Microsoft vs. DoJ: The battle for privacy in the cloud

Is a U.S. warrant enough to force an American company to breach privacy laws abroad? Microsoft with the support of friends and foes alike, says no

What issue can unite the EFF and BSA? Fox News and The Guardian? Amazon and eBay? The ACLU and the Chamber of Commerce?

The issue is the demand by the Department of Justice that Microsoft deliver the email correspondence and address book data from one of their customers as demanded by a warrant, apparently related to a drugs case (though all the documents remain sealed). Microsoft won't. The reason? The customer, the email, and the server it's on are all in Ireland and operated by a local subsidiary.

Microsoft asserts that private correspondence that's never involved the United States is outside the jurisdiction of the United States. It claims that if the government wants that data, the right way to get it is not a domestic warrant but rather the exercise of a treaty agreement between the U.S. and Irish governments. The New York District Court disagreed in April, asserting it's all business data and, as Microsoft is a U.S. company and wholly owns the Irish subsidiary in question, a simple domestic warrant is enough. In July, the 2nd Circuit Appeals Court agreed, and in September Microsoft was held in contempt of the court (at its own request) so it could progress to the Supreme Court.

If anything, the surprise is there aren't more American businesses ready to voice their concerns to the Supreme Court. If the U.S. government is allowed to demand U.S. businesses treat all data everywhere as if it fell under U.S. domestic jurisdiction, international business could become impossible for American companies. In an era of cloud computing, jurisdictional overreach on the part of any government is likely to prevent its citizens trading abroad.

Microsoft illustrates the core issue well in this excerpt from its brief to the Supreme Court:

Imagine this scenario. Officers of the local Stadtpolizei investigating a suspected leak to the press descend on Deutsche Bank headquarters in Frankfurt, Germany. They serve a warrant to seize a bundle of private letters that a New York Times reporter is storing in a safe deposit box at a Deutsche Bank USA branch in Manhattan. The bank complies by ordering the New York branch manager to open the reporter's box with a master key, rummage through it, and fax the private letters to the Stadtpolizei.

How would that be received in the United States? Microsoft explains:

The U.S. Secretary of State fumes: "We are outraged by the decision to bypass existing formal procedures that the European Union and the United States have agreed on for bilateral cooperation, and to embark instead on extraterritorial law enforcement activity on American soil in violation of international law and our own privacy laws."
Germany's Foreign Minister responds: "We did not conduct an extraterritorial search -- in fact we didn't search anything at all. No German officer ever set foot in the United States. The Stadtpolizei merely ordered a German company to produce its own business records, which were in its own possession, custody, and control. The American reporter's privacy interests were fully protected, because the Stadtpolizei secured a warrant from a neutral magistrate."

To put it more succinctly, the position Microsoft and so many others are opposing "argues that, unlike your letters in the mail, emails you store in the cloud cease to belong exclusively to you. Instead, according to the government, your emails become the business records of a cloud provider."

This is a fundamentally important case for cloud computing, so it's no surprise to see OpenStack cornerstones HP and Rackspace standing shoulder to shoulder with their competitor. It's also fundamentally important to digital rights globally, which is why the EFF and the ACLU are joined by Digital Rights Ireland and the U.K.'s Open Rights Group (of which I am a director). Let's hope the Supreme Court can see past the technical and business details to the real issue: the privacy of the citizens of every country where America trades, as well as American citizens.

Copyright © 2014 IDG Communications, Inc.

How to choose a low-code development platform