wall Street isn’t feeling to confident in US involvement in this new epoch of IT, thanks to the Justice Presk ruling.

US cloud providers saw their stock values fall
Stock values of prominent US cloud companies [Source: Yahoo, August 1st 2014]

Stock values of prominent US cloud companies [Source: Yahoo, August 1st 2014]

Already we are seeing large economies such as Germany cancelling contracts with US companies over the actions of the US government against their allies.

Microsoft has already lodged an appeal against this ruling that sabotages American-owned service providers. They do not need to turn over the mailbox and data until the case has a final decision. I would expect companies like Microsoft, Apple, Google, Amazon, HP, Dell, and more to all use their ample bank accounts to influence the mid-term elections in the USA, but we all know that the US Congress is where common sense goes to die.

So for the tech piece of this article I would say, if you are a European/Asian/wherever consultant or engineer working or hoping to work in a hosting company then this might be a great time to learn Hyper-V, Windows Azure Pack, and System Center for deploying an alternative to Azure outside of US legislative reach.

Related Topics:

BECOME A PETRI MEMBER:

Don't have a login but want to join the conversation? Sign up for a Petri Account

Register
Comments (17)

17 responses to “US Judge rules against Microsoft in email privacy case”

  1. Shane

    Should I fake surprise. On one hand we have a government with little concern for laws and processes in other countries (the US), and a provider with a colourful history in deceitful business practices (Microsoft). Cloud is great, but when your "stuff" is on a system elsewhere in the world you really cant assume you have control of it. I remember some time ago (12-24 months) we had a small cloud hosting provider here in Australia whose systems were wrapped up in legal possession. Those with hosted systems not associated with the company at the centre of the legal action are still waiting for access to their systems.
    • mao

      It's funny how this is never mentioned in webinars which create the hype to make people desire the cloud because everybody else "embracing" it. Just like government: can't let a good crisis go to waste, vendors can't let a money boom go to waste. So they create the "problem," techies generate the "reaction," and then the vendors provide the "solution." PS: have you have tried to catch water vapor? All you're left with is a clammy hand and no real water. The cloud won't be much different.
  2. Shane

    Should I fake surprise. On one hand we have a government with little concern for laws and processes in other countries (the US), and a provider with a colourful history in deceitful business practices (Microsoft). Cloud is great, but when your "stuff" is on a system elsewhere in the world you really cant assume you have control of it. I remember some time ago (12-24 months) we had a small cloud hosting provider here in Australia whose systems were wrapped up in legal possession. Those with hosted systems not associated with the company at the centre of the legal action are still waiting for access to their systems.
    • mao

      It's funny how this is never mentioned in webinars which create the hype to make people desire the cloud because everybody else "embracing" it. Just like government: can't let a good crisis go to waste, vendors can't let a money boom go to waste. So they create the "problem," techies generate the "reaction," and then the vendors provide the "solution." PS: have you have tried to catch water vapor? All you're left with is a clammy hand and no real water. The cloud won't be much different.
  3. daMystery1

    At first I could see a rationale against the Judges decision but the more I think about it ,she may have a point. It goes something like this: Microsoft is asked to produce data- It replies: we cannot supply it BECAUSE WE HAVE IT IN ANOTHER COUNTRY. Perhaps that is correct, and they do. BUT, THEY ARE STILL ABLE TO READILLY ACCESS IT FROM THE USA. On that basis, just imagine if the IRS asked a citizen for their tax records and they replied that they could not supply because their records were held in another country. Surely, In such a scenario that would not negate the onus to supply the information. If USA laws provide for citizens data to be supplied on request or demand, that data would need to be supplied and would not be negated just because IT HAD BEEN HIDDEN ?? If Microsofts case is taken to the extreme, what about a citizen who is found to have subscribed to an illegal Porn site from his home computer and the Porn websites servers are in another country - which they probably are. Does that mean that he is beyond the reach of the law because the actual images are on a foreign server..... I think not. I suspect it is all about what can be accessed and from where.....One is personally deemed to have whatever is made available to them from wherever they can access from ??.
    • 3 Left

      I can access my money in a foreign bank via the Internet from the USA. Do we now want the government to have access to our money from that bank simply because we can access it from the internet. I think not. I understand the US Law trumps International Law. But it should not supersede Irish Law. ..... There is a difference between a person supplying documents, regardless of their location, and the government retrieving those same documents without my permission simply because they're located on a computer that's owned by a business that's renting space for private or commercial use.
    • Aidan Finn

