Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Microsoft Government Privacy Your Rights Online

Court Denies US Government Appeal in Microsoft's Overseas Email Case (pcworld.com) 71

An equally divided federal appeals court refused to reconsider its landmark decision forbidding the U.S. government from forcing Microsoft and other companies to turn over customer emails stored on servers outside the United States. From a report: The U.S. Court of Appeals for the Second Circuit, in a 4-4 decision Tuesday, declined to rehear its July decision that denied the DOJ access to the email of a drug trafficking suspect stored on a Microsoft server in Ireland. Microsoft has been fighting DOJ requests for the email since 2013. The DOJ has argued that tech companies can avoid valid warrants by storing customer data outside the U.S. Judges "readily acknowledge the gravity of this concern," but the 31-year-old U.S. Stored Communications Act (SCA) doesn't allow worldwide search under a U.S. warrant, wrote Judge Susan Carney. "We recognize at the same time that in many ways the SCA has been left behind by technology," Carney wrote in Tuesday's decision. "It is overdue for a congressional revision that would continue to protect privacy but would more effectively balance concerns of international comity with law enforcement needs and service provider obligations in the global context in which this case arose."
This discussion has been archived. No new comments can be posted.

Court Denies US Government Appeal in Microsoft's Overseas Email Case

Comments Filter:
  • Read as: (Score:2, Insightful)

    by Anonymous Coward

    DOJ butt hurt about ruling continues to.seek unfettered access to all data regardless of where it is or who owns it.

    • Re:Read as: (Score:5, Insightful)

      by saloomy ( 2817221 ) on Tuesday January 24, 2017 @02:55PM (#53730401)
      The DOJ is butt-hurt. But too bad. The US can't just decide that their warrants are valid EVERYWHERE, just because a company operates in the US as well. What happens when China wants data stored by Boeing in the US, because Boeing has offices in China, and there is a law-suit? There is a reason why the laws are written like this. If the drug traffickers data was so instrumental to the case, and the justification for the warrant is so compelling, then the US attorney should contact authorities in Ireland and seek the Irish courts to issue a warrant to MS.

      If there is anything fishy, they won't go that route, and if there isn't, an extra set of judicial eyes on the facts of the case can't hurt.
      • by Anonymous Coward

        The US can't just decide that their warrants are valid EVERYWHERE,

        Well yes they can, in this case they decided otherwise. But even if they did, nobody else really HAS to listen. Despite what most Europeans may think about their "Right to be Forgotten" laws.

        What happens when China wants data stored by Boeing in the US, because Boeing has offices in China, and there is a law-suit?

        What happens is that Boeing can either give up the data, or they can shut down their China-based operations. And why bother with hypotheticals, when you could easily have come up with all sorts of actual real-world examples?

        • "why bother with hypotheticals, when you could easily have come up with all sorts of actual real-world examples?"

          FATCA. Banks everywhere. 'nuff said...

          The US can and does try to push its law into other countries, where is clearly has no jurisdiction. Sometimes it succeeds. The rest of the world is getting fed up with this. If the US does try to push this, European privacy laws could well be the hill that US influence dies on.

          • That may be so, but you can't expect a corporation like Microsoft to be caught between US warranty laws and EU privacy laws. Somewhere the system has to accommodate the diverse laws in place, and jurisdiction is the solution to that problem
      • The DOJ is butt-hurt. But too bad. The US can't just decide that their warrants are valid EVERYWHERE ... If there is anything fishy, they won't go that route

        The problem -- which the DOJ and other parties absolutely know -- is that they are using a warrant.

        You say they won't go that route if there is anything fishy, but the fact that they are attempting to use a warrant is extremely fishy.

        There is an enormous difference between a warrant which they are using, and a subpoena that they would be trying to do if the one person in the case was all they wanted.

        With a subpoena the company must produce information. They must produce the information no matter where

        • Even if there is a subpoena, that again is irrelevant to obtaining data held in a different jurisdiction as, just like warrants, they have no legal force whatsoever outside the country of issue. If one is issued in Eire, then fine. Until then, tough shit.

        • by bsolar ( 1176767 )
          I think the correct tool in this case would be an international letters rogatory requesting judicial assistance from Ireland, where the data lies.
    • by Anonymous Coward

      Speaking of the DOJ and government...

      AN IMPORTANT MESSAGE FROM MIKE PENCE
      WASHINGTON (WHPB)—Vice-President Mike Pence has issued the following message to the American people:
      Dear American People,
      What with all the hoopla and hullabaloo of Inauguration Week, we didn’t really get a chance to get to know each other. And so, if you don’t mind, I thought that I’d take a minute or two to tell you a thing or two about Mike Pence.
      I’m what most people would call a “fun guy.” I

  • by account_deleted ( 4530225 ) on Tuesday January 24, 2017 @02:40PM (#53730311)
    Comment removed based on user account deletion
    • Another solution (Score:5, Insightful)

      by Okian Warrior ( 537106 ) on Tuesday January 24, 2017 @03:05PM (#53730473) Homepage Journal

      So, is US congress now going to change the law so a US judge can permit the US DOJ to access foreign servers? May we assume reciprocity, so that other countries can then serve warrants to providers in the USA and legally demand access to data stored on US soil?

