US arrogance puts further doubt on cloud data sovereignty

Summary: Customers of U.S. cloud providers should seriously rethink their service contracts, following a U.S. judge's obnoxious ruling that local search warrants must include customer data stored overseas.


Think your cloud data is protected by local laws and safe from the prying eyes of foreign entities? Think again, especially if you're a customer of a U.S. cloud service provider. 

New York-based U.S. Magistrate Judge James Francis last week ruled that local search warrants must include customer data stored in servers located outside the U.S., referring to a case involving a search warrant issued to Microsoft for a customer's e-mail data stored in Dublin, Ireland. The data center houses European citizen data. 

Francis said the likes of Microsoft, Google, and other online service providers should hand over such data because, if U.S. law agencies were to coordinate efforts with foreign governments to secure such information, the "burden on the [U.S.] government would be substantial" and U.S. law enforcement efforts would be "seriously impeded". 

Microsoft has complied with the search warrant involving data stored locally but filed a motion to quash the request for overseas data. It said: "A U.S. prosecutor cannot obtain a U.S. warrant to search someone's home located in another country, just as another country's prosecutor cannot obtain a court order in her home country to conduct a search in the United States. We think the same rules should apply in the online world, but the [U.S.] government disagrees."

The ruling confirms previous statements that U.S. authorities can legally access data housed outside the country and questions the assurance given by U.S. tech vendors, such as Verizon, that they would not subject their customers' data to foreign scrutiny.

In a blog post published in February, Verizon's general counsel Randal Milch said: "The U.S. government cannot compel us to produce our customers' data stored in data centers outside the U.S. and, if it attempts to do so, we would challenge that attempt in court."

While it remains to be seen if Francis' ruling will stand following Microsoft's appeal, it poses very serious questions about cloud data sovereignty and puts significant doubt on pledges by cloud vendors, specifically U.S. players, that customer data is indeed secured.

It also further suggests the U.S. government has little regard for foreign citizens following revelations about its cyberspying activities on other nations, and indicates a certain level of arrogance that its laws should override all others.

As ZDNet reader "P K Pal" said: "The U.S. courts are going overboard with its laws which basically challenges international laws and its implementation. U.S. domestic laws have absolutely no jurisdiction outside U.S. and its territories. They are not international law enforcers of local U.S. laws. Period. Who gave them this right?"

If the U.S. succeeds in arm-wrestling its cloud companies into giving up access to offshore cloud data, what's to stop other governments from doing likewise?  

Left unchallenged, the U.S. government's arrogance will result in serious repercussions for the entire cloud ecosystem and further exacerbate business concerns about cloud data security.



Eileen Yu began covering the IT industry when Asynchronous Transfer Mode was still hip and e-commerce was the new buzzword. Currently a freelance blogger and content specialist based in Singapore, she has over 16 years of industry experience with various publications including ZDNet, IDG, and Singapore Press Holdings.

  • Don't blame the judge

    I have to assume he was interpreting the law as he saw it (which is his duty). Responsibility should rest with the politicians who wrote the law and those not trying to repeal it.
    John L. Ries
    • No, the judge is imposing his own judgement

      He is not interpreting a law, he basically wrote that it would be just too much trouble for prosecutors to have to go to the other legal entities and follow the other entities' rules.
      • International Laws gone to the dogs in US

        P K Pal
      • Idiot Judge

        What is so difficult about asking the Irish government to subpoena the relevant data on the servers in Ireland?
        • They just might refuse :)

          Can't have that.
          • If refused

            If the Irish refused it is probably because the Irish courts did not believe the US had enough evidence of any criminal activity to authorize a warrant.
          • Exactly.

            And I'm sure the judge would be singing a different tune, if it was a Russian court forcing MS to hand over data about US citizens.
          • Depends...

            ...on whether the US has any laws on the subject, but it wouldn't matter to the Russian court one bit.

            While it's true that US judges do sometimes seem to follow their own sense of justice and then rationalize it based on some distorted interpretation of statute and case law, they're not supposed to, and we really shouldn't encourage them to do it, as it:

            1. Lets Congress and/or state legislatures off the hook instead of forcing them to take responsibility for their own mistakes.

            2. It makes the written law pretty much meaningless, making it very hard for non-lawyers to know what the law really is.

            3. It's flat-out dishonest.
            John L. Ries
          • Forgot some more reasons

            4. It reduces respect for the rule of law.

            5. It makes a mockery of the very concept of democracy.
            John L. Ries
    • There can be no legal basis for

      extra-territorial sovereignty, unless the US believes it has a sovereign claim over the entire world.
      • But it is sovereign...

        ...over US chartered corporations, which is at the heart of the problem. In the end *all* corporations are creatures of the state and obligated to follow the laws of the states in which they are incorporated. There is no such thing as a sovereign or stateless corporation, nor do I think there should be.

        Call it the fundamental contradiction of laissez-faire capitalism.
        John L. Ries
        • But

          the data is held on servers subject to EU Law. MS cannot hand over the data without a valid EU warrant without facing prosecution for breaking data protection laws.

          And the data is probably held by the Irish subsidiary, not MS USA.
          • MS could stop doing business in Ireland

            If a corporation can't follow the laws of both its home jurisdiction and all of the foreign jurisdictions in which it does business, then it really has no choice but to withdraw from as many of the latter as necessary to eliminate the conflict.

            And withdrawing would put some needed heat on our politicians.
            John L. Ries
          • Difficult

            the problem is, that would mean pulling out of Europe completely, which is a bigger market than the USA. They'd also have to stop doing business in pretty much any country, other than the USA. If all large Internet companies start having to do that, the USA will end up pretty isolated and their balance of payments will fall off a cliff.
          • Exactly right, at least in the case of the EU

            If the judge is right, and I strongly suspect he is, then that is exactly what MS will be compelled to do, unless either Congress or the European Parliament changes their respective law.
            John L. Ries
    • Under EU Law

      Companies like Microsoft cannot hand over personally identifiable data belonging to EU citizens without first being served a valid EU warrant or getting the written permission of the person(s) involved. If they hand over the information, they are liable to prosecution for breach of the Data Protection laws in the EU.

      The servers are outside US jurisdiction and the data is held under other laws.

      I'm not sure if the judge thinks his surname should be Dredd, or if he thinks he is part of Team America: World Police, but he is definitely stepping outside the bounds of what is legal.
  • Which law?

    Since I can't find the ruling, do you know which law he's supposedly interpreting? I'd be very interested in a law that says it's all right to violate another nation's sovereignty when it's too difficult for US law enforcement to follow established procedure.
  • Judge's obnoxious ruling?

    Why, because he took into account both US and EU laws and had no choice but to rule that way?
    • ? What are you talking about?

      When you say the judge took the EU laws into account, you mean he chose to ignore them because they are inconvenient?

      The server is listed as containing EU citizens' data, not US. The judge ruled that US law enforcement can make a US company give up personal information of a foreign country, that is physically hosted in a foreign country.
      So just because Microsoft's headquarters are located in Washington state, that technicality allows jurisdiction?

      If a German company was handing over your information from a computer here, just because the German government asked for it, you'd be singing a different tune.

      If the server was in the US, there would be no reason to subpoena since the NSA copies and stores all email.
      • It's not his job to interpret EU law

        A US federal court's rulings have to be made on the basis of the Constitution and laws of the US, and the treaties to which the US is a party. I can't say that all federal judicial decisions are based on impartial readings of the above, but such is the theory. And we really don't want US courts trying to figure out and apply the laws of foreign jurisdictions anyway (much better for each jurisdiction's courts to apply its own laws); their existing job is hard enough as it is.
        John L. Ries