How one judge single-handedly killed trust in the US technology industry

Well that's certainly a phrase one US judge can nail on the casket of her career.
Written by Zack Whittaker, Contributor
US Judge Loretta Preska ruled Microsoft must hand over data it stores overseas
Image: Federal Bar Association

Some people volunteer at shelters. Some people play video games. Some work tirelessly for 80 hours a week for the sake of their startup.

Some destroy the global trust in the US technology industry.

In a single two-hour courtroom session on Thursday morning -- just in time for lunch -- US District Judge Loretta Preska ruled on a case that has massive global implications for US technology giants.

It's not like there was much left in the wake of the Edward Snowden disclosures, which threw nine Silicon Valley giants under the global surveillance bus more than a year ago. But we were coming to a point where our collective trust levels in these companies, which are fighting for their right to disclose government data request figures, were slowly rising -- at least in the US.

To the outside world, lack of trust was still a big issue. Particularly for Europe. As the closest continental friend to the US, there was a lot of work that needed to be done.

But as relations were beginning to improve, the US judiciary decided that, for the purposes of its own law enforcement and intelligence agencies, the world was its oyster and data stored outside of its jurisdiction was fair game.

US to Europe: We'll take what we want, when we want it

The US has a relatively long recent history of exercising its laws "extraterritorially" -- from drone strikes in Pakistan to overseas military activities, and in recent times, the bulk acquisition of data from foreign (and often friendly) states for intelligence purposes.

So it's little wonder that with this collective mindset, Preska decided to make the world's data available to the US government, in spite of foreign nations' own judicial and legal regimes, supra-national fundamental values, and even public international law.

"Microsoft contends that courts in the United States are not authorized to issue warrants for extraterritorial search and seizure, and that this is such a warrant."
-- US Judge James Francis

The ruling on Thursday follows from an earlier lower court, in which U.S. Magistrate Judge James Francis in New York ruled that a search warrant can be applied outside the country.

The theory was that because Microsoft, named in this case, owned and controlled a foreign subsidiary company based in Dublin, Ireland, any data stored in its overseas offices or datacenters still fell within US territory -- albeit loosely.

The official channels between countries that allow cross-border law enforcement operations to work, called mutual legal assistance treaties (MLAT), are "generally... slow and laborious," Francis said in his ruling. He added that the "burden" on the US government to work with other nations would be "seriously impeded."

Naturally, Francis did what any US judge would do and put the US population -- and the government -- first and foremost. It's not his, or any other justice's job, to worry about the effects on other states or nations outside his jurisdiction.

The Redmond, Wash.-based software giant was quick to challenge the ruling, pushing the case to a higher court.

Other major US technology and telecommunications giants lent a hand in the second stab at the case. Verizon submitted an amicus brief in Microsoft's support, concerned that its overseas data could also be at risk. Apple, AT&T, and Cisco also threw their weight behind the software giant.

But it's a surprise so few companies joined in, considering how the legal precedence of Preska's ruling would affect the entire US technology industry. When Preska was charged with handling the case, the burden landed on her shoulders to decide whether or not the US could legally (at least under its own jurisdiction) walk in to any foreign datacenter loosely associated with a US company and grab whatever data it wanted.

"It is a question of control, not a question of the location of that information," Preska said in the court ruling.

And so the verdict was set, at least until a higher court can take the case. Preska stayed the verdict until an appeal can be lodged, but the court had its say. Foreign data was as up-for-grabs as domestic data was.

It wasn't just a domestic case. The effects would hit the ceiling on a global scale. It was a very international problem.

Because Ireland is one of the 28 member states of the European Commission, the onus of responsibility for its laws falls between Dublin, and Brussels-based bureaucrats.

European law is relatively straightforward. Data must not leave Europe under any circumstances unless the country it's going to can guarantee the data will be treated as if it's still in Europe. Why? Because Europe's data protection and privacy rules, brought into force in 1995, are the strongest in the world. Any data held by a company in Europe still ultimately belongs to the citizen who generated it. A citizen can request access to his or her own data, and when it's no longer needed, it must be deleted.

That posed a problem for the US, which was at the time nurturing Silicon Valley-based startups, which would go on to be the technology giants who provide the services Europeans need -- from business data, social networks, and websites dedicated to kitten pictures.

Europe's data protection and privacy rules led major technology companies to build local datacenters in Ireland, Singapore, Australia, and elsewhere. It was a two-fold win: data would be stored locally, and it would reach their customers faster -- and in case of a massive facility failure, companies could "geocache" data so it can be pulled from other datacenters.

Because Europe realized Internet data still had to flow without being impeded, the Safe Harbor principles were introduced in order to create a channel between the two continents. These rules meant that US companies must promise to treat European data like it's still under European law, even when it's in their US datacenters.

If they fall foul of that, Europe can cut off the data supply. That could mean Facebook suddenly not working in the 28 member states. It's a worst case scenario, and largely unfeasible in this day and age, but those are the principles which the companies abide by.

It's not like this wasn't happening already

The US didn't always play fair, as the NSA disclosures proved.

The US government has for years, according to documents leaked by Snowden, allowed the NSA and other US intelligence and law enforcement agencies to bypass MLAT and swipe the data it wanted or needed using existing US laws.

Remember the Patriot Act? The Foreign Intelligence Surveillance Act? Both are crucial weapons in the NSA's arsenal because they can force the handover of overseas and domestic data and gag the companies from saying anything.

Both laws helped formed the basis of the NSA's PRISM program, used to take US and foreign data as and when the NSA needed it.

EU Justice Commissioner Viviane Reding, charged with protecting the data protection and privacy rights of more than 500 million Europeans, went nuclear at her American counterparts when the PRISM scandal broke. And for good reasons. She wasn't naive to think that friends don't spy on each other, but the scope in which the US was snooping on her fellow countrymen was far beyond anyone's expectations.

Reding said in the wake of the Snowden scandal that the US government must use the official MLAT channels if they want data in Europe.

But now, thanks to Preska's latest ruling, the US government has yet another legal backup line to use in order to grab what it wants, when it wants it.

There goes the global neighborhood

Questions remain over what happens next.

Some have called for Europe to take affirmative action. Remember Safe Harbor? Suspend it, say some. Data must flow, but not to a country that uses your data for its global data mining needs.

The US government and the European Union may have to hash it out in the so-called World Court. Formally known as The International Court of Justice, it's where governments take other governments to court, and remains the final arbiter of disputes between nation states.

European officials haven't ruled it out. But for now, there's little push from global governments, let alone the international court, to act. And at any rate, the US pulled out from the court's compulsory jurisdiction in the late 1980's, forcing any issue to be brought up at the United Nations -- if any state cares that much.

As for you? If you're based in the US, you may enjoy the freedom and the protections of the constitution. But you also know the risks (and are making the conscious decision) to live there.

As for the vast majority of foreigners not living in the US? The bottom line is simple, and it's a question rather than a statement.

Based on this ruling, why should you ever trust a US technology company again?

Editorial standards