Microsoft locates a customer’s data in the data centre nearest to the customer and, according to the judgment, doesn’t keep a copy in the US. This is partially to reduce network latency but also, as Microsoft had presumably hoped, to provide better data protection for its customers and possible immunity from access requests by the US government. The judge didn’t consider whether there was a backup copy of the data in the US and, if there had been, maybe this case would have revolved around getting access to that backup copy instead.
Microsoft argued that the warrant for access to the data issued under the Stored Communications Act did not have “extra-territorial power”, that is, the warrant should not apply outside the USA. The judge analysed case law but decided that such a limitation would be too inconvenient for US law enforcement:
If the territorial restrictions on conventional warrants applied [here], the burden on the Government would be substantial, and law enforcement efforts would be seriously impeded.
That doesn’t sound too unreasonable in some ways. As the judge pointed out, a criminal could simply hide his data in another jurisdiction. The other section that caught my eye was the dismissal of the established process of asking a foreign government to hand over data held on its soil through a Mutual Legal Assistance Treaty. The judge quoted a commentator who said:
This process generally remains slow and laborious, as it requires the cooperation of two governments and one of those governments may not prioritize the case as highly as the other.
What wasn’t clear from the case was why there was a US warrant against a Microsoft customer who wasn’t based in the USA. Were they a US citizen based in Europe? Did they set up the account while in the USA but then move to Europe? It’s also not clear if the outcome would have been different if the customer had entered into a contract with Microsoft Ireland instead of Microsoft Corporation. Also, does this undermine Yahoo UK’s decision to move to Ireland?
What lessons can we learn?
- If your data is held by a US provider, even in Europe, the US government can get access to it and you probably won’t even know they’re doing it
- US interests can circumvent having to use established processes under Mutual Legal Assistance Treaties and dealing with slow sovereign governments
- If you want to avoid USA snooping, make sure there is no US provider anywhere in your cloud supply chain
- And don’t forget, of course, all governments have similar powers…
Go visit the original story here:
US can get your data. Anywhere