Microsoft can refuse US demands for data stored overseas, important privacy ruling affirms
A US federal appeals court on Tuesday reaffirmed Microsoft’s legal right to refuse a government order to hand over data stored overseas in a case with important privacy implications.
A divided panel of judges in New York denied a petition by the US for a rehearing of a ruling last year in a case pitting Microsoft against the US government over data stored in servers in Ireland.
The case has been watched closely for its implications for privacy and surveillance in the digital age.
The December 2013 warrant directed Microsoft to turn over the contents of an email account used by a suspected drug trafficker.
Redmond, Washington-based Microsoft handed over account information it kept on US soil, but said the content of emails was off-limits because it was stored on servers in Ireland.
Microsoft chief legal officer Brad Smith welcomed the ruling while noting that “we need Congress to modernise the law both to keep people safe and ensure that governments everywhere respect each other’s borders.”
Many privacy and digital rights activists have supported Microsoft as a way of guarding against overreach by the US government, although some say the implications of the case are not clear.
Concurring and dissenting justices on the panel agreed that Congress that the 1986 Store Communications Act (SCA) that was at the heart of the case should be modified by Congress to better balance privacy, crime-fighting, and national security.
Judge Susan Carney said Congress did not intend for the law to apply “extraterritorially,” or outside US borders, and disputed the government’s argument claiming the data remained domestic because it could be accessed by Microsoft.
“Mundane as it may seem, even data subject to lightning recall has been stored somewhere, and the undisputed record here showed that the ‘somewhere’ in this case is a data centre firmly located on Irish soil,” she wrote in a concurring opinion.
Judge Dennis Jacob said in a dissent that the US was essentially not reaching beyond its borders when the information it sought was in easy grasp of a Microsoft computer terminal in Redmond.
If the recipient of a legal warrant “can access a thing here, then it can be delivered here” and it should not matter where the “ones and zeroes” are located in cyber space, Jacobs reasoned.
“Localising the data in Ireland is not marginally more useful than thinking of Santa Claus as a denizen of the North Pole,” Jacobs wrote.
“Where in the world is a Bitcoin? Where in my DVR are the images and voices? Where are the snows of yesteryear?”
Judge Jose Cabranes wrote in dissent that the negative consequences of the panel’s decision could thwart law enforcement efforts and impede efforts to protect the US and its allies.
“The panel majority’s opinion has created a roadmap for even an unsophisticated person to use email to facilitate criminal activity while avoiding detection by law enforcement,” Cabranes wrote.
While Microsoft has received backing from most technology allies and digital rights groups, some activists say the case is far from clear-cut.
Jennifer Granick of the Stanford Centre for Internet and Society has argued that a Microsoft win could mean these cases are decided in countries with fewer privacy protections, and drive more companies to “localise” data in places where authorities can’t access it.
But Greg Nojeim of the Center for Democracy and Technology said a ruling for the government “could have resulted in chaos and a privacy disaster.”
Nojeim said that tech firms under such a ruling “would have been subject to conflicting obligations to an even greater extent than is the case today, and users’ communications privacy could become, over time, subject to the whims of not just the US government, but also other countries seeking their data.”