Hand over overseas data, says US judge in totally unhelpful cloud privacy ruling

Stuart Lauchlan, April 27, 2014
Summary:
In what's believed to be the first – but definitely not the last – court ruling on the matter, a US judge reckons that cloud service providers have to hand over digital content to the US government even when that content is stored overseas. That'll help...

On a scale of one to ten of measures least likely to improve tensions between the US and the European Union (EU) over data privacy, US magistrate Judge James Francis just racked up a clear eleven.

In what's believed to be the first – but definitely not the last – court ruling on the matter, Francis ruled Friday that cloud service providers have to hand over digital content to the US government even when that content is stored overseas.

It's an ironic reversal of the usual state of affairs where EU politicians and officials have gotten agitated at how easily US government and security officials can demand access to data stored on US servers.

What Francis has now decided is that US service providers, such as Microsoft and Google, cannot refuse to hand over content stored on servers outside the US if there is a valid search warrant from US law enforcement.

In his ruling, Francis declares that the alternative to this would be that the US agencies would need to work with foreign governments to reach agreement on obtaining such data. This, he concludes, would never do.

“The burden on the government would be substantial, and law enforcement efforts would be seriously impeded.”

To which the most immediate response would seem to be: not if there's a good reason for asking for the information, surely?
But he's right in one sense.

In the current post-NSA revelations climate and with European commissioners foaming at the mouth to stand up to the US 'spying program', the appetite for trans-atlantic co-operation is decidedly lacking in certain quarters.

Irish eyes

What sparked the ruling was the issuing of a US search warrant on Microsoft for access to information about a customer whose emails are hosted on a server in Ireland.

To its credit, Microsoft took a stand and said that it believed the US government should not be able to search the content of email held overseas:

"A US prosecutor cannot obtain a US warrant to search someone's home located in another country, just as another country's prosecutor cannot obtain a court order in her home country to conduct a search in the United States. We think the same rules should apply in the online world, but the government disagrees."

In his ruling, Francis is arguing that while this may be true for 'real world' search warrants, the same principle does not hold true in the digital world. He's claiming that a search warrant for digital information is a "hybrid" order: obtained like a search warrant but executed like a subpoena for documents.


It's not clear which US agency is seeking the information in question, but the search warrant was approved by Judge Francis back in December. It demands access to the customer's name, the contents of all emails received and sent by the account, online session times and durations, and any credit card number or bank account used for payment.

Following Francis' ruling on Friday, Microsoft deputy general counsel David Howard promised that this was only:

“...the first step toward getting this issue in front of courts that have the authority to correct the government’s longstanding views on the application of search warrants to content stored digitally outside the United States.”

He added:

“While the law is complicated, the issue is straightforward. It’s generally accepted that a US search warrant in the physical world can only be used to obtain materials that are within the territory of the United States.

“A US prosecutor cannot obtain a US warrant to search someone’s home located in another country, just as another country’s prosecutor cannot obtain a court order in her home country to conduct a search in the United States. That’s why the US has entered into many bilateral agreements establishing specific procedures for obtaining evidence in another country. We think the same rules should apply in the online world, but the government disagrees.

“To be clear, we respect the critical role law enforcement plays in protecting all of us. We’re not trying to frustrate any government investigations, and we believe the government should be able to obtain evidence necessary to investigate a possible crime. We just believe the government should have to follow the processes it has established for obtaining physical evidence outside the United States.”

It's a sentiment that's going to play well in Brussels, where Microsoft has recently been playing nicely with the EU, insisting that non-US customers' data should not be searchable by US authorities and saying it would pledge to take a stand on the matter.

Recently Microsoft became the first US cloud provider to get a stamp of approval by the Article 29 Working Party, which represents the 28 national data protection agencies across the EU.

That body ruled that Microsoft’s enterprise cloud contracts meet the standard for privacy protection set forth in Europe’s data protection regulations, cutting the number of national authorizations required to allow the international transfer of data via Microsoft’s cloud.


In other words, customers can use Microsoft services to move data more freely through its cloud services from Europe to the rest of the world, while data stored on Microsoft servers will be deemed to be covered by EU law even if housed outside the EU.

Brad Smith, General Counsel and Executive Vice President of Legal and Corporate Affairs at Microsoft, noted:

“This is especially significant given that Europe’s Data Protection Directive sets such a high bar for privacy protection.

“Ultimately, customers will entrust their information to the cloud only if they have confidence that it will remain secure there. This week’s approval by the European data protection authorities is another important step in ensuring customers trust Microsoft’s cloud services. And this is just the beginning: there is more to come soon.”

Unfortunately what has come about only weeks later will likely ramp up tensions further between the US authorities and the rest of the world.

Verdict

Not helpful, not helpful at all.

Judge Francis's ruling is of course only the first step and there's plenty of opportunity to have this bad decision revoked.

But in the meantime, there will be many in the European Commission who are outwardly livid for public consumption and inwardly cheered at being handed another big stick with which to beat the drum of their own political agenda.

 
