
United States v. Microsoft Corp. Dismissed [pdf] - ahakki
https://www.supremecourt.gov/opinions/17pdf/17-2_1824.pdf
======
btown
You can hear the (fascinating) oral arguments to the Supreme Court here:
[https://www.oyez.org/cases/2017/17-2](https://www.oyez.org/cases/2017/17-2) .
I didn't know these were publicly available!

An interesting tidbit:

Sotomayor, at 09:44, pushes back against the U.S. attorney, referencing what I
assume to be the CLOUD act as a more reasonable compromise than what the
attorney has been advocating:

> And the problem that Justice Ginsburg alludes to is the fact that, by doing
> so, we are trenching on the very thing that our extraterritoriality doesn't
> want to do, what our jurisprudence doesn't want to do, which is to create
> international problems. Now I understand there's a bill that's being
> proposed by bipartisan senators that would give you most of what you want
> but with great protections against foreign conflicts. There are limitations
> involving records that are stored abroad.

~~~
aerotwelve
Thanks for introducing me to Oyez as a source for oral arguments. The audio is
much easier to follow when it's paired (and synced) with the transcript.

This is probably the best we can get until that fabled day when they finally
allow cameras in the courtroom.

~~~
alschwalm
Shameless plug: If you enjoy that, you may like a version that I made that
sinks the audio and transcripts with puppies[1], available here:
[https://www.youtube.com/channel/UCn1ibFnn3NcXjQHY47o0yWg/vid...](https://www.youtube.com/channel/UCn1ibFnn3NcXjQHY47o0yWg/videos)
Though this particular case is not available yet.

[1]: The idea was originally inspired by Last Week Tonight, I just
automatically generate them.

~~~
btown
Amazing! What API are you using to weave together the clips - just ffmpeg, or
some other tool?

Also I love that you coded cutaways to observers and the chicken stenographer
- it makes it incredibly natural seeming. Did any news outlets end up using
your outputted videos?

Also, any chance it’s open source? :)

~~~
JoblessWonder
Not OP, but it looks like it is:

[https://github.com/ALSchwalm/PuppyJusticeAutomated](https://github.com/ALSchwalm/PuppyJusticeAutomated)

------
dx034
So if you want your data to remain out of scope for US warrants the only way
is to choose non-US companies? Drastically reduces the options, I can only
think of OVH and Hetzner that would qualify..

Or are the German data centres of Azure safe as they're run by a German
company?

~~~
lallysingh
I don't think #2 (Azure) applies. Your best bet is to store cryptographic keys
offsite and leave the data in the cloud. There's a market opportunity for
someone who can wrap that up in a reasonable API/library for use on
EC2/GCP/Azure.

~~~
dx034
Why not use a non-US provider then? Maybe this will lead to more support for
those. I can imagine that some EU companies will now struggle even more using
AWS/GCP/Azure.

~~~
lallysingh
Depends on where your customers are and the applicable scale/latency costs of
not using the biggest providers.

~~~
isostatic
If you want 20ms latency to customers in the US, you're going to be hosting in
North America, damn relativity and all that.

------
rantagram
"On March 23, 2018, Congress enacted and the President signed into law the
Clarifying Lawful Overseas Use of Data Act (CLOUD Act), as part of the
Consolidated Appropriations Act, 2018, Pub. L. 115–141. The CLOUD Act amends
the Stored Communications Act, 18 U. S. C. §2701 et seq., by adding the
following provision:

A [service provider] shall comply with the obligations of this chapter to
preserve, backup, or disclose the contents of a wire or electronic
communication ... within such provider’s possession..., regardless of whether
such communication, record, or other information is located within or outside
of the United States.”

So, all US companies are now forced to store a backup, or copy, of all data
they store off shore? To make sure this doesn't happen again?

~~~
jiveturkey
No. per your own quote, it "just" extends discovery protections to data held
outside the US. So you can't deny the US government access just based on the
data being offshore. It's captured in the first paragraph of the decision:

> _a U. S. provider of e-mail services must disclose to the Government
> electronic communications within its control even if the provider stores the
> communications abroad._

[https://www.congress.gov/bill/115th-congress/house-
bill/4943...](https://www.congress.gov/bill/115th-congress/house-
bill/4943/text)

The requirement to backup, preserve or disclose is exactly the current
requirement for data in the US, and only applies at the provider is given
notice to produce evidence. It means the provider cannot destroy evidence once
compelled to produce it. It doesn't mean you are required to preserve data
"just because".

It also only applies to data > 180 days old.

------
GCU-Empiricist
SCOTUS oral arguments are some of the best sardonic comedy you will ever find.
It's nine well educated professional masters of their field basically who only
have to care about each others opinions, grilling two very accomplished
journeymen arguing opposing viewpoints. Find a case your interested in, listen
in and you will probably be entertained.

