US Supreme Court To Decide Microsoft Email Privacy Dispute (reuters.com) 70
The U.S. Supreme Court on Monday agreed to resolve a major privacy dispute between the Justice Department and Microsoft Corp over whether prosecutors should get access to emails stored on company servers overseas. From a report: The justices will hear the Trump administration's appeal of a lower court's ruling last year preventing federal prosecutors from obtaining emails stored in Microsoft computer servers in Dublin, Ireland in a drug trafficking investigation. That decision by the New York-based 2nd U.S. Court of Appeals marked a victory for privacy advocates and technology companies that increasingly offer cloud computing services in which data is stored remotely. Microsoft, which has 100 data centers in 40 countries, was the first U.S. company to challenge a domestic search warrant seeking data held outside the country. There have been several similar challenges, most brought by Google.
America owns the world (Score:1)
Therefore there is no jurisdiction issue.
Re:America owns the world (Score:4, Interesting)
This has nothing to do with "owning the world". If a Microsoft employee, located in the U.S., can access a server located in [some other country], then the location of that server is irrelevant. That is the argument being used by the U.S. government, and in this case they are correct.
To argue otherwise means:
You're claiming that a person located in the U.S. is governed by EU law, e.g., they can't access a server they own and control except in accordance with EU law, despite the fact that they are not in the EU. You are, in fact, trying to impose EU law on a person sitting at a computer in the U.S.
Any person/business located in the U.S. just has to put all their servers outside the U.S. and access them remotely and they become immune to all U.S. laws. Want to investigate Microsoft/Google/Whoever for securities fraud or some other wrong doing? Sorry, all their documents and e-mails are located on a server outside the U.S. and they don't have to give them to you.
Re: (Score:2)
Well, that's the beauty of a world-wide network. A person can be sitting in front of a terminal in the U.S. and do business from, say, Europe because he has put a web server there that does all his transactions. I am really curious as to what would happen if he put his web server in orbit, outside any country. Or on an asteroid.
In fact, pilots of armed drones can kill someone in another country. The law can only make sense if the owner/controller has to comply with laws of both the residential country AND t
Re: (Score:3)
You're claiming that a person located in the U.S. is governed by EU law, e.g., they can't access a server they own and control except in accordance with EU law, despite the fact that they are not in the EU. You are, in fact, trying to impose EU law on a person sitting at a computer in the U.S.
Actually, where the person is located does not matter much.
We see this in the US with sales tax on online sales. While you could argue that the sale takes place in the retailers server, according to the law it takes place in the customers home. This is why retailers (assuming sufficient presence, i.e. nexus) must pay sales tax where thew customer lives. The same applies in the EU by the way, for purposes of consumer protection, VAT, etc. Where the company (and its employees) are located does not matter.
Ano
Re: (Score:2)
Same store, same transaction, different result. The law is, as Dickens wrote, an ass.
Although I won't dispute your comment about the law (I frequently agree), the fact that it's the same store does not mean that the transaction is the same: part of the transaction is a location. Obviously, any location related to the transaction could have been chosen as transaction location:
For a physical transaction in a brick&mortar store, these are all (approximately) the same, so we don't notice if th
Re: (Score:2)
We see this in the US with sales tax on online sales. While you could argue that the sale takes place in the retailers server, according to the law it takes place in the customers home. This is why retailers (assuming sufficient presence, i.e. nexus) must pay sales tax where thew customer lives. The same applies in the EU by the way, for purposes of consumer protection, VAT, etc. Where the company (and its employees) are located does not matter.
FALSE: Customers pay sales tax, retailers collect sales tax on behalf of the government, but the tax liability is the purchasers, not the sellers (see use tax). The argument becomes whether a government can require a citizen of a different state to operate on it's behalf by requiring them to collect this tax. (answer: they cannot -this is why establishing nexus becomes relevant.)
While you are correct that retailers do not pay sales tax, this does not invalidate my argument: the sales tax must be paid where the transaction takes place. This is where the customer is. Who must pay the tax (in this case the customer) is irrelevant.