      I think not..

      Another solution is to pass a law saying that all US citizen data has to be kept in servers in the US.

      The benefit is that foreign countries don't get to access our citizens' data as easily (Russia, China, Canada).

      The *real* solution is that E-mail and other data should be encrypted end-to-end, where the provider and location don't matter. Proton mail and Lavabit come to mind.

      I remember when DropBox first came out, it required a driver to install (in WinXP) to synchronize the data to the cloud, and asked whether they had any plans to add encryption. Their response was "Oh, we'll never add encryption! That's the end-user's responsibility, and besides... it's haaaaaard!"

      We need turn-key solutions. If good security is a checkbox "make my messages private", more people would use it.

      • by Falos ( 2905315 )
        "[we have] encryption with zero key management" is a phrase I've seen touted as a feature. And something that, not just "will be" but "has already gotten" ...increasingly popular with vendors.

        It's not even a question of jurisdiction or ethics or legal rights, the reality is that sometimes (anywhere between some and all) private effects can't be accessed, not mere "should/n't".

        You might as well discuss the legal reach allowed to federal time travelers.
      • by Kjella ( 173770 )

        Another solution is to pass a law saying that all US citizen data has to be kept in servers in the US. The benefit is that foreign countries don't get to access our citizens' data as easily (Russia, China, Canada).

        Which would be a massive legitimization of Russia and China's nationalistic social media policies to make people only use services under Putin and the CCP's control. If US data is not safe in the EU, why is EU data safe in the US? And you're flipping the situation on its head, only the US is crazy enough to demand data from an Irish subsidiary. You think Ireland would demand data from a US subsidiary through Irish courts? The US would go ballistic. The US is asking for other countries to accept what it woul

      • Another solution is to pass a law saying that all US citizen data has to be kept in servers in the US.

        What about e-mail or other service providers that don't have servers in the U.S.? Would it be illegal, under your framework, for U.S. citizens to sign up for e-mail or other data accounts with foreign providers with no U.S. presence? How exactly would enforcement work?

    • by alexo ( 9335 )

      So, is US congress now going to change the law so a US judge can permit the US DOJ to access foreign servers?

      Not really. The way I understand it, the idea is for the US congress to change the law so a US judge can permit the US DOJ to force a US company to surrender data that it stores on foreign servers.

    • by vux984 ( 928602 )

      To be fair, to properly police a multinational corporation you really do need a multinational police force.

      I agree that we shouldn't be looking to change the law so that the US DOJ can simply access foreign servers. But we SHOULD be strengthening the ability of inter-national police forces to prosecute cases; to streamline international discovery. While the US can't and shouldn't try to enforce laws extra-nationally -- at the same time a multinational shouldn't be immune to prosecution by virtue of being si

      • by Anonymous Coward

        There are processes in place for that already. And to most of us who daily work with people in other countries, regularly travel abroad etc. that would all seem relatively simple and obvious.
        However US law enforcement is stuck in a past where talking with someone from a foreign country, or worse even travel there to get things done is considered an unthinkable burden. So if such a need arises, they try to club it through on the US side, wasting everyone's time, and when it then predictably fails they tend t

        • by vux984 ( 928602 )

          There are processes in place for that already.

          They are not especially efficient or streamlined though. Which is why international crimes have to reach a much much higher bar before anyone even tries prosecuting them.

          I don't disagree with the rest of your post.

      • It has nothing to do with foreign servers though, it is about the DoJ telling US companies to turn over documents that are held by subsidiaries that they control. All of that happens in the US.

        • It has everything to do with foreign servers because that is where the data is held. This data is also protected by the laws of the country it is held in from extradition just because a foreign party (in this case the US Govt is the foreign party) wants it.

    • No, SCOTUS will overturn this because very-well-established precedent says that US companies, including their controlled subsidiaries, have to obey all US court orders. Americans traveling overseas does not stop them from having to obey US law. Maybe US laws are only applicable inside the US for specific reasons, but in general US law applies to Americans and American companies at all times.

      An example, it is illegal for Americans to communicate with foreign governments for the purpose of affecting their res

      • by Kjella ( 173770 )

        An example, it is illegal for Americans to communicate with foreign governments for the purpose of affecting their response to US foreign policy; it is illegal for Americans to bribe foreign governments; it is illegal for Americans to have sex with minors in foreign countries. These laws are not legally controversial or gray areas, they are well-established.

