Forgot your password?
typodupeerror
The Courts Cloud Data Storage Microsoft United States Your Rights Online

American Judge Claims Jurisdiction Over Data Stored In Other Countries 226

Posted by Soulskill
from the su-casa-es-mi-casa dept.
New submitter sim2com writes: "An American judge has just added another reason why foreign (non-American) companies should avoid using American Internet service companies. The judge ruled that search warrants for customer email and other content must be turned over, even when that data is stored on servers in other countries. The ruling came out of a case in which U.S. law enforcement was demanding data from Microsoft's servers in Dublin, Ireland. Microsoft fought back, saying, 'A U.S. prosecutor cannot obtain a U.S. warrant to search someone's home located in another country, just as another country's prosecutor cannot obtain a court order in her home country to conduct a search in the United States. We think the same rules should apply in the online world, but the government disagrees.'

If this ruling stands, foreign governments will not be happy about having their legal jurisdiction trespassed by American courts that force American companies to turn over customers' data stored in their countries. The question is: who does have legal jurisdiction on data stored in a given country? The courts of that country, or the courts of the nationality of the company who manages the data storage? This is a matter that has to be decided by International treaties. While we're at it, let's try to establish an International cyber law enforcement system. In the meantime."
This discussion has been archived. No new comments can be posted.

American Judge Claims Jurisdiction Over Data Stored In Other Countries

Comments Filter:
  • American company (Score:5, Informative)

    by Todd Knarr (15451) on Saturday April 26, 2014 @12:47PM (#46848305) Homepage

    I think the fact that it's an American company being ordered to produce the data factors in here. The judge does have jurisdiction over the company, which makes it a different situation from ordering a company in another country to turn over data stored there. If you want to get out of a country's legal jurisdiction, you need to be out of their jurisdiction.

    • by K. S. Kyosuke (729550) on Saturday April 26, 2014 @01:00PM (#46848389)
      What if it breaks the law of the foreign country in question?
      • by Anonymous Coward on Saturday April 26, 2014 @01:07PM (#46848425)

        Then the company is going to have to choose which country's laws to break, and suffer the consequences. In the extreme case, this will result in companies deciding that it's not worth operating in particular sets of countries.

        • Re: (Score:3, Interesting)

          by knightghost (861069)

          What if I encrypted a block of my data, broke those blocks up, then stored separate (non-duplicate) pieces in every country in the world? Would a court need to get every country's permission to assemble the data? Is the data an entity that has to be pursued independently of the owner (me)? Or as the owner, can my citizenship country (or a country that is pursuing me) instead demand all pieces based on me as the owner?

          To summarize: Is my data legally independent from me?

          • Re:American company (Score:4, Informative)

            by St.Creed (853824) on Saturday April 26, 2014 @02:08PM (#46848751)

            Data is legally owned and controlled by somebody, and that's the one getting the subpoena. So as far as I know the law over here (IANAL) the answer is yes: the court that can claim jurisdiction can apply its laws and if they say they can order you to give up the data and decrypt it, then you have to.

            In my (amateur) opinion, the only way Microsoft would have gotten out of this one is if they had sold the data to another company that would reside in Ireland and that would be legally independent. Say, "MicrosoftDataHolding Ireland". However, *that* company could be ordered by the Irish courts to turn over the data to the Irish government, independent of what Microsoft USA would want. They wouldn't even be part of the case.

            • by Frobnicator (565869) on Saturday April 26, 2014 @06:35PM (#46850073) Journal

              Data is legally owned and controlled by somebody, and that's the one getting the subpoena.

              Read it again. Even the /. summary covers it properly.

              They did not get a subpoena, which would have forced Microsoft to turn it over. The used a search warrant, which allows the (unspecified) government to swoop in and seize the servers. Located in Ireland. Using a US's renound paramilitary law enforcement. In Ireland. Seizing Irish equipment from an Irish branch of the company, used by Irish people and defended by an Irish police force.

              The (unspecified) US government agency requested the ability (and the judge authorized) to enter the Irish facility and take the machines by force if necessary -- that is how search warrants work.

              The fact that they even requested it is troubling. The fact that the agency was granted it is fairly terrifying. If this doesn't get taken down in an appeal, the article and summary are correct, it means the US government is basically declaring sovereignty over the world even more than before. This isn't Afghanistan or Iraq, but Ireland they would be using force against.