Sauce for the gander (Score:1)
OP's snark was directed at the US Government's long history of prosecuting people under claims that persons located in the EU are governed by US law (anti bribery US laws are but one example).
Such prosecutions become even higher profile when those EU located persons are accessing computers located in the US. The exact obverse of this case.
In other words ... what's sauce for the goose is also sauce for the gander.
Re:America owns the world (Score:5, Informative)
Yes, a person in the U.S. can copy personal data from a computer located in the E.U. to a computer located in the U.S.. But doing so without the consent of the person the data belongs to is illegal in the E.U.. The European High Court has decided that even U.S. legal enforcement is not allowed to do so without serving a warrant to the responsible european court first. If a court in the U.S. decides otherwise it would be in contempt of the EHC. I wonder what happens if the EHC then serves a warrant against an U.S. court for doing so.
Re: (Score:3)
That is exactly the situation that makes it so interesting from a legal view.
The US courts can order the US company to take the action. But the instant they start messing with the data in Ireland, the emails of a the citizen who lives in Ireland, then the international treaties between the US and Ireland come into play.
If that happens -- meaning the US Supreme Court orders or allows the government to violate the international treaty even though proper channels exist through the treaty -- the consequences
Re: (Score:2)
Ireland may quietly do nothing and allow the treaty violation.
And the data's owner could then take the matter directly to the European Court of Justice. Possibly event preempt the violation by an ECJ injunction (not sure if such a thing exists).
This does not of course stop the US prosecuting the person involved for failing to turn the data over voluntarily. That has nothing whatsoever to do with server location.
Re: (Score:3)
"You're claiming that a person located in the U.S. is governed by EU law, e.g., they can't access a server they own and control except in accordance with EU law, despite the fact that they are not in the EU. You are, in fact, trying to impose EU law on a person sitting at a computer in the U.S."
You mean like when you get delivered the guy who hacked a US computer from England, because he violated US law from his mother's British cellar?
Re: (Score:2)
Re: (Score:3)
Then the US company should be held in contempt and charged with obstruction of justice and destruction of evidence. The question here is whether or not you can hide evidence from courts. The fact that it's being done with computers is really quite irrelevant.
This is not a "tech" article at all.
A corporation wants to pretend it's above the law by engaging in a shell game with their documents.
Re: (Score:2)
And if police forces come into the data center in Ireland and then serve the warrant to disconnect the servers, can the technicians (and thus Microsoft) claim duress? They can even obtain a paper from the european police men that they tried to fulfill the court order but were hindered by the european police forces. How does the U.S. court enforce its warrant now?
Re: (Score:2)
Re: (Score:2)
A corporation wants to pretend it's above the law by engaging in a shell game with their documents.
Are you following the same story? This is not the shell game you propose.
The US government refuses to include details like if the person is an American, but instead they have bound the details of the case in secrecy. Microsoft is a global company with smaller corporations in each nation to follow the local laws. The US government in a local criminal investigation (for something not criminal in much of the world) has issued a search warrant for one company to seize information held by a sister-company in
Re: (Score:3)
This has nothing to do with "owning the world". If a Microsoft employee, located in the U.S., can access a server located in [some other country], then the location of that server is irrelevant. That is the argument being used by the U.S. government, and in this case they are
incorrect. That is because the Microsoft employee can access a server located in [some other country] due to permission from someone ([some other country] MS employees) at the location to enable access to the server. The [some other country] MS employee have 100% rights to physically disconnect their server at anytime under their judgement and the local country's jurisdiction.
Simpler concept: Guy 1 has a ball and Guy 2 also has a ball. Separated by land while under agreement and regulation, both of them c
Who owns the server? (Score:2)
MS in the US or MS in Ireland?
If you say "doesn't matter", realize that SAP is based in Germany, and we'd want to see some data you have over there. Schnell!
Re:Who owns the server? (Score:4, Insightful)
Unfortunately, this is where the story gets interesting. Whilst MS Inc, the US Parent, is incorporated under US Law and therefore subject to US jurisdiction, if the Irish subsidiary is incorporated under Irish law, then the ability of the US government to exert demands on it are potentially eliminated.
