Microsoft is defending a case involving a 1986 law that will have consequences for cloud vendors and law enforcement no matter how it turns out.
United States vs. Microsoft Corp., set to be argued Feb. 27, addresses whether the reach of U.S. law enforcement extends to electronic communications stored outside the physical borders of the United States.
The case goes back to 2013, when U.S. law enforcement tried to serve a warrant to access the email account of a Microsoft user as part of a drug investigation. Because some of the data was stored on servers in Ireland, Microsoft said it was not bound by the order and refused to comply.
The case hinges on a reading of the Stored Communications Act, part of the 1986 Electronic Communications Privacy Act. Many in Congress have been seeking to update the ECPA statute, in part because it affords different sets of legal protections for communications stored on remote servers and those downloaded to a user's machine.
The legislation allows state, local and federal law enforcement to access remotely stored communications "only pursuant to a warrant." This requirement, Microsoft argues, implicitly puts communications stored outside the jurisdiction of U.S. warrants beyond the reach of law enforcement.
According to a 2017 report by the Information Technology and Innovation Foundation, the case exposes "cracks in the foundation of the current framework used by law enforcement agencies to access digital information and determine jurisdiction on the internet."
Microsoft argues that by complying with the warrant, the company would be violating the European Union's General Data Protection Regulation, which requires the use of an inter-governmental legal assistance treaty for obtaining private information as part of a legal case.
The U.S. and Ireland are party to a 2001 mutual legal assistance treaty (MLAT). In its amicus brief, the government of the Republic of Ireland said the treaty represents "the most appropriate means to address requests such as those which are the object of the warrant in question."
A consortium of trade groups and think tanks, including the U.S. Chamber of Commerce and New America's Open Technology Institute, is urging the court to reject the U.S. government's position because of its potential consequences for the cloud computing industry and the risk of inviting retaliation.
Amazon, Google, Verizon, HP, Salesforce, Facebook and many other vendors observed in their own brief that "the modern notion of 'cloud computing' was at least a decade, if not two, away when the SCA was passed in 1986."
They argue that "Congress could not have contemplated that U.S. electronic communication providers would have the ability to store data belonging to hundreds of millions of foreign users on servers half-a-world away, and then be able to retrieve that data for U.S. law enforcement upon request."
The U.S., which is appealing the case after losses in lower courts, argues that this particular request doesn't trigger extraterritorial problems, in part because U.S.-based Microsoft employees "could prepare [the requested] disclosure without leaving their desks."
Sen. Orrin Hatch (R-Utah) is looking to pass a new law to deal with the problems arising from using a 30-year-old law to govern modern data access by law enforcement. The CLOUD Act proposes new standards for cross-border investigative requests while extending the reach of U.S. warrants. Many cloud vendors are backing the bill, but privacy groups are generally opposed.
A legislative fix is needed, Hatch argues, because a court ruling in the Microsoft case will create problems no matter who wins. "Either law enforcement will lack the ability to obtain in a timely manner email and documents in the cloud that are stored overseas, or providers will find themselves caught between conflicting domestic and foreign laws," the senator said.