from the it-ain't-over-till-the-fat-lady-sings dept.
Microsoft Corp. gets a second chance to prove it's entitled to keep data stored overseas out of the hands of U.S. investigators when its lawyers appear before a federal appeals court Wednesday, but the computer software giant is already hedging its bets, calling on Congress to clarify the law. The 2nd U.S. Circuit Court of Appeals will hear Microsoft's challenge to a July 2014 lower court ruling concluding that a court or law enforcement agency in the United States is empowered to order a person or entity to produce materials, even if the information is housed outside the country.
The Redmond, Washington-based company hopes the appeals court will overturn the decision upholding the U.S. government's right to search a consumer email account that Microsoft stores in Dublin, Ireland. The government wants to search the account as part of a narcotics investigation.
A warrant for the information was issued in December 2013, saying there was probable cause to believe the account in a facility opened in 2010 was being used to further narcotics trafficking. Microsoft turned over the customer's address book, which was stored in the United States.
In court papers, Microsoft calls on Congress to "grapple with the question whether, and when, law enforcement should be able to compel providers like Microsoft to help it seize customer emails stored in foreign countries."
"Only Congress has the institutional competence and constitutional authority to balance law enforcement needs against our nation's sovereignty, the privacy of its citizens and the competitiveness of its industry," it said.
But Manhattan federal prosecutors said in court filings that "powerful government interests" override potential negative effects on Microsoft's business or any other company seeking to profit on the storage of information overseas. "The fact remains that there exists probable cause to believe that evidence of a violation of U.S. criminal law, affecting U.S. residents and implicating U.S. interests, is present in records under Microsoft's control," they wrote. "With the benefits of corporate citizenship in the United States come corresponding responsibilities, including the responsibility to comply with a disclosure order issued by a U.S. court. Microsoft should not be heard to complain that doing so might harm its bottom line."
Prosecutors noted Microsoft still controls the foreign-based data and U.S.-based employees can retrieve it. They said Microsoft customers also have no right under the company's terms of service to demand that data be stored at any particular data center.
In a filing in the appeal, the government of Ireland noted that the Irish Supreme Court has ruled that Irish courts have the power to order production of documents by an Irish registered company by one of its branches situated in a foreign country. It said Irish taxation authorities also can force Irish banks to produce records of accounts held by customers wherever the information is located.
"Ireland continues to facilitate cooperation with other states, including the United States, in the fight against crime and would be pleased to consider, as expeditiously as possible, a request under the treaty, should one be made," it said.
In another appeals submission, 29 major U.S. and foreign news and trade organizations asked the court to reverse the lower court, saying journalists and publishers worldwide rely on email and cloud-storage services provided by Microsoft and others to gather, store and review documents protected by the First Amendment.
"Even if the subscriber today is not a reporter—although we do not know for sure—the next subscriber may be," the court papers said.
(Score: 0) by Anonymous Coward on Tuesday September 08 2015, @12:34AM
Do what Obama says or else you gets the drones again.
(Score: 2) by davester666 on Tuesday September 08 2015, @05:09AM
I completely agree. If a Republican were the president now, this case would never have happened.
(Score: 3, Interesting) by drussell on Tuesday September 08 2015, @01:08AM
I guess it's not just Microsoft's customers but Microsoft itself which should obviously actively look for other places to move most or all of their active business to.
The rest of the world is only going to put up this these kind of shenanigans for so long before someone, somewhere, revolts. If this were 50+ years ago, I would have expected that it would be the U.S. population that would be at the forefront but lately I don't seem to see much interest from "the masses" in even attempting to fix any of the aspects of what seems to be a horribly, horribly broken system in so many, many regards... But, I digress....
(Score: 0) by Anonymous Coward on Tuesday September 08 2015, @01:13AM
The masses rarely do much of anything until the last minute.
(Score: 2) by frojack on Tuesday September 08 2015, @01:18AM
Did you miss this sentence:
In a filing in the appeal, the government of Ireland noted that the Irish Supreme Court has ruled that Irish courts have the power to order production of documents by an Irish registered company by one of its branches situated in a foreign country.
Its not just the US that is screwed up.
No, you are mistaken. I've always had this sig.
(Score: 2) by Nerdfest on Tuesday September 08 2015, @10:27AM
I get the feeling (somewhat unfounded) that this whole case is just for show, to give people the impression that Microsoft is protecting their data. It has a very cozy relationship with the US government and quite likely gives them information without even a warrant frequently. Even the public interactions are pretty indicative. They handed the FBI the data they wanted 45 minutes after being asked after the Charlie Hebdo attack. There was almost certainly no warrant.
