Microsoft is resisting demands from the US government for it to cough up email hosted in its Irish datacentre in a case that could have dramatic implications for US cloud providers.
With suspicion of US tech companies already running high over the US government spying revealed last year by whistleblower Edward Snowden, Microsoft faces another battle that could — if it loses — undermine trust in US cloud providers.
The Washington Post yesterday reported that Microsoft is pushing back against a search warrant issued last December by a magistrate judge in New York that demands Microsoft hand over emails stored in its Dublin, Ireland datacentre.
The emails being sought by the government relate to a drug trafficking investigation, according to the paper. Microsoft announced its opposition to the government's efforts in April.
In documents filed with the court on late last week, Microsoft outlined objections to a magistrate's order that denied the company's previous motion to cancel a search warrant for customer information located outside the US.
"The government cannot seek and a court cannot issue a warrant allowing federal agents to break down the doors of Microsoft's Dublin facility," Microsoft's lawyers argued, noting that Congress has never authorised US courts to issue warrants that reach outside of US territory.
Similarly, it can't force Microsoft to hand over the emails stored abroad when the government doesn't have the authority itself to do so.
At the heart of battle in Microsoft's view is a disagreement over the interpretation of the term "warrant" under the US Electronic Communications Privacy Act (ECPA).
According to Microsoft, the court says it hasn't actually issued a search warrant but some "hybrid" between a warrant and a subpoena under the ECPA — and therefore knocked back Microsoft's attempt to vacate the warrant.
Microsoft says the two are distinct: a warrant can't be issued for evidence located in foreign territory; if it's a subpoena, the government is required to order the target of the investigation to hand over the information, not Microsoft.
"The government takes the extraordinary position that by merely serving such a warrant on any US-based email provider, it has the right to obtain the private emails of any subscriber, no matter where in the world the data may be located, and without the knowledge or consent of the subscriber or the relevant foreign government where the data is stored," Microsoft's lawyers argued.
The New York Times noted in its report, the hybrid warrant was created under the ECPA to limit the disclosure of stored communications and place rules around how government could obtain it. Microsoft meanwhile argues that rules that apply in the physical world should apply online too -- which the magistrate who knocked back Microsoft's attempt to dodge the warrant clearly disagreed with.
In April, the judge explained why the hybrid warrant doesn't overreach US jurisdiction:
"It is obtained like a search warrant when an application is made to a neutral magistrate who issues the order only upon a showing of probable cause. On the other hand, it is executed like a subpoena in that it is served on the ISP in possession of the information and does not involve government agents entering the premises of the ISP to search its servers and seize the e-mail account in question."
Still, Microsoft argues that rather than issue a warrant, the court should conform to the Mutual Legal Assistance Treaty negotiated between the US and Ireland if the government wants to access data on Irish territory.
As noted by the Post, Verizon lawyer Michael Vatis submitted a friend of the court brief warning of dire consequences to US cloud providers.
"If the government's position prevails, it would have huge detrimental impacts on American cloud companies that do business abroad," wrote Vatis.
Should Microsoft lose this battle, the case could further harm already strained relations between Europe and the US following the revelation of the latter's PRISM surveillance program -- and of course damage Europe's perception of US cloud providers more than what's already been done.
In a bid to restore trust in US cloud providers, Microsoft, Google and others have stepped up encryption programs and have become more vocal about resistance to government warrants for access customer data.
Microsoft's chief counsel Brad Smith last week detailed in a blog post the challenges Microsoft faces in Europe.
"With the advent of mobile devices and cloud services, technology has never been more powerful or more personal. But as I encountered in virtually every meeting during a recent trip to Europe, as well as discussions with others from around the world, people have real questions and concerns about how their data are protected. These concerns have real implications for cloud adoption. After all, people won’t use technology they don’t trust," he said.
Commenting on the current dispute with the court, Smith added: "The US government should stop trying to force tech companies to circumvent treaties by turning over data in other countries. Under the Fourth Amendment of the US Constitution, users have a right to keep their email communications private. We need our government to uphold Constitutional privacy protections and adhere to the privacy rules established by law. That's why we recently went to court to challenge a search warrant seeking content held in our datacenter in Ireland. We're convinced that the law and the US Constitution are on our side, and we are committed to pursuing this case as far and as long as needed."