              • Re:American company (Score:4, Informative)

                by radarskiy (2874255) on Saturday April 26, 2014 @07:02PM (#46850157)

                Stop lying.

                The actual articles says *nothing* about US agencies gaining physical access purely on the basis of a US warrant.

                From the actual article:
                "A search warrant for email information, he said, is a "hybrid" order: obtained like a search warrant but executed like a subpoena for documents. Longstanding U.S. law holds that the recipient of a subpoena must provide the information sought, no matter where it is held, he said."

                So the instrument really is more like a subpoena in that it forces action on the recipient, in this case to retrieve the data from the foreign location. It does not authorize any US official to seize the data from the foreign location without the involvement of the foreign authorities.

                This ruling literally does NONE of the things you accuse it of.

          • Nope. The jurisdiction concerned about the information would need two things: Your physical presence and a rubber hose.

          • by Rich0 (548339)

            What if I encrypted a block of my data, broke those blocks up, then stored separate (non-duplicate) pieces in every country in the world? Would a court need to get every country's permission to assemble the data? Is the data an entity that has to be pursued independently of the owner (me)? Or as the owner, can my citizenship country (or a country that is pursuing me) instead demand all pieces based on me as the owner?

            To summarize: Is my data legally independent from me?

            They would simply ask you nicely to produce the data within some period of time. Then if you didn't do it they'd just lock you up until you did.

            In just about any country the court is only going to ask you nicely to do something once. So, think about that before you put data you might be asked to produce in a place where you might have trouble getting to it.

      • by rtb61 (674572)

        It automatically breaks the law of the foreign country. It is after all a search warrant and if the country has similar laws requiring a search warrant then the foreign part of the company is protected by law of that country. In this case the simple answer is, the warrant is issued, then served locally, then the company forwards the request and the foreign part of the company then refuses citing local law at their location. So locally they adhered to the law in both locations, both nothing happens and stup

    • by QuasiSteve (2042606) on Saturday April 26, 2014 @01:59PM (#46848679)

      Right - that's why AMS-IX opened 'their' NY location as a separate company, so that U.S. jurisdiction can't touch their Dutch operations.

      https://ams-ix.net/newsitems/1... [ams-ix.net]

      Or so their lawyers are interpreting anyway - probably nothing a stroke of the pen in the U.S. can't make disappear.

    • Re:American company (Score:5, Interesting)

      by Em Adespoton (792954) <slashdotonly.1.adespoton@spamgourmet.com> on Saturday April 26, 2014 @02:01PM (#46848689) Homepage Journal

      I think the fact that it's an American company being ordered to produce the data factors in here. The judge does have jurisdiction over the company, which makes it a different situation from ordering a company in another country to turn over data stored there. If you want to get out of a country's legal jurisdiction, you need to be out of their jurisdiction.

      What is an "American" company? MS Europe is incorporated in Ireland, has a datacentre in Ireland, and pays taxes in Ireland. The FBI should be approaching the Irish authorities for access to this data.

      Or look at it another way: Is Sony USA an American company, or a Japanese company? If it's a Japanese company, that means that the Japanese have the right to all data stored on Sony USA servers.

      Or let's take this further: let's say the government of China had reason to believe that Cisco China had an NSA backdoor in its products as they were being deployed in China, and so ordered Cisco USA to turn over all emails, technical specifications and documentation.

      Rinse and repeat with pretty much any middle east country and Haliburton.

      This is a dangerous precedent for the US to set, as their only possible responses to foreign country's requests for similar information would be either "sure, here it is" or "sorry, we have a bigger army. Don't mess with us." Land of the Free much?

      • by St.Creed (853824)

        Well... let's follow up on the argument a bit.

        If MS Europe is *really* independent, they can now turn down the request of MS USA for the data and the request will have to go through the Irish courts. But if they are *not* all that independent, and the data is not in fact controlled by them but by MS USA, then they can't interfere, MS USA will have to comply and I can just imagine what the tax authorities are going to do the morning after they produce the data: go after MS with a pretty big hammer.

