How one judge single-handedly killed trust in the US technology industry

How one judge single-handedly killed trust in the US technology industry

Summary: Well that's certainly a phrase one US judge can nail on the casket of her career.

TOPICS: Security, Legal, Privacy
US Judge Loretta Preska ruled Microsoft must hand over data it stores overseas (Image: Federal Bar Association)

Some people volunteer at shelters. Some people play video games. Some work tirelessly for 80 hours a week for the sake of their startup. 

Some destroy the global trust in the US technology industry.

In a single two-hour courtroom session on Thursday morning — just in time for lunch — US District Judge Loretta Preska ruled on a case that has massive global implications for US technology giants.

It's not like there was much left in the wake of the Edward Snowden disclosures, which threw nine Silicon Valley giants under the global surveillance bus more than a year ago. But we were coming to a point where our collective trust levels in these companies, which are fighting for their right to disclose government data request figures, were slowly rising — at least in the US.

To the outside world, lack of trust was still a big issue. Particularly for Europe. As the closest continental friend to the US, there was a lot of work that needed to be done.

But as relations were beginning to improve, the US judiciary decided that, for the purposes of its own law enforcement and intelligence agencies, the world was its oyster and data stored outside of its jurisdiction was fair game.

US to Europe: We'll take what we want, when we want it

The US has a relatively long recent history of exercising its laws "extraterritorially" — from drone strikes in Pakistan to overseas military activities, and in recent times, the bulk acquisition of data from foreign (and often friendly) states for intelligence purposes.

So it's little wonder that with this collective mindset, Preska decided to make the world's data available to the US government, in spite of foreign nations' own judicial and legal regimes, supra-national fundamental values, and even public international law.

"Microsoft contends that courts in the United States are not authorized to issue warrants for extraterritorial search and seizure, and that this is such a warrant." 
— US Judge James Francis

The ruling on Thursday follows from an earlier lower court, in which U.S. Magistrate Judge James Francis in New York ruled that a search warrant can be applied outside the country.

The theory was that because Microsoft, named in this case, owned and controlled a foreign subsidiary company based in Dublin, Ireland, any data stored in its overseas offices or datacenters still fell within US territory — albeit loosely.

 The official channels between countries that allow cross-border law enforcement operations to work, called mutual legal assistance treaties (MLAT), are "generally... slow and laborious," Francis said in his ruling. He added that the "burden" on the US government to work with other nations would be "seriously impeded."

Naturally, Francis did what any US judge would do and put the US population — and the government — first and foremost. It's not his, or any other justice's job, to worry about the effects on other states or nations outside his jurisdiction.

The Redmond, Wash.-based software giant was quick to challenge the ruling, pushing the case to a higher court.

Other major US technology and telecommunications giants lent a hand in the second stab at the case. Verizon submitted an amicus brief in Microsoft's support, concerned that its overseas data could also be at risk. Apple, AT&T, and Cisco also threw their weight behind the software giant.

But it's a surprise so few companies joined in, considering how the legal precedence of Preska's ruling would affect the entire US technology industry. When Preska was charged with handling the case, the burden landed on her shoulders to decide whether or not the US could legally (at least under its own jurisdiction) walk in to any foreign datacenter loosely associated with a US company and grab whatever data it wanted.

"It is a question of control, not a question of the location of that information," Preska said in the court ruling. 

And so the verdict was set, at least until a higher court can take the case. Preska stayed the verdict until an appeal can be lodged, but the court had its say. Foreign data was as up-for-grabs as domestic data was.

It wasn't just a domestic case. The effects would hit the ceiling on a global scale. It was a very international problem.

Because Ireland is one of the 28 member states of the European Commission, the onus of responsibility for its laws falls between Dublin, and Brussels-based bureaucrats.

Read this

EU 'assessing U.S. relationship' amid PRISM spying claims

EU 'assessing U.S. relationship' amid PRISM spying claims

In a letter obtained by ZDNet, the EU justice chief hints at consequences to come for the U.S. government if European citizens were targeted by the NSA's PRISM program.

