Microsoft deluged with support in its email privacy battle against US government

library
crime | hacking | security

Microsoft would prefer if the US Department of Justice (DOJ) refrained from reaching over the ocean and past international law to ransack its Irish servers.

It’s been fighting the issue in court since August, when it refused to comply with a warrant for a user’s email that was stored in a Dublin data center.

On Monday, much of the tech industry, along with civil rights advocates, backed Microsoft in its legal battle, with more than 75 civil liberties groups, technology companies, trade associations and computer scientists filing legal briefs in support of the software company.

At issue: the DOJ’s insistence that it may search Microsoft’s overseas servers with a valid US warrant, sidestepping national and international laws that protect such content.

The scope of support for Microsoft’s position is unprecedented, its counsel says.

Verizon has said that if the US prevails in this case, it would produce “dramatic conflict with foreign data protection laws.”

Apple and Cisco have also come out against the government, saying that the tech sector runs the risk of being sanctioned by foreign governments and that the US should instead seek cooperation with foreign nations via treaties: a position the US has deemed impractical.

The deluge of support that added to these previously filed briefs point to what a precedent-setting case this will be if the company loses – one that would affect the technology world on a global basis, Microsoft Executive Vice President and General Counsel Brad Smith wrote in a blog posting about the outpouring of support:

Seldom has a case below the Supreme Court attracted the breadth and depth of legal involvement we’re seeing today. … This case involves not a narrow legal question, but a broad policy issue that is fundamental to the future of global technology.

Microsoft published the list of backers that filed amicus briefs, including large media outlets such as National Public Radio, The Washington Post, The Guardian, and Forbes; leading technology companies such as Verizon, Apple, Amazon, Cisco, Salesforce, HP, eBay, Infor, ATT, and Rackspace; professors of computer science; civil rights and free speech advocates such as Digital Rights Ireland, the Electronic Frontier Foundation, and the Center for Democracy and Technology; trade groups such as the National Association of Manufacturers and the Reporters Committee for Freedom of the Press; and even the US Chamber of Commerce.

The groups and companies are all raising issues similar to those already brought up by Apple, ATT, Cisco and Verizon, Smith said:

These groups raise a range of concerns about the significant impact this case could have both on the willingness of foreign customers to trust American technology and on the privacy rights of their customers, including US customers if other governments adopt the approach to US datacenters that the US Government is advocating here.

Verizon said in its policy blog that the US government is overreaching:

The law does not allow the US government to use a search warrant to obtain customer data stored overseas. The US Supreme Court has reiterated many times that US statutes are presumed not to have extraterritorial application unless Congress “clearly expressed” its “affirmative intention” to the contrary.

There’s good reason why Congress hasn’t said that domestic US warrants should apply to data stored offshore, Verizon’s Randal Milch wrote. For one thing, the content of private email belongs to a customer, not to a provider.

The DOJ has resisted this argument, claiming that email stored in the cloud ceases to belong exclusively to us, becoming instead the business records of a cloud provider.

Because business records have a lower level of legal protection than personal records, the government claims that it can use its broader authority to reach emails stored anywhere in the world.

But if Microsoft were to give in to the government’s demands, it would actually be breaking Irish law, Verizon points out:

Ireland’s Minister for Data Protection has made clear that “when governments seek to obtain customer information in other countries they need to comply with the local laws in those countries.”

In fact, there are treaties in place that would have dictated whether or not the emails could be dug out of Microsoft’s offshore servers. Specifically, the DOJ could have followed procedures under the Mutual Legal Assistance Treaty between the US and Ireland to request the information it needed from the government of Ireland “in a manner consistent with Ireland’s laws”, Verizon points out.

Why didn’t the DOJ go that route? Many suggest that the reason is because it knew full well that it wanted something that was inconsistent with Ireland’s laws.

In its latest appeal, Microsoft argued that going outside of well-established treaties and partnerships to get at data wherever it’s stored sets a precedent for other countries to do the same and thus threaten the privacy of Americans.

There’s good reason why Microsoft and other tech companies store customers’ data close to them, Smith said:

As we’ve said since this case began, tech companies such as Microsoft for good reason store private communications such as email, photos, and documents in datacenters that are located close to our customers. This is so consumers and companies can retrieve their personal information more quickly and securely. For example, we store email in our Irish datacenter for customers who live in Europe.

And even if the treaties need an overhaul, that’s no reason to ignore them completely, he suggested:

The US has well-established treaties with countries around the world that allow them to seek the information they need while ensuring that citizens of other countries retain the privacy protections offered by their own laws and Courts. And there’s ample opportunity for work to modernize these agreements further.