I have found that a good test to apply in a situation like this is to reverse the scenario. Here's a hypothetical situation to put this to the test: imagine that "Microsoft Ireland" was found guilty of a criminal offence [it doesn't matter what] and that the fine levied for this was equal to $100 Billion US. Now imagine that Microsoft Ireland are worth a grand total of say $40 Billion US and that extracting even this from them will completely bankrupt them.
Would the Supreme Court / Microsoft (US) inc be willing to allow the reciprocal to happen - i.e. that the plaintiff in the Irish case has the authority to go after Microsoft US for the remaining $60 Billion of their settlement? In other words - does that liability go both ways?
Obviously this is an academic question for a hypothetical situation; my sense is that the US parent would not want an open-door liability like this to be allowed. Which, whilst different in some respects, rather serves to enforce the view that these are two entirely different legal entities, incorporated under the laws of entirely different countries. If Microsoft Ireland had been incorporated under US law, then there might be an argument supporting the view of the US government. If it exists under Irish law, I don't see how the US government's case can have merit.
But then again, I'm not a lawyer...
Re: (Score:2)
Even simpler case: an Irish company is ordered by an Irish court to obtain data from its subsidiary in the USA. Which court wins ?
Re: (Score:2)
Given the US data protection laws, there's no conflict of law.
Re: (Score:2)
I suspect that this will be a split decision, but I would surmise that the SCOTUS will not be willing to set the precident that it's okay for another country to access data across boarders with traditional search warrants, but this will require cooperative search warrants. That is, if the US issues a Search Warrant, and then the country in which the server resides will, in turn, issue a matching Search Warrant, then the data can be accessed.
However, I do not believe the SCOTUS will want Ireland or Dubia or
Re: (Score:2)
It doesn't matter. MS (the people in the USA) can certainly be compelled to provide the information or, more likely, be sanctioned. If they made a deal with a foreign company (MS Ireland, presumably) that precludes them from doing so, then, there might be a price to pay for that. MS doesn't have to be permitted to do business in the USA if they start ignoring court orders, for instance.
SAP, same story, if SAP themselves own data in Germany, the USA can try all they want to get it, but they only get
Re: (Score:2)
I am not assuming that at all. All I am assuming that if MS doesn't come up with it for whatever reason, they are liable for sanctions. "Gee, we asked them and they said no" isn't going to get them out of it.
It would be a real stretch but depending on the rest of the case (and of course I didn't RTFA...) MS could be liable for obstruction of justice for squirreling the data/evidence away from US jurisdiction. They may never make the original case for lack of the evidence but nothing k
Re: (Score:2)
IIUC, the laws of Ireland prohibit exporting personal information to the US because of US laws on data protection. So for someone in Ireland to ship the data to the US would be in violation of Irish law.
This isn't just corporate maneuvering, it's also governments arguing about jurisdiction. The US is demanding that Irish laws be violated on Irish soil. And Irish law derives from EU law, so this is also the US vs. the EU.
Re:Who owns the server? (Score:4, Insightful)
It doesn't matter who owns the server, since even if it is MS Ireland, they're almost certainly a wholly owned subsidiary of MS US, meaning that MS US owns that data regardless. And if the US government compels MS US to hand the data over, they'll be making a request that's illegal in the country where the action must be undertaken, regardless of whether it's MS US or MS Ireland doing the deed, so in that regard it also doesn't matter who owns the server.
Of course, just because it doesn't matter who owns the server doesn't mean it's legal for the US government to make that request, nor that it's legal for MS (regardless of which brand we're talking about) to hand the data over.
Ideally, the people on the ground in Ireland would simply refuse to comply with the order if MS was compelled to hand over the data. After all, the US government has no authority over them, nor an ability to prosecute them, nor an ability to pursue a prosecution of them via diplomatic channels given that the request was illegal in the first place. In fact, the proper way for this to work is that the US government uses those diplomatic channels to seek an extraction of the data pursuant to its treaties with Ireland or the EU.