(Score: 0) by Anonymous Coward on Wednesday September 09 2015, @05:04PM
I guess it's not just Microsoft's customers but Microsoft itself which should obviously actively look for other places to move most or all of their active business to.
That would be nice, as it would pave the way for a replacement to Microsoft to enter the U.S. market.
Or Microsoft could as a corporation headquartered in the United States just, you know, host their servers in the United States....
(Score: 3, Interesting) by frojack on Tuesday September 08 2015, @01:15AM
If any random court in the US an demand data stored overseas (even when in-country storage is mandated by the host country) then, logically, any data stored in the US is also subject to the demands of any foreign court. Microsoft is a corporation in MANY countries.
Since Ireland is willing to entertain the data request through treaty channels, this is simply another dangerous and unnecessary power grab.
How is it possible that each country on earth can extend the reach of their laws to every other country? How could something so obviously unworkable be contemplated by educated judges?
No, you are mistaken. I've always had this sig.
(Score: 0) by Anonymous Coward on Tuesday September 08 2015, @01:20AM
Educated judges can be corrupt and authoritarian. Being educated doesn't make you a good person or a defender of freedom.
(Score: 2) by romlok on Tuesday September 08 2015, @11:01AM
Simple: they don't. The general rule is: "if you operate in our country, you play by our laws". So for the multinational corporations in question, they can either play by a country's rules, or get out of that country.
If two countries' laws conflict, a multinational must make a choice between leaving one of those markets entirely, or knowingly and willfully breaking the law in one or both countries.
The judges and law-makers are well within logic and reason to take the tacks they have.
The unreasonably unworkable strategy is the one taken by the corporations; who want to operate in all countries of the world, but obey none of the laws in any.
One solution would be to deprecate true multinational corporations, and have completely separate companies (rather than subsidiaries) for each incompatable legal system.
(Score: 0) by Anonymous Coward on Tuesday September 08 2015, @02:04PM
So for the multinational corporations in question, they can either play by a country's rules, or get out of that country.
Which puts all of our privacy in danger, especially when you take into account countries that are extremely hostile to it.
The judges and law-makers are well within logic and reason to take the tacks they have.
Because for them, this is about power. Indeed, they are acting like evil scumbags, but they aren't acting irrationally.
(Score: 2) by frojack on Tuesday September 08 2015, @06:41PM
The unreasonably unworkable strategy is the one taken by the corporations; who want to operate in all countries of the world, but obey none of the laws in any.
In your rush to spew hate for corporations you tip your hand, overstate your case, and destroy your own argument.
In the present case, Microsoft (for once) is trying to protect user confidentiality, and adhere to Irish and EU laws for data stored in an Irish datacenter.
Following your recommendations, when some tin horn judge in the US orders Microsoft to violate EU law, Microsoft should immediately shutter its entire operations everywhere in the EU, sell off it's data centers, and call it a day. You sir, are an Idiot.
No, you are mistaken. I've always had this sig.
(Score: 2) by romlok on Thursday September 10 2015, @08:36AM
No, I don't think the use of a little hyperbole is enough to destroy an argument. Isn't arguing such itself a logical fallacy?
They're only "trying to protect user confidentiality" as a side-effect of trying to keep their business (and tax breaks) in the EU. If such privacy laws didn't exist, I'm pretty sure Microsoft wouldn't give two shovels about where the data was geographically held.
If it becomes impossible for Microsoft to simultaneously obey both US and EU laws, which is a possible outcome if the Supreme Court decides against Microsoft, what do you suggest they do to resolve the situation? I see three logical possibilities:
1. Microsoft gets laws changed in their favour;
2. Microsoft knowingly and willingly break the laws of one or more nations, and face the penalties;
3. Microsoft split out entirely separate companies per incompatible legal jurisdiction.
In the case of 1, I don't personally like seeing corporations influence governments to the extent that laws get changed in favour of their profits.
In the case of 2, penalties can include anything from fines (the EU has previously fined Microsoft millions of dollars - per day - for non-compliance) up to shutting the business down. Neither are good for business.
In the case of 3, many huge corporations will be more limited in size and power, there will be more companies, and thus more competition in more regions, and customers will be able to explicitly know and choose the legal jurisdiction for the services they use. What's not to like (unless you're a multinational corporation)?
