Microsoft Slams What It Calls a ‘Floppy Disk Law’ in a Cloud Computing Era
Can U.S. law enforcement obtain a probable cause-based warrant to seize emails stored outside the U.S. by a cloud services provider?
That’s the question the Supreme Court will hopefully answer next year. The high court agreed on Monday to hear an appeal in the long-fought case involving Microsoft and emails stored in Ireland related to a drug trafficking case.
Microsoft contends the government is inaccurately applying a 31-year-old law, the Stored Communications Act, which describes how prosecutors and law enforcement can obtain electronic communications. The act hasn’t kept up with the internet, let alone cloud computing advances, the company contends.
“The current laws were written for the era of the floppy disk, not the world of the cloud,” writes Brad Smith, Microsoft president and chief legal officer, in a blog post Monday.
In December 2013, a federal magistrate in the Southern District of New York issued a warrant that required Microsoft to turn over emails and metadata related to a drug case. That information was stored in Ireland, where the company has run a data center since 2010.
Microsoft contended that the government should go to Ireland for the data. As with many countries, the U.S. has a mutual legal assistance treaty with Ireland, which outlines protocols for exchanging law enforcement information.
But the government argued that Microsoft could easily access the emails from the U.S. given the nature of cloud computing.
Because the law is decades old, the Stored Communications Act doesn’t address data that is held outside the U.S. Microsoft has contended that its drafters never intended the act to be used for those purposes, even if the company could pull up the data within the U.S. with a few clicks of a mouse.
Microsoft’s motion to vacate the warrant was denied in 2014. But in a July 2016 appeal, the Second Circuit Court of Appeals agreed with the company.
The government sought a rehearing, but the same court in January came to the same conclusion in a 4-4 decision: the government can’t use a warrant to obtain emails stored outside the United States (see Microsoft Prevails in Case Involving Stored Emails).
Clash with GDPR
Microsoft has cited many reasons for resisting the warrant. Fundamentally, the company contends that the Stored Communications Act needs to be revised or rewritten to encompass technological advances.
And there’s continuing conflict on the horizon. When the Justice Department petitioned the Supreme Court in June, Smith wrote that such access to overseas data would conflict with the European Union’s General Data Protection Regulation, which will be enforced beginning next May.
Under GDPR, “it would be illegal for a company to bring customer data from Europe into the U.S. in response to a unilateral U.S. search warrant,” Smith writes.
The legal conflict isn’t theoretical, either, he writes. In Brazil, one of Microsoft’s local employees was criminally charged after the company refused to comply with a similar legal order that conflicted with U.S. law.
“Neither people nor companies should be put in a position where complying with the laws of one country puts them in conflict with another country under whose laws they must operate,” Smith writes.
Same Protections as Paper
In his latest blog post on Monday, Smith writes that data stored in the cloud should have the same protections as information stored on paper in a desk.
“If U.S. law enforcement can obtain the emails of foreigners stored outside the United States, what’s to stop the government of another country from getting your emails even though they are located in the United States?” Smith asks.
The Electronic Frontier Foundation, a digital rights group, has supported Microsoft throughout the litigation.
Lee Tien, a senior staff attorney with the foundation, says there are concerning issues around reciprocity in that the data in question “is not simply abroad – it is in another country. If a Russian cloud provider had a data center in the United States, we might care whether Russian law enforcement could get data stored here (which to Russia would be “abroad”) without going through any U.S. legal process,” Tien tells Information Security Media Group.