~~~
timb07
Eight. Sure Clarence Thomas is there, but he rarely speaks.

It was news when he asked questions in 2016 for the first time in 10 years:
[https://www.npr.org/sections/thetwo-
way/2016/02/29/468576931...](https://www.npr.org/sections/thetwo-
way/2016/02/29/468576931/clarence-thomas-asks-1st-question-from-supreme-court-
bench-in-10-years)

------
arciini
To clarify on the legal history - this dismissal merely states that the case
no longer matters thanks to the CLOUD Act. The CLOUD Act resolves this by
allowing the US Government use a warrant to force US companies to turn over
data on any US citizen that it has stored abroad. To me, the CLOUD Act is a
reasonable compromise. It continues to grant the US government access only to
US citizen information.

It is not a ruling on whether the US government can access other data stored
by US companies abroad.

The original case started because Microsoft argued that the US Government has
no right to access data stored abroad, because that would give unprecedented
access to non-citizens' data. The government argued that it did.

~~~
gowld
Do you mean citizens or residents?

------
quantumwoke
Rather long, but I think important. The views are my own, based only on my own
limited experience.

I've been a web user since the early 90s and I honestly that we are going a
little astray from the original spirit of the web. Back then, it didn't matter
what you posted, anonymity was the default and people used to say that no
personal information should ever be shared. This move by the United States
government feels like they are crossing the Rubicon towards a highly regulated
and almost dystopian view of the web.

It is my opinion and I think a lot of others on HN would agree that privacy
should be the norm. Certainly, law enforcement has a right in some cases to
extra information but when governments are able to reach across the ocean and
pluck personal data from each other then there is a serious problem. This
happened to my friend who ran a startup in the financial sector who was
compelled to reveal a user's data. There was no recompense for him as he
didn't have the resources of a big company like Microsoft at his disposal.

Tech companies and law enforcement should more of a conversation about these
issues before they are forcibly put into law.

~~~
austincheney
It is harder to be a troll when anonymity is removed. People, at least some
people, will be more hesitant to post stupid things if their stupidity is
associated with their real world identity for all to see. It would also be
more challenging to be a criminal or fraudster online when anonymity is
voided.

Just think how much less toxic Reddit would be if there were no anonymity and
employers, parents, and neighbors could see what people are really thinking
about.

Also, privacy is not anonymity.

~~~
kej
Sure, but it is also harder to be a whistleblower or to speak out against a
powerful government or business when they have the power to retaliate against
you.

~~~
jack9
You mean to say, when they can identify you. Most of the time, powerful people
have the power to retaliate against anyone.

------
ttul
And this, friends, is why it’s important to encrypt information that you want
to remain private.

------
jacksmith21006
What is amazing is these companies fighting the government while we have Apple
hand all their customers data over to the China government.

"Campaign targets Apple over privacy betrayal for Chinese iCloud users"

[https://www.amnesty.org/en/latest/news/2018/03/apple-
privacy...](https://www.amnesty.org/en/latest/news/2018/03/apple-privacy-
betrayal-for-chinese-icloud-users/)

Incredible contrast.

Then the cherry on top was Apple removing the VPN apps from their store in
China and cutting their users off at the knees in being able to protect
themselves.

"Apple removes VPN apps from the App Store in China"

[https://techcrunch.com/2017/07/29/apple-removes-vpn-apps-
fro...](https://techcrunch.com/2017/07/29/apple-removes-vpn-apps-from-the-app-
store-in-china/)

------
arbie
This reinforces the fact that the internet is decoupled from geography.

~~~
dx034
In my view it reinforces that the internet is dominated by the US. All data
stored at any of the large cloud providers falls under US jurisdictions.

EDIT: it also appears asymmetric. I doubt a French court can issue a warrant
that forces OVH to turn over data stored at their Canadian data centre
(similar with OVH and Finland).

