U.S. judges will decide if Microsoft has to turn over data stored outside American borders. A multibillion-dollar industry hangs in the balance.
The Justice Department and lawyers for technology giant Microsoft are waging a high-stakes war over whether federal prosecutors in the United States can gain access to email stored on servers in Ireland, a case that could have far-reaching implications for the future of law enforcement in the digital age.
At issue is Washington’s demands for emails belonging to a suspect in a narcotics investigation. The Justice Department first sought the emails in December 2013, but Microsoft refused that request, saying U.S. authorities have no power to enforce a warrant for data stored overseas. The following April, a federal judge agreed with U.S. prosecutors and ordered Microsoft to hand over the records. Microsoft again refused, was found in contempt, and now the 2nd U.S. Circuit Court of Appeals has been asked to settle a case that is being closely watched in both Washington and Silicon Valley. Oral arguments took place last September, and a ruling is expected imminently.
The dispute has emerged as a test case for the era of cloud computing, which allows customers of firms such as Amazon to store their data on a network of servers around the world and retrieve it at will. Microsoft is a major player in this rapidly growing industry, which brings in annual revenues of more than $20 billion. According to Synergy Research, the industry’s four major players — Amazon, Microsoft, IBM, and Google — control slightly more than half the cloud market, with Microsoft’s market share amounting to 12 percent.
And as Microsoft’s flagship Windows operating system struggles to keep pace with the broader shift from desktop computers to mobile devices, the company has looked to cloud computing as a key way to bolster its bottom line. In quarterly earnings released in October, the company said its “intelligence cloud” services pulled in $5.9 billion.
Now, the company is going to the mat to keep those dollars flowing — and raising the specter of an Orwellian future to help make its case.
Microsoft argues that compelling it to give U.S. prosecutors data from the Irish server could allow law enforcement authorities in an authoritarian state like China to demand the company turn over the emails of, for example, an overseas dissident group. As Microsoft sees it, the U.S. government has taken an outdated law — the 1986 Stored Communications Act — and interpreted it in such a way to give itself maximum police power. “According to the U.S. government, private papers or photos stored in the cloud lack the basic legal rights of the same material stored in your desk drawer or on your hard drive,” David Howard, a deputy general counsel at Microsoft, told Foreign Policy in an interview.
Other top Microsoft executives have gone even further. “This issue is about the future of technology,” Brad Smith, Microsoft’s then-general counsel and current president, told the Council on Foreign Relations in August. At stake, he said, are “the future of the Internet, privacy, respect for borders, and public safety.”
The U.S. government argues that the emails in question are standard business records under the control of Microsoft and that by not turning them over the company is thumbing its nose at the Justice Department. On April 25, 2014, the U.S. District Court for the Southern District of New York upheld a search warrant and probable cause, finding that Microsoft was in possession of records relevant to a major investigation. Microsoft has appealed that decision, and the dispute now rests with the appellate court.
The bitter fight between Microsoft and the Justice Department wouldn’t have been possible before the advent of cloud computing. Today, Microsoft operates data centers around the world, and it generally places customer data as close as possible to its users. While a user in Thailand could access her Hotmail emails while stored on a U.S. server, placing that data in a Hong Kong data center allows Microsoft to improve what’s known as network latency, or the speed with which data is delivered to the user.
And when Internet service companies compete with one another on speed and reliability, quickly delivering data becomes a business imperative. But that imperative also has profound consequences for U.S. law enforcement. Moving data abroad may make it more difficult for law enforcement authorities to access digital evidence at a time when the FBI argues U.S. companies aren’t doing enough to enable their investigations.
Elsewhere in the world, authorities in individual countries are similarly asking Microsoft to turn over data from servers stored outside their borders. In Brazil, authorities arrested a Microsoft executive in January 2014 for his company’s refusal to produce Skype data belonging to the target of a criminal investigation. Microsoft said that data was stored on U.S. servers and that the company was bound by U.S. privacy laws not to turn it over.
Indeed, American data laws present a thicket of hoops that foreign law enforcement agencies have to jump through in order to obtain the contents of customer data — such as emails — held in the United States. The Electronic Communications Privacy Act requires foreign law enforcement agencies to present a request for the data to the Justice Department. The department reviews that order, and it is then forwarded to a U.S. attorney, who goes to a judge, obtains a warrant, and presents it to the company in question. The requested data is then routed back to the foreign government via the Justice Department, a process that can take on the order of 10 months.
“The more law enforcement looks to digital forms of evidence, the more they face these massive delays because of things like requirements in U.S. law,” said Jennifer Daskal, an assistant law professor at American University who has written extensively about data location and privacy.
U.S. prosecutors face similar obstacles when trying to obtain data that is stored abroad. In their brief to the 2nd Circuit, lawyers for the Justice Department argue that they need direct access to Microsoft’s data in part because of the slow process for retrieving data stored abroad through Mutual Legal Assistance Treaties that are meant to facilitate cooperation between law enforcement agencies.
“We obviously need a system that will allow law enforcement information to flow across borders when necessary, but we shouldn’t rely on laws and processes from the 80’s to do it,” Howard said. “We need modern solutions built for today’s technology that help law enforcement by permitting efficient information flow and protect privacy rights at the same time.”
But tech firms are deeply hostile toward the Justice Department’s argument in the Ireland case, which relies on a precedent set during the prosecution of disgraced billionaire Marc Rich in 1983 to compel Microsoft to produce business records held abroad. In the Ireland case, the U.S. government argues that the emails in question are no different than the company’s own business records and that the company can’t shield them from the government merely by spiriting them out of the country.
Microsoft — backed by a who’s who of tech companies, including Apple and Cisco, and civil liberties groups like the Electronic Frontier Foundation — argues that the government is inviting a global free-for-all in which multinational firms are aggressively petitioned to turn over user data. The Redmond-based giant has argued that such a ruling would likely lead to customers fleeing Microsoft for foreign competitors that don’t comply with U.S. government orders, dealing a major blow to the future of the company.
In recent years, several countries have considered passing so-called data localization laws, which require companies to store data on a country’s users within its borders. Moscow implemented such a measure in September last year, and Russian authorities are pledging to carry out increased audits to ensure compliance with that law, which effectively allows Russian intelligence agencies to access their citizens’ data.
Moreover, U.S. prosecutors believe that the sluggishness with which they are able to provide assistance to their foreign counterparts has contributed to this trend. “The delays in responding to requests for ISP [Internet service provider] records in particular threaten the competitiveness of ISPs and our model of Internet governance,” the Justice Department noted in its fiscal year 2016 budget request. “Because of the difficulties in timely responses to foreign requests for ISP records, we have seen increased foreign calls for moving or mirroring U.S. ISP data storage overseas.” In fiscal year 2014, the Justice Department had more than 11,000 pending requests for assistance.
Beyond the concerns of law enforcement, the current case also has steep implications for Microsoft’s ability to compete with smaller, more aggressive counterparts. Users seeking to avoid U.S. government orders for their data could sign up with foreign firms or embrace strong encryption tools such as those offered by companies such as San Francisco-based Open Whisper Systems. The designer of the popular encrypted messaging app Signal, Whisper offers communication products designed in such a way that the company is unable to turn over data to prosecutors. In an email to FP, Whisper’s founder, the hacker Moxie Marlinspike, said the government no longer bothers to ask the company for user data. It knows it can’t get it.
Photo credit: STR/AFP/Getty Images