        Extra-territorial laws where Americans are required to simultaneously uphold both US and local law are well-established. Extra-territorial laws that compel Americans to break local law would be extremely controversial. If US law says you drive on the right and you go to Britain where people drive on the left then obviously you follow local law. If you can't do that, then you can't drive. If you can't do business in the EU without breaking local law, you can't do business there. The US supreme court can say

    • by rtb61 ( 674572 )

      More simply, extradition laws could be extended to include data, catch, no secret extraditions must be public because the affected citizen has the right to defend it, not a warrant but a data extradition request. The local government would than serve the warrant for that data in order to provide the data requested under the legally fulfilled data extradition request.

  • The DOJ has argued that tech companies can avoid valid warrants by storing customer data outside the U.S.

    It's not a valid warrant, because the court that issued it doesn't have jurisdiction.

    • This court was right, I think, to write that although there are problems either way, it's not the job of the court to rewrite the law - that's up to Congress to fix it.

      One possibility is that Congress won't allow warrants on foreign *servers*, but will allow some form on subpoenas on US *companies* who possess evidence about people in the US.

      One reasonable argument (maybe right, maybe wrong) is that if a US company has some evidence about a US person, related to a US case, they can, after a court hearing, b

  • by geekmux ( 1040042 ) on Tuesday January 24, 2017 @03:08PM (#53730509)

    (Billionaire US business owner) "Hell yes! Go after those dirty drug dealers! Those bastards shouldn't be able to hide their evils in another country!"

    (Billionaire's accountant) "Sir, might I remind you that your tax haven data is stored in Ireland..."

    (Billionaire US business owner) "Nevermind! Those meddling DOJ bastards don't need access to anything."

    • by green1 ( 322787 )

      Which is why the DOJ will be given access, but the IRS will not.

      Politics is a game where the top 1% write the rules, you know who's favour they will be in.

  • This is how I want tech companies to protect my privacy. With a four-year lawsuit designed to delay handing over my data (and it ultimately won!). Compare and contrast to Lavabit, which decided to shut down in 2013 after printing out its private keys in 2-pt. font.

    • by Anonymous Coward

      Compare and contrast indeed.

      Microsoft, a huge multinational corporation, with billions in cash reserves and a legal department that could be a law firm by itself, had to go up against the Department of Justice (DOJ) in the regular American court system. The DOJ sought data that Microsoft (US) did not actually have. It was attempting to compel Microsoft (US) to force Microsoft (Ireland) to send that data to the United States, in contradiction to EU privacy laws governing Microsoft (Ireland).

      In other words, t

      • t, do you still think LavaBit failed to protect its customer's privacy?

        Yes, I think they failed to effectively protect their customer's privacy.. LavaBit had the time to hire a lawyer (although I have no idea how much money he had) He was crushed in court cause he was an idiot who didn't take the0 proceedings seriously. And the judge found him in contempt because instead of fighting the subpoena, appealing it, etc, he acted like an ass.

        All you're providing is reasons why LavaBit failed - not the actual ch

  • If worse comes to worse, Microsoft will give its foreign branches enough independence (enough to make it a separate company) to deny any request it wants from the US branch.

  • Realistically, doing so would create a catch-22 lose-lose situation for American corporations.

    Don't give information to US authorities from foreign servers: they're violation of US law and you get penalised

    DO give away information to US authorities from foreign servers: (often) they're in violation of the privacy/access/etc laws in said foreign country, and they get penalised

    I'm not American, and certainly not a fan of some of the international shenanigans perpetrated by US corporations, but allowing a law

    • ...such a law would make it illegal for US companies to operate servers in the EU in a lot of cases, because there are protections for EU data. There are some 'safe harbour' exceptions for certain types of data in certain circumstances, but that won't cover everything, and (I suspect) doesntt cover email.

      Moreover, many EU based companies would think very long and hard if they wanted to use a US cloud provider for anything at all, especially if the law allows for the US to grab 'chunks' of data (eg. a server

  • Just another case of multinationals are outside any countries control.
    It's a fecking free for all

  • With the very recent event of the US pulling out of the TPP, I feel it's unlikely that others in the International Community, will take kindly to foreign powers accessing servers in their territories. Should US lawmakers update the law and change it to allow for US laws to operate in this manner, I imagine that companies like Microsoft, will outsource the administration of those non-US servers, so they have a non-US division operating them, thus leaving them outside of the reach of US laws.

  • Quite simply there seems to be some kind of magical thinking that you can balance something unreasonable against basic rights. For instance anyone who thinks that it would be "Balanced" for a US court to order people in another country to do something is insane. The whole US revolution was about things like taxation without representation. So what makes the US seem to think that people in other countries should give two shits what their courts say when we have exactly zero input into the laws, the lawmakers

Real Programmers don't eat quiche. They eat Twinkies and Szechwan food.

Working...