European law is relatively straightforward. Data must not leave Europe under any circumstances unless the country it's going to can guarantee the data will be treated as if it's still in Europe. Why? Because Europe's data protection and privacy rules, brought into force in 1995, are the strongest in the world. Any data held by a company in Europe still ultimately belongs to the citizen who generated it. A citizen can request access to his or her own data, and when it's no longer needed, it must be deleted.

That posed a problem for the US, which was at the time nurturing Silicon Valley-based startups, which would go on to be the technology giants who provide the services Europeans need — from business data, social networks, and websites dedicated to kitten pictures.

Europe's data protection and privacy rules led major technology companies to build local datacenters in Ireland, Singapore, Australia, and elsewhere. It was a two-fold win: data would be stored locally, and it would reach their customers faster — and in case of a massive facility failure, companies could "geocache" data so it can be pulled from other datacenters.

Because Europe realized Internet data still had to flow without being impeded, the Safe Harbor principles were introduced in order to create a channel between the two continents. These rules meant that US companies must promise to treat European data like it's still under European law, even when it's in their US datacenters.

If they fall foul of that, Europe can cut off the data supply. That could mean Facebook suddenly not working in the 28 member states. It's a worst case scenario, and largely unfeasible in this day and age, but those are the principles which the companies abide by.

It's not like this wasn't happening already 

The US didn't always play fair, as the NSA disclosures proved.

The US government has for years, according to documents leaked by Snowden, allowed the NSA and other US intelligence and law enforcement agencies to bypass MLAT and swipe the data it wanted or needed using existing US laws. 

Remember the Patriot Act? The Foreign Intelligence Surveillance Act? Both are crucial weapons in the NSA's arsenal because they can force the handover of overseas and domestic data and gag the companies from saying anything.

Both laws helped formed the basis of the NSA's PRISM program, used to take US and foreign data as and when the NSA needed it. 

EU Justice Commissioner Viviane Reding, charged with protecting the data protection and privacy rights of more than 500 million Europeans, went nuclear at her American counterparts when the PRISM scandal broke. And for good reasons. She wasn't naive to think that friends don't spy on each other, but the scope in which the US was snooping on her fellow countrymen was far beyond anyone's expectations.

Reding said in the wake of the Snowden scandal that the US government must use the official MLAT channels if they want data in Europe. 

But now, thanks to Preska's latest ruling, the US government has yet another legal backup line to use in order to grab what it wants, when it wants it.

There goes the global neighborhood

Questions remain over what happens next.

Some have called for Europe to take affirmative action. Remember Safe Harbor? Suspend it, say some. Data must flow, but not to a country that uses your data for its global data mining needs. 

The US government and the European Union may have to hash it out in the so-called World Court. Formally known as The International Court of Justice, it's where governments take other governments to court, and remains the final arbiter of disputes between nation states.

European officials haven't ruled it out. But for now, there's little push from global governments, let alone the international court, to act. And at any rate, the US pulled out from the court's compulsory jurisdiction in the late 1980's, forcing any issue to be brought up at the United Nations — if any state cares that much.

As for you? If you're based in the US, you may enjoy the freedom and the protections of the constitution. But you also know the risks (and are making the conscious decision) to live there. 

As for the vast majority of foreigners not living in the US? The bottom line is simple, and it's a question rather than a statement.

Based on this ruling, why should you ever trust a US technology company again? 

Topics: Security, Legal, Privacy

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Personal attack isn't appropriate

    Judges only interpret the law and don't make it. It's up to the Congress to deal with the issue if the ruling stands.
    Buster Friendly
    • I agree, but

      The interpretation will depends on what possition US think they are. If they think they are the ruler of the whole world, then the US law will be applied to the whole world.

      US usually put themselves in the wrong position. They can even invade Iraq to arrest the president of that country.
      • Another example

        The feeling of guilty or not also depends on who you think you are and what you should have. For example, if a head of a department think he is the king and all members are his slaves, he will not feel any guilty to ask a lady to show the breast
        • Dear Smiling Guy

          Asking a woman judge to show a breast isn't worthwhile.