      Here is where your analogy does not fit. If I move my tax records to another country, they are still MY tax records. However, the email in question does not belong to Microsoft. And anyway, if the fed in question bothered to fill in a form and/or make a phone call to Garda HQ in Dublin, I'm pretty sure a warrant would have been issued here within a day or two ... assuming that the need was justified.
  4. daMystery1

    At first I could see a rationale against the Judges decision but the more I think about it ,she may have a point. It goes something like this: Microsoft is asked to produce data- It replies: we cannot supply it BECAUSE WE HAVE IT IN ANOTHER COUNTRY. Perhaps that is correct, and they do. BUT, THEY ARE STILL ABLE TO READILLY ACCESS IT FROM THE USA. On that basis, just imagine if the IRS asked a citizen for their tax records and they replied that they could not supply because their records were held in another country. Surely, In such a scenario that would not negate the onus to supply the information. If USA laws provide for citizens data to be supplied on request or demand, that data would need to be supplied and would not be negated just because IT HAD BEEN HIDDEN ?? If Microsofts case is taken to the extreme, what about a citizen who is found to have subscribed to an illegal Porn site from his home computer and the Porn websites servers are in another country - which they probably are. Does that mean that he is beyond the reach of the law because the actual images that he accesses and views, are on a foreign server..... I think not. I suspect it is all about what can be accessed and from where.....One is personally deemed to have whatever is made available to them from wherever they can access from ??.
    • 3 Left

      I can access my money in a foreign bank via the Internet from the USA. Do we now want the government to have access to our money from that bank simply because we can access it from the internet. I think not. I understand the US Law trumps International Law. But it should not supersede Irish Law. ..... There is a difference between a person supplying documents, regardless of their location, and the government retrieving those same documents without my permission simply because they're located on a computer that's owned by a business that's renting space for private or commercial use.
    • Aidan Finn

      Here is where your analogy does not fit. If I move my tax records to another country, they are still MY tax records. However, the email in question does not belong to Microsoft. And anyway, if the fed in question bothered to fill in a form and/or make a phone call to Garda HQ in Dublin, I'm pretty sure a warrant would have been issued here within a day or two ... assuming that the need was justified.
  5. Hank Shank

    THIS is why we have been warning people against "cloud" computing for so long. You'd have to be incredibly foolish, as a citizen of a different country, to entrust your data to US providers. Hopefully, this is the end of the "cloud".
  6. Hank Shank

    THIS is why we have been warning people against "cloud" computing for so long. You'd have to be incredibly foolish, as a citizen of a different country, to entrust your data to US providers. Hopefully, this is the end of the "cloud".
  7. Tips for Choosing a Microsoft Azure Region | Windows Tips and Tricks

    […] and many other American-owned corporations, they are subject the US laws. And unfortunately, the USA believes their laws apply to everyone else. That means the US government can force Microsoft and all the other American-owned hosts to hand […]
  8. Tips for Choosing a Microsoft Azure Region | Windows Vista Info

    […] and many other American-owned corporations, they are subject the US laws. And unfortunately, the USA believes their laws apply to everyone else. That means the US government can force Microsoft and all the other American-owned hosts to hand […]
  9. Tips for Choosing a Microsoft Azure Region | Those Computer People

    […] and many other American-owned corporations, they are subject the US laws. And unfortunately, the USA believes their laws apply to everyone else. That means the US government can force Microsoft and all the other American-owned hosts to hand […]

Leave a Reply

Aidan Finn, Microsoft Most Valuable Professional (MVP), has been working in IT since 1996. He has worked as a consultant and administrator for the likes of Innofactor Norway, Amdahl DMR, Fujitsu, Barclays and Hypo Real Estate Bank International where he dealt with large and complex IT infrastructures and MicroWarehouse Ltd. where he worked with Microsoft partners in the small/medium business space.

Register for the Hybrid Identity Protection (HIP) Europe Conference!

Hybrid Identity Protection (HIP) Europe 2021 - Virtual Conference

Mobile workforces, cloud applications, and digitalization are changing every aspect of the modern enterprise. And with radical transformation come new business risks. Hybrid Identity Protection (HIP) is the premier educational forum for identity-centric practitioners. At the inaugural HIP Europe, join your local IAM experts and Microsoft MVPs to learn all the latest from the Hybrid Identity world.