        Interestin

      • by swb (14022)

        This is a dangerous precedent for the US to set, as their only possible responses to foreign country's requests for similar information would be either "sure, here it is" or "sorry, we have a bigger army. Don't mess with us." Land of the Free much?

        This is exactly what multinationals do. They love to have some weird, three-room office in an industrial park near the airport in someplace like Ireland that they can use as their tax headquarters to shelter a bunch of income from American taxes, but then keep t

      • by Rich0 (548339)

        This is a dangerous precedent for the US to set, as their only possible responses to foreign country's requests for similar information would be either "sure, here it is" or "sorry, we have a bigger army. Don't mess with us." Land of the Free much?

        How is that a dangerous precedent for the US to set? As you just pointed out, they can say that they have a bigger army, and that is true. It would be a dangerous precedent for another country to set for sure.

        In practice this is how most countries have operated since the dawn of time. They fully expect their citizens and corporations to collaborate with them in intelligence gathering against other nations, and they expect those same citizens and corporations to not collaborate with other nations in intel

    • Re:American company (Score:5, Informative)

      by Frobnicator (565869) on Saturday April 26, 2014 @02:11PM (#46848759) Journal

      I think the fact that it's an American company being ordered to produce the data factors in here.

      Close, but wrong.

      Being ordered to produce data is called a subpoena. That is the normal tool for producing emails and documents. A subpoena orders the company to find the documents meeting the criteria and produce them for the court.

      A search warrant allows LEOs to enter the building, search for everything themselves, and seize anything that might appear to satisfy the warrant. So they would enter the server room and immediately seize any computer that looks like it might have the email on it.

      The unnamed government agency got a warrant to seize a bunch of computers, and are acting under the guise that they are asking for specific information.

      It is completely the wrong tool. It would be nice to think it was a simple mistake, picking the wrong tool to get information. ... unless it is an agency looking to do far more than find some specific emails. Unfortunately it is probably the latter, given that everything is under seal and they are demanding to allow US federal agents into a non-US facility to seize servers.

    • So if I store a document in a vault provided by an American company in a foreign country, they must turn it over? Suppose the American company owns a building which they rent space in. Must they turn over documents stored there by third parties who are renting space?

      • by Aighearach (97333)

        Under US law a renter is legal possession of the property they are renting, so no. As to the vault that you're not renting but that the company is storing your document in, yes.

    • by Grishnakh (216268)

      Exactly. If this were an Irish company, located in Ireland, this wouldn't be an issue. It's no different than if the Court wanted access to your banking records in Switzerland. You're an American citizen, living in America, and sitting in an American courtroom, so they have the legal right to this information or money. If you refuse to comply, they can lock you up. If you're a Swiss citizen, living in Switzerland, and currently sitting somewhere in Europe, they have no power over you.

      There's a simple l

      • by pjt33 (739471)

        It's not quite that simple. You also have to avoid companies which might be bought out by an American or multinational company at some point in the future.

        • by Grishnakh (216268)

          Well that's pretty hard to predict, so you just need to be prepared to abandon a company quickly if they are bought out by an American or multinational. It goes back to that "don't put all your eggs in one basket" axiom, plus the idea of being self-reliant when possible.

      • by Aighearach (97333)

        There is no precedent here, this is an obvious outcome of a basic issue. MS did a "hail Mary" trying to get a new type of protection, and (predictably) failed.

        MS was always a US company, and US courts always had jurisdiction over any evidence in their possession or under their control.

        • by Grishnakh (216268)

          Well, that's basically what I said in my post above, with my analogy about the US citizen in a US court trying to hide information about their holdings in a foreign bank account.

    • How about Dutch servers (Leaseweb) rented by a company based in Hong Kong (Megaupload)?
    • by _KiTA_ (241027)

      "We know you have a house in Ireland, but you're an American, and we demand you let us federal agents into your Irish estate."

      Somehow, I imagine Ireland or the EU are not going to be enthused about this.

  • by Anonymous Coward

    The judge said that the warrant served on Microsoft is valid, meaning that Microsoft, which has control of the servers in Dublin, can be required to use its access to its own servers to turn over information within its control. Nothing Earth-shattering here.

    • And what happens when Ireland, the UK, the EU etc pass laws which specifically prevent Microsoft et al from responding to such warrants when they are issued from countries where the data does not reside?

      Microsoft would be between a rock and a hard place.

