TDWI | Training & Research | Business Intelligence, Analytics, Big Data, Data Warehousing

Analysis: Microsoft’s Legal Victory More about Process than Privacy

New ruling decrees that U.S. companies cannot be forced to turn over data held overseas, although the Microsoft case highlights some issues with current processes and laws.

• By James E. Powell
• July 15, 2016

Microsoft does not have to turn over email content stored in Ireland to U.S. investigators, according to the recent decision by the U. S. Court of Appeals for the Second Circuit. The ruling, however, was more about how the data was requested, not about keeping the data private.

Some background: In 2013 the District Court for the Southern District of New York denied Microsoft’s motion to quash a warrant that had been issued under the Stored Communications Act. The warrant required Microsoft Ireland Operations, Ltd. (a wholly owned Microsoft subsidiary) to produce “the contents of a customer’s email account stored on a server located outside the United States” (the email server was in Dublin, Ireland) and noted the company would face civil contempt charges if it failed to comply. The emails were part of an investigation into narcotics smuggling.

Microsoft turned over the metadata about the email but refused to turn over the email content itself, choosing to appeal the decision. In May 2014 a federal magistrate confirmed the original decision. Thursday’s ruling by the U.S. Circuit Court reverses these decisions, siding with Microsoft.

The unanimous ruling of the three-judge panel reads, in part:

We conclude that § 2703 of the Stored Communications Act does not authorize courts to issue and enforce against U.S.-based service providers warrants for the seizure of customer email content that is stored exclusively on foreign servers.

The Center for Democracy & Technology (CDT) released a quote from Greg Nojeim, CDT director of the freedom, security, and technology project: “This ruling is a major affirmation that the rights we enjoy in the physical world continue to apply in the digital world. By declaring that a U.S. warrant cannot reach communications content stored abroad, the court ruled strongly in favor of privacy and national rule of law.” 

Nojeim continued, “Had the Department of Justice prevailed in this case, other countries would follow the U.S. lead and start claiming access to data stored here in the U.S. based on their own laws. It would have been like the Wild West and disaster for privacy.”

CDT was among 23 trade associations and advocacy groups and 28 technology and media companies -- including Amazon, Apple, CNN, Forbes, Fox News, and the ACLU -- that filed amicus briefs in support of Microsoft’s position.

Daniel Castro, vice president of the Information Technology and Innovation Foundation, a tech policy think tank, seemed less concerned about the issue of privacy and more about the process.

A note from the company to Upside explained, “As we argued almost two years ago, ‘the question here isn't whether the U.S. government can gain lawful access to this data, but rather the process it should use to do so. Instead of using a search warrant, the U.S. government agency in question could have sought access to this account information using a Mutual Legal Assistance Treaty [MLAT]. MLATs are agreements designed for law enforcement agencies to receive and provide assistance to their counterparts in other countries. The U.S. has MLATs with more than 50 countries, including Ireland.’”