          I imagine your a white middle-aged male.
          • Malcolm

            Check the grammar from S.G......unlikely a "white" middle-aged male.
            tim bo
          • Pathetic

            I imagine *you're* a semi-literate young white male who's been trained to reflexively damn whiteness and maleness to gain politically correct approval. Good work. Go get your cookie and pat on the head. Or grow some balls and intelligence. Your choice.
      • The issue isn't just with US law

        It's the view of the US that the laws of other nations don't matter, and whatever they want goes.
        Not that this is a new view of the US Government, they already think they rule everyone, but it's going to hurt your economy...........
        • U.S. immunity to international law

          This idea has been especially pushed by Conservatives who believe that any international laws are a least potential and often real assaults on U.S. sovereignty. No one should be surprised by some judges agreeing with this.
          • International Law

            The US is immune to international laws in the US. Likewise Europe is not bound by US laws over there. There can be agreements and arrangements that are acceptable to both.
          • There already are

            there is a decades old agreement in force between the USA and Ireland for obtaining just such information.

            But it is slow and long winded and requires the US authorities to make contact with people "that talk funny". Why do that, when you can make a corporation act illegally and put its employees at risk of prosecution in a foreign country?
          • and yet

            Had you read the Constitution of the United States, it specifically states supremacy over all other law, meaning originally and as interpreted by true judgement, that no international law or body has any jurisdiction over the United States.
            Just as our enemies have always struck at us when possible, the US must take measures to prevent them from doing so.
            The problem is intelligence, and preventing another 9-11. The same government officials rushing to microphones to whine that Bush "should have prevented" were the ones which created the laws preventing intel from working together to piece the information into a prediction.
            Will we be doing the same?
          • no it doesnt

            You are referring to Article Six of the Constitution.

            This Constitution, and the Laws of the United States which shall be made in Pursuance thereof; and all Treaties made, or which shall be made, under the Authority of the United States, shall be the supreme Law of the Land; and the Judges in every State shall be bound thereby, any Thing in the Constitution or Laws of any State to the Contrary notwithstanding.

            The US is a signatory to numerous treaties and international agreements that are applicable to this case and the US is legally bound by those treaties. A judge does not have the authority to overrule or abrogate them.
          • Treaties are subordinate

            to the Constitution. This has been ruled so numerous times.
          • Likewise

            European law trumps US law in Europe. As the servers are owned by an Irish company on Irish soild, which, last time I looked, was part of Europe, not the USA, that means that a US warrant has no validity in Ireland and for the Irish company owning the server.

            Which means Microsoft USA will have to act illegally in Ireland and put the employees of Microsoft Ireland at risk of prosecution, if they follow the US warrant.

            Microsoft just has to chose who is more expendable, Satya Nadella or the executives in Ireland...
        • Reagan...

          Did not Reagan call this the evil empire...oops, sorry, that was Russia.
          • No - that was the Soviet Union.

            Though Russia seems to be trying to resurrect it...
          • while shes at it

            Can she at least demand the IRS hand over hard drives for independent data recovery? (I mean seeing as they all kept email locally and not on email servers with no tape backups kept offsite - as almost every other business does)
        • ...and the US has to realise...

          ...that they are no longer a trusted nation. The EU is very wary of the US, as are many of oriental countries. The current ruling will be seen as intolerable and incompatible with e.g EU law and there will inevitably be repercussions, unless the US acts quickly.

          In Europe we already have limitations on our ability to collaborate with US partners because of the perceived weakness of US data protection legislation.

          If the US effectively says that local legislation has no bearing, then we have a big, big problem.

          Try reversing the roles and imagining the consequences and how the US government might react.
          • They do realize it.

            The U.S. government just doesn't care whether anyone trusts them. They're out to create a one-world government with themselves at the top. Everyone else should realize that most of the educated citizens of the U.S. don't like these bullying tactics any more than the EU likes them. We have the illusion of a democracy in the U.S. We are given the choice between two candidates who are both hand-picked by a shadowy group of the world's rich and powerful (Bilderberg Group) to push one or another part of their one world government agenda. Our leaders are nothing more than puppets. Sadly, most of your leaders are controlled by the same group. As they say in the "training sessions" held in secret for the most wealthy people in the world, "Own nothing. Control everything."
        • All nations have this attitude