(Score: 2) by etherscythe on Tuesday September 08 2015, @06:15PM
I think this may ultimately end up putting businesses in the position of deniability as Standard Operating Procedure.
Let's take Microsoft as our current example. Say the DOJ or equivalent from any country Microsoft has an office in, decides they want to decrypt your BitLocker'd notebook they have seized at a border crossing. Microsoft does not officially have that password - however, their OneDrive backup may have recorded a hash or some other derivative that is easily brute-forced if you have terrible password-selection (I assume they are anticipating this case and have backdoor-like mechanisms of one sort or another in place). Now Microsoft has a choice, depending on how friendly they are feeling towards said prosecution team or the government thereof. They can either cooperate by sharing the secret sauce and most likely break the security mechanism, or say "sorry we don't have that information." If they've played their cards right, there can be no argument about it.
This is the only way I can see multinational corporations handling having essentially two bosses that are giving contradictory orders - pick the one(s) you like (if any) and cooperate only with them, making sure that they can reasonably say "no" as they move forward.
"Fake News: anything reported outside of my own personally chosen echo chamber"
(Score: 2) by frojack on Tuesday September 08 2015, @06:47PM
Apple is currently facing this very issue as we speak.
The government you elected is trying to force Apple to remove it's "zero knowledge" based encryption and hand over user data.
Apple is saying they use client side encryption, and do not know the users decryption key.
http://www.theguardian.com/technology/2015/sep/08/apple-encryption-comply-us-court-order-iphone-imessage-justice [theguardian.com]
No, you are mistaken. I've always had this sig.
(Score: 3, Interesting) by penguinoid on Tuesday September 08 2015, @05:55AM
Suppose Alice the banker lives in America, but has banks in Europe. The police decide to investigate a guy named Bob for crimes committed in the USA. After getting a warrant, they search but are unable to find any evidence Bob did anything wrong. They notice Bob has a safety deposit box in Europe, but the American warrant won't allow them to search it. However, they notice the Bob is Alice's client, and therefore Alice has a key to and therefore access to Bob's stuff. Therefore, they force Alice to go over to Europe, use her key to access Bob's box, and then search through all of Bob's stuff and bring back a copy of all of Bob's documents.
But of course if a computer is involved then everything is different.
RIP Slashdot. Killed by greedy bastards.
(Score: 3, Funny) by VortexCortex on Tuesday September 08 2015, @07:26AM
But of course if a computer is involved then everything is different.
Indeed, in that case your Alice intrusion solution can be patented!
(Score: 0) by Anonymous Coward on Tuesday September 08 2015, @07:42AM
What happens if someone sets up some sort of distributed storage, so that storage is allocated in blocks ... say... the payload size of a TCP/IP datagram.
When the client stores a file, he is apt to use a separate server to store each datagram. The servers are distributed all over the place, kinda like a bit-torrent scheme.
The entity storing the document in the cloud is the only one who knows the sequential addresses of where he put the data, and whatever encryption scheme he used.
In common usage, a file is apt to require hundreds, if not thousands, of IP packets sent from thousands of cloud servers, reassembled in the client's machine into the original file that was stored. Since only the client has the record of where all the fragments were stored, and which order to reassemble them in, only the guy who was storing the file in the cloud has enough information to reassemble the thing into anything meaningful.
To make this even more secure, have several different vendors offering the same storage protocol. Kinda like storing your stash with a lot of little one-room public storage garages across several countries in several chains of garages.
If any cloud server is ordered to report the file, they would have no way of knowing which packet belong to who. All they know is customer X has N packets stored with them. Somewhere. They have no idea where they are. And even if the packet was intercepted, its only one part of the file. Its apt to require information in both the preceding and subsequent packet to decrypt it.
Recovering the file without the string of pointers would not be a easy thing to do...
(Score: 1) by unzombied on Tuesday September 08 2015, @07:12PM
Clarify: To make clear; to free from obscurities; to brighten or illuminate. (Wiktionary)
Clarify: To interpret in my favor. (Politics and Business)
(Score: 0) by Anonymous Coward on Tuesday September 08 2015, @07:57PM
Prosecutors ... said Microsoft customers also have no right under the company's terms of service to demand that data be stored at any particular data center.
That's funny: my organisation is an EU-based Microsoft customer (we used Office 365) and we were absolutely guaranteed that our data would stay in the EU. It was the main reason behind the decision to use Office 365 instead of Gmail.