In a case that could ultimately have huge implications for how tech companies deal with law enforcement requests, an up-and-coming tech company called Microsoft is currently fighting a government-issued search warrant seeking customer emails. In late 2013, a New York federal magistrate judge granted prosecutors a search warrant that would force Microsoft to deliver the customer’s emails to the feds. A federal request for data is nothing new, of course, but this one has a twist: the emails in question are stored on a server in Microsoft’s Dublin, Ireland, data center.
Violating International Law, Reducing Privacy Protection Worldwide
Microsoft has thus far refused to comply, saying in a court filing that if the warrant is executed, it “would violate international law and treaties, and reduce the privacy protection of everyone on the planet.” Microsoft’s statement went on to argue that prosecutors have no right to seek information stored elsewhere.
“The government cannot seek and a court cannot issue a warrant allowing federal agents to break down the doors of Microsoft’s Dublin facility. Likewise, the government cannot conscript Microsoft to do what it has no authority itself to do; i.e., execute a warranted search abroad,” the statement reads, in part.
Fulfilling the court’s request, the company says, will negatively impact Microsoft’s business and erode the trust of foreign governments and companies.
Verizon has championed Microsoft’s cause, filing an amicus brief in support. The brief states, in part, that if the court order goes through, it “could cost U.S. businesses billions of dollars in lost revenue, undermine international agreements and understandings, and prompt foreign governments to retaliate by forcing foreign affiliates of American companies to turn over the content of customer data stored in the United States.”
EFF is also planning to file a supporting brief.
Microsoft, Google, and other major tech companies store customer information—like emails—at countless data centers across the globe. In this instance, because the customer’s email data is stored in Ireland, Microsoft says it “resides on a specific server in the Dublin datacenter… [and] does not exist in any form inside the United States.”
Those same tech companies also regularly publish “transparency reports” that plainly describe the number and nature of data requests made by the government (case-specific information is withheld in the name of discretion). Unless they are backed by valid subpoenas, warrants, or court orders, however, Microsoft does not fulfill any request of this nature.
Prosecutors maintain that the case at hand is a special instance, as it relates to a specific criminal investigation—reportedly involving drug dealing and money laundering—and is supported by an already-approved warrant.
What Says the Man?
“Imposing the limitations urged by Microsoft would lead to absurd results and undercut several criminal investigations conducted by U.S. law enforcement,” Preet Bharara, U.S. attorney for the Southern District of New York, wrote in a court filing. He also stated that Microsoft should not consider physical and digital search warrants to be on equal footing, especially as the electronic data can be readily accessed by Microsoft employees in the U.S.
This type of search warrant, Bharara stated, is “functional[ly] equivalent [to] a subpoena or other investigative demand served on a service provider, which compels the provider to review its stored records and produce relevant material” regardless of where said material is stored.
Additionally, in a classic case of not understanding how the internet or service providers work, Bharara wrote that, “A person planning or committing crimes in or affecting the US could easily reduce the risk of detection by providing false information about his place of residence, causing Microsoft to store responsive records outside the U.S. and beyond law enforcement’s ability to obtain the records in a timely manner, if at all. Such a restriction would have a devastating impact on the government’s ability to conduct criminal investigations.” Because there is absolutely no way for a tech company to verify where a customer’s data is coming from. None whatsoever.