      • Already in place.... (Score:4, Informative)

        by CaptainOfSpray (1229754) on Saturday April 26, 2014 @01:11PM (#46848435)
        EU law already makes it illegal to pass "personal data" to any location which lacks the protections available in Europe. The so-called Safe Harbor provisions apply for te US situation, but everyone who understands the EU law knows that the Safe Harbor arrangements are just smoke and mirrors - they afford precisely no protection at all - they exist to enable EU companies to export data to the US while claiming they have complied wth the law.
      • by Trepidity (597)

        That's precisely why Microsoft is opposing this order, not so much to avoid turning this particular data over, but because it may damage their European business. Microsoft has made a big marketing push in Europe trumpeting that their cloud products comply with EU data-protection laws, and this has been somewhat successful: several big companies and universities have signed up with Office 365 as their email/calendaring provider, in part because they were convinced that doing so is compatible with their oblig

    • Only if the data belongs to american citizens, they shouldn't have access to Irish citizens' data
      • by Immerman (2627577)

        Ah, but it's not Irish citizen's data - it's Microsoft's data about Irish citizens. Possession is 9/10ths of the law after all. I'd bet you good money that the EULA even says something to that effect down around page 29475.

    • by rossdee (243626)

      Sent it to them at 300 baud

    • by X.25 (255792)

      The judge said that the warrant served on Microsoft is valid, meaning that Microsoft, which has control of the servers in Dublin, can be required to use its access to its own servers to turn over information within its control. Nothing Earth-shattering here.

      Unless servers actually belong to a business entity registered in Ireland (Microsoft office there or whatever), which is subject to EU laws and regulations, not to US judge opinions and wisehs.

      If server belongs to company registered in Ireland (regardless of who is the 'parent' company), they would likely be breaking EU laws and regulations if they would follow orders from US judge.

      Do you have objections to Chinese judge ordering Huawei to disclose personal data of their US customers?

      If you don't, I guess t

      • by Aighearach (97333)

        If you're debating about what you have "objections" to, that is a discussion better had on a thread about legislation. A thread about legal rulings hopefully centers around understanding what the law actually is right now, and potential differences of understanding on what that is.

  • The judge has now made sure that no American company will ever admit to having stored any data anywhere, or risk losing business.

  • by Anonymous Coward on Saturday April 26, 2014 @01:30PM (#46848517)

    Denmark recently sold its digital infrastructure (digital identities, national bank payments, etc) to a US company. The Danish government said there was nothing to worry about, because the servers would still be in Denmark. Thank you, USA, for proving the Danish government wrong.

  • by MouseTheLuckyDog (2752443) on Saturday April 26, 2014 @01:35PM (#46848549)

    I mean come on!
    This is reported on by Reuters, and they do not supply a link to the ruling itself. Which means they probably state the ruling all wrong and also leave out important details. In fact one detail I see at once is missing. Whose emails are these?

    They could be Boris Putins,.or Kim Dotcoms, in which case I would have severe problems with the judges orders.
    Or they could be Dread Pirate Roberts, or even Microsofts operating emails stored in Dublin just to avoid having to turn them over in which case I would have no problems with the judges orders.

    In any case please get us all the facts before putting up such a story.
    Is that really too much to ask?

  • by ultranova (717540) on Saturday April 26, 2014 @01:51PM (#46848631)

    The question is: who does have legal jurisdiction on data stored in a given country? The courts of that country, or the courts of the nationality of the company who manages the data storage? This is a matter that has to be decided by International treaties. While we're at it, let's try to establish an International cyber law enforcement system. In the meantime.

    Why would I want to build an enforcement system when I don't know who's rules it will end up enforcing? Chinas? North Koreas? NSAs?

  • These days the public has a concept of what an American company is but i'm not so certain that the law shares the same concept. Corporations are multi-national these days and frankly the nature of multi national corporations sucks bilge water. Here is why: Going into WWII the Coca Cola company felt that they would take heat for producing product in Germany. So they created the Fanta line of sodas. That way they could still make money on all those lovely Nazi soldiers while keeping the public unawar
  • I would suggest a law that forbids information to be retrieved from servers for the purposes of satisfying a warrant or supposed legal order that has not been validated by a court within jurisdiction.