Unfortunately, it may be possible for MS US to extract the data from Ireland without the involvement of the people in Ireland. If that's the case, then those Americans may be opening themselves up to contempt or court and other charges for failing to produce documents that they are capable of producing. When Apple was facing a similar situation with the FBI attempting to compel them to add a backdoor to iOS, the rumors leaking from internally indicated that the team that would have been compelled to take those actions planned to quit if push came to shove, and that other companies were already lined up to accept them if need be. I'd expect that the same would be true here: anyone who quit over an issue like this would have no trouble finding work elsewhere in the industry.
Re: (Score:2)
It doesn't matter who owns the server, since even if it is MS Ireland, they're almost certainly a wholly owned subsidiary of MS US, meaning that MS US owns that data regardless.
The EU might not agree that that is the case.
Can anyone tell me where I can buy popcorn in bulk ?
Re: (Score:2)
Yeah, that was a typo. I realized I was using "data" interchangeably with "server" when I shouldn't have been. I went back and replaced most of them, but missed that one, apparently. I didn't want to get anywhere near the topic of who owns the data, since that wasn't the point of my post and wasn't at all something I was trying to address.
Re:Who owns the server? (Score:4, Insightful)
You talk a lot about legal and illegal without mentioning jurisdiction which is rather important since the US got jurisdiction over MS US, Ireland over MS Ireland. The US can legally put the thumbscrews on MS US to produce the documents, Ireland can legally put the thumbscrews on MS Ireland to not produce the documents. Which puts Microsoft in a "damned if you do and damned if you don't" position, but there's no "world court" they can appeal to. The US can say we're right, appeal denied and Ireland can say the same. It still won't be possible for Microsoft to comply with both.
It's clear to see why the US - or indeed any country - don't like the idea that you can "jurisdiction shopping", like oh all our company data is outsourced to our wholly owned subsidiary in the Cayman Islands and we wouldn't want to break any local laws, you'll have to go through the courts there. But if that's a problem you should restrict the export of information, like if you're a US company the data on US citizens must be accessible to US courts. Trying to demand that all data held by foreign subsidiaries, even on foreign citizens be available to US courts is begging for trouble.
The reciprocity here is that a Chinese court can demand data on US citizens stored on US servers by a US subsidiary because it's owned by a Chinese company. The US would never grant the permissions it's trying to create for itself, it's one rule for us and one rule for everybody else. Hopefully the supreme court is smart enough to see that, otherwise there is only one choice: Stop making any product made by a US company in any privacy-sensitive context.
Re: (Score:2)
Great points all around, I'm glad someone made them. You're right that I glossed right over those distinctions, though I'll say that I did so intentionally since I wanted to focus on other aspects of the situation.
Thanks for the insightful comment!
Re: (Score:2)
Give me a reason to believe that's what they're doing. They're protecting corporate secrets from an intrusive government.
OTOH, the US government seems to be demanding that Irish (EU) laws be violated on Irish soil in order to satisfy their demands. Which seems a definite overreach.
If MS is compelled, (Score:2, Insightful)
Does that mean that my country's government can compel MS to hand over data stored on servers in the US?
Re: (Score:3)
If it's the data of one of your country's citizens or corporations, then why not? Even our right to privacy is not a universal shield against a warrant or subpeona.
Re: (Score:2)
Of course not. Standard US foreign policy has always been, "What's good for the goose ISN'T good for gander."
Re: (Score:2)
In Microsoft's own words (Score:4, Insightful)
This is really important not only for international privacy but also for US business profits from international sources (which is a major reason for Microsoft being on the right side of the issue).
Re: (Score:2)
Re: (Score:2)
Search warrant != Subpoena (Score:2)
A search warrant does not compel anyone to provide anything. A search warrant just means that the holder of the warrant is allowed to search, and the results of the search will be admissible as evidence. When the police say, "We're going to search your property," whether they have a warrant or not, all you have to do is step aside and not interfere.
Now, if they have a subpoena, then you may be compelled to produce some evidence, by whatever means are at your disposal.
So if the US police show Microsoft a war