Data should be subject to the rules of law where the data is stored, not where the agent’s backside is planted.
Yesterday we told you about how Microsoft is one of several companies that are encrypting their services and hardening their systems against the prying of nosy agencies like the NSA. Now Microsoft is fighting a Federal court order that it turn over the data for a user’s email account, where that email data resides on a server outside of the U.S. (in Ireland, to be specific).
The case is “In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation” (yes, that’s the real name of the case), in the United States District Court, Southern District of New York (“SDNY”), case number 13 Mag. 2814.
In this matter, Magistrate James C. Francis IV concluded that:
“Even when applied to information that is stored in servers abroad, an SCA Warrant does not violate the presumption against extraterritorial application of American law. Accordingly, Microsoft’s motion to quash in part the warrant at issue is denied.”
As we mentioned in yesterday’s article, non-U.S. customers are already concerned about the robustness of the privacy of their data – or rather lack thereof – when entrusted to a U.S.-based company.
Here is what the warrant demanded:
The information to be disclosed by Microsoft pursuant to the warrant consists of:
a. The contents of all e-mails stored in the account, including copies of e-mails sent from the account;
b. All records or other information regarding the identification of the account, to include full name, physical address, telephone numbers and other identifiers, records of session times and durations, the date on which the account was created, the length of service, the types of service utilized, the IP address used to register the account, log-in IP addresses associated with session times and dates, account status, alternative e-mail addresses provided during registration, methods of connecting, log files, and means and sources of payment (including any credit or bank account number);
c. All records or other information stored by an individual using the account, including address books, contact and buddy lists, pictures, and files;
d. All records pertaining to communications between MSN . . . and any person regarding the account, including contacts with support services and records of actions taken.
Now, on one hand, this is a lot of data. On the other hand, were the data on a server in the U.S., there would scarcely be a (legal) issue here.
Let that sink in any way you like.
International customers are far from the only ones concerned by this ruling. Verizon has filed a brief in support of Microsoft, arguing both that Francis’ ruling would “harm American businesses, undermine international agreements and understandings, and spur retaliation by foreign governments,” and that under traditional rules of law, searches and seizures take place “where the data is looked for and retrieved, not where the data is viewed by law enforcement.”
In other words, the data and warrant should be subject to the rules of law where the data is stored, not where the agent’s backside is planted.
The EFF has also said that they will file a brief in support of Microsoft, and the New York Times has stated that “European officials have expressed alarm.”
You can read Judge Francis’ full opinion in 13 Mag. 2814 here, and you can read Verizon’s brief here.