    The question is: who does have legal jurisdiction on data stored in a given country? The courts of that country, or the courts of the nationality of the company who manages the data storage?

    • by nbritton (823086)

      The question is: who does have legal jurisdiction on data stored in a given country? The courts of that country, or the courts of the nationality of the company who manages the data storage?

      Any court that has personal jurisdiction over the corporation. Which is to say wherever the company is incorporated or resides. At a minimum the Federal and State court where the company is incorporated will have personal jurisdiction. There are no jurisdictional borders when it comes to corporations, ether the court has personal jurisdiction over the company or it doesn't, and if it does it can issue any warrant it wants on the corporation. The court can't send it's agents to another country to execute the

      • by mysidia (191772)

        Any court that has personal jurisdiction over the corporation. Which is to say wherever the company is incorporated or resides.

        Good news, everyone... Microsoft US, Inc. and Microsoft Ireland, Inc. are separate corporations with their own separate trustees/agents. The court might want to issue a search warrant for officers to visit Microsoft Ireland's premises and seize potential evidence, BUT only Microsoft US has a presence in the US, therefore, the court has no ability to hold Microsoft

    • by Aighearach (97333)

      MS resides in Washington State, if Ireland manages to hold them in prison to prevent them complying with the order, that is fine. They might rethink their Irish strategy when they get back, though. ;)

  • Where the servers reside is simply not relevant because the corporation resides within the jurisdiction of the court, corporations are people and because a company is one legal entity the court has jurisdiction over all of the company, regardless of where it's assets are physically located. It's called personal jurisdiction and the ruling is correct, it will be upheld if appealed. If you don't want to be subject to american jurisdiction then don't incorporate in america, it's really that simple.

  • As far as I know, multinational companies are really a collection of separate companies, all incorporated in the countries they are physically located in and pay taxes in that country. It's the reason why much of Apple's income is held by foreign versions of Apple. Yes, they all report to the mothership, but that mothership doesn't have sovereignty or jurisdiction over it. I'd love for some Irish barrister to send a letter telling this Judge to go feck-off along with a subpoena the Judge's phone records bec
    • by Aighearach (97333)

      If the subsidiary is wholly-owned then the parent company does indeed control the information and has to produce it. The tax-game stuff is not a loophole created by lack of jurisdiction, it is loopholes created by the specific ways the tax laws are written to favor certain strategies.

      • A subsidiary company has a separate board of directors. It is the task of those directors to run the company in the interests of the shareholder, in accordance with local law. In this case, given that the company is subject to European Data Protection legislation, it would be for the local directors to refuse to obey the court order - and invite MS USA to sack them at an AGM. By the time the AGM comes along, there's a good chance that either the Irish courts will have got involved, or the US government will
  • How is this different than French judges insisting that the internet use French, German judges trying to ban Nazi logos in global games hosted elsewhere, etc?

    I mean seriously, there's like a story a week about some dumbass judge thinking he can tell the internet what it can and cannot do?

    It's about the "stupid", not the "America". Although those are often enough synonymous, I admit.

    • by Aighearach (97333)

      There is plenty of stupid to go around, I can assure you.

      And yes, French courts could issue any sort of ruling they want against French companies. If you're a French company and there is some French law about online language, you'd be well advised to obey it.

  • For EU companies it is now impossible to store user related or other sensitive data on servers or cloud nodes provided by US American companies. Data privacy regulations in the EU would prohibit the use of such infrastructure. Even though there is a "safe harbor" treaty.

  • The Americans like to complain about Russia's "invasion" of Crimea, and claim that it's a power grab.

    But with this decision, the judge is trying for a GLOBAL power grab the likes of which the world has never seen.

    Quite frankly, the US judge and administration can go fuck themselves. YOU ARE NOT THE WORLD.

  • It is data about a person, in many cases it is literally the documents, calls, emails, tweets, IMs of people to people. That clearly belongs to the persons themselves, not to some company that wrote an app used to interact with that data or the companies providing the pipes for it to travel across. So that it is an American company really has nothing to do with it if we see it from the logical point of view of who the data belongs to. If it belongs to a European then it is government by European law. P

Today's scientific question is: What in the world is electricity? And where does it go after it leaves the toaster? -- Dave Barry, "What is Electricity?"

Working...