Think your cloud data is protected by local laws and safe from the prying eyes of foreign entities? Think again, especially if you're a customer of a U.S. cloud service provider.
New York-based U.S. Magistrate Judge James Francis last week ruled that local search warrants must include customer data stored in servers located outside the U.S., referring to a case involving a search warrant issued to Microsoft for a customer's e-mail data stored in Dublin, Ireland. The data center houses European citizen data.
Francis said the likes of Microsoft, Google, and other online service providers should hand over such data because, if U.S. law agencies were to coordinate efforts with foreign governments to secure such information, the "burden on the [U.S.] government would be substantial" and U.S. law enforcement efforts would be "seriously impeded".
Microsoft has complied with the search warrant involving data stored locally but filed a motion to quash request for overseas data. It said: "A U.S. prosecutor cannot obtain a U.S. warrant to search someone's home located in another country, just as another country's prosecutor cannot obtain a court order in her home country to conduct a search in the United States. We think the same rules should apply in the online world, but the [U.S.] government disagrees."
The ruling confirms previous statements that U.S. authorities can legally access data housed outside the country and questions the assurance given by U.S. tech vendors, such as Verizon, that they would not subject their customer's data to foreign scrutiny.
In a blog posted in February, Verizon's general counsel Randal Milch said: "The U.S. government cannot compel us to produce our customers' data stored in data centers outside the U.S. and, if it attempts to do so, we would challenge that attempt in court."
While it remains to be seen if Francis' ruling will stand following Microsoft's appeal, it poses very serious questions about cloud data sovereignty and puts significant doubt on pledges by cloud vendors, specifically U.S. players, that customer data is indeed secured.
It also further suggests the U.S. government has little regard for foreign citizens following revelations about its cyberspying activities on other nations, and indicates a certain level of arrogance that its laws should override all others.
As ZDNet reader "P K Pal" said: "The U.S. courts are going overboard with its laws which basically challenges international laws and its implementation. U.S. domestic laws have absolutely no jurisdiction outside U.S. and its territories. They are not international law enforcers of local U.S. laws. Period. Who gave them this right?"
If the U.S. succeeds in arm-wrestling its cloud companies into giving up access to offshore cloud data, what's to stop other governments from doing likewise?
Left unchallenged, the U.S. government's arrogance will result in serious repercussions for the entire cloud ecosystem and further exacerbates business concerns about cloud data security.