The battle over government reach into data stored in overseas data centers should be top of mind for IT organizations. It has significant implications for whether cloud-stored data can be protected, and the battle so far suggests that if either side completely wins, the result would be unpleasant.
The U.S. Justice Department and Microsoft are waging a war over whether federal prosecutors in the United States can access email stored on servers in Ireland. The specific issue is the feds’ demands for emails that belong to a suspect in a narcotics investigation, but the big issue is whether national governments can force a company to provide access to user data stored in other countries.
The Justice Department requested the emails in December 2013. However, Microsoft refused that request. It stated that U.S. authorities have no power to enforce a warrant for data stored overseas.
In April 2014, a federal judge agreed with U.S. prosecutors and ordered Microsoft to hand over the emails. Microsoft again refused and was found in contempt; the Second U.S. Circuit Court of Appeals has been asked to settle the case. Oral arguments took place last September, and a ruling is expected imminently.
These kinds of cases will accelerate as the government tests the bounds of existing, often outdated laws and as cloud providers try to protect what they see as their -- and their customers' -- private data. After all, companies moving to the cloud may think twice about cloud adoption if any government has access to their data on demand anywhere it resides.
For example, as Microsoft argues, if the United States can compel it to turn over data stored in Ireland, the Chinese government could compel it to turn over data stored in the United States. The unintended consequences of the U.S. government's request are worrisome to contemplate. That's why a full Justice Department win here is worrisome.
But a full win by Microsoft is also worrisome. I understand the desire to deny access to everything, but the government will fight that stance to the point of distraction. Cloud providers and cloud users need clarity, not more limbo.
I can’t help but think there is a compromise that can be had here between the cloud providers and the government. Although the government should not have access to data in clouds on demand, there should be a defined process that would allow the government access to some data when specific criteria have been satisfied -- and the authorities in the countries where the data resides are able to participate.