~~~
astura
Lets talk about the actual facts of the case here.

Its important to note that United States v Microsoft involved a US company
(Microsoft) controlling and storing data (emails) on behalf of a US citizen.
The emails were physically stored on a server that was located in Ireland. MS
argued that a US judge doesn't have the authority to issue a warrant for data
that is stored outside the United States and the FBI needed to go through
cross-boarder channels.

I haven't read the bill but everything I read about the CLOUD Act seems to
indicate that the act is meant to apply to US companies and US persons, not to
foreigners as a rule. It's an extremely unjustified jump to conclude that "all
data stored at any of the large cloud providers fall[s] under US
jurisdictions." Unless you have more information than me that you aren't
sharing.

~~~
dx034
I referred to "any of the large cloud providers" because they're all US
companies (Amazon, Google, Microsoft, DigitalOcean, Linode, Vultr). Not sure
if the case would've been very different if it had been for data of a foreign
citizen. But from what I read, the fact that Microsoft had sole control of the
data was important, and that would apply to EU citizens as well. But that
might change under the Cloud Act.

------
mgoetzke
Does this apply to data of US citizens only ? If a non-US citizen stores data
on a non-US server provided by e.g Microsoft, can it be accessed by the US gov
?

~~~
dx034
As far as I understand, it applies to ALL data stored at any US company. A US
warrant against a French company could be valid for all their data in the
cloud without a confirmation by a local court even if all data is stored
outside of the US (which would be necessary for physical assets)

------
mrleiter
My legal two cents:

1.) What 18 U.S.C. §2701 et seq. actually now says is that if you are a
service provider in the US, you must have a backup of any record of your
customers in the US. So if you use a cloud service that is situated outside
the US, you still need to produce a backup in the US.

2.) The case is to be dismissed as mooted, because the government applied for
a new warrant that replaced the original one. So the case has new grounds.

~~~
cosinetau
It would be interesting to see how this mandate will work in the US with GDPR
in Europe.

------
thsowers
From the transcript [0], when Justice Kennedy is asking if human intervention
is required to retrieve the records, E. Joshua Rosenkranz responds:

> A human being doesn't have to do it. It is a robot.

> A human being in, let's say, Redmond tells the robot -- it sends the robot
> instructions.

What does he mean by robot? Is this just software, or does an actual machine
have to go spin up some servers in storage?

I feel like something about the use of the term seems to imply more than just
"software". Is there a legal advantage to using this word instead of "the
program" or "software"?

[0]:
[https://www.supremecourt.gov/oral_arguments/argument_transcr...](https://www.supremecourt.gov/oral_arguments/argument_transcripts/2017/17-2_j4ek.pdf)

~~~
jzwinck
The moving part of a "tape library" is known as a "tape robot." For the past
few decades there really have been physical robot arms retrieving data from
long-term storage. This is still an area of development today, because tapes
are cheap but only if you don't need a drive for each one.

[https://en.m.wikipedia.org/wiki/Tape_library](https://en.m.wikipedia.org/wiki/Tape_library)

~~~
thsowers
Thanks! I was unaware of these

I wonder if a similar system is used for AWS Glacier..

------
mirimir
This is bad news, for sure. But it's no surprise, in the current environment.
I mean, when it's the feds vs Microsoft, Congress can just change the laws.
And the EU is moving in the same direction. Also China and Russia, obviously.

So anyway, the only option for those who want protection against warrants is
to hide. Sure, go with providers in places that are more privacy friendly. But
that can't be the only defense. At this point, I believe that the best option
is local encryption, plus network connectivity through nested VPN chains plus
Tor.

Edit: tone

------
us0r
I still think there is a lot more to this case. The risk of losing on both
sides was way too high for a drug dealer. Why wouldn't they just request the
data using Mutual Legal Assistance Treaty? They had no problem doing it for
the kickasstorrents guy ([https://torrentfreak.com/images/KAT-
complaint.pdf](https://torrentfreak.com/images/KAT-complaint.pdf)).

------
foobarbazetc
The CLOUD Act is ... really not great. More about big corporate than
protecting privacy in any way.

