
Judge orders Microsoft to turn over data held overseas - dreamdu5t
http://www.washingtonpost.com/world/national-security/judge-orders-microsoft-to-turn-over-data-held-overseas/2014/07/31/b07c4952-18d4-11e4-9e3b-7f2f110c6265_story.html
======
diafygi
I asked these questions on a previous thread but didn't get any answers. I'm
seriously interested in actual responses (i.e. these aren't rhetorical).

\-----

If you use AWS, is all the data (S3, EC2 filesystems, RDS data+backups, etc.)
now a business record of Amazon?

What about renting dedicated servers at your local datacenter? You're
basically renting bare hardware at that point, but the hard drives are still
technically owned by the datacenter. Is the data on those hard drives business
records of the datacenter?

\-----

Not being able separate the owner of the hardware and the owner of the data on
the hardware seems like it would have a ton of modern consequences.

~~~
rayiner
The legal status of something like AWS is up in the air.

On one hand, you have what the law has been to date:
[http://www.abajournal.com/magazine/article/the_data_question...](http://www.abajournal.com/magazine/article/the_data_question_should_the_third-
party_records_doctrine_be_revisited) ("In essence, the doctrine holds that
information lawfully held by many third parties is treated differently from
information held by the suspect himself. It can be obtained by subpoenaing the
third party, by securing the third party’s consent or by any other means of
legal discovery; the suspect has no role in the matter, and no search warrant
is required.")

On the other hand, you have the recent decision in California v. Riley: "The
United States concedes that the search incident to arrest exception may not be
stretched to cover a search of files accessed remotely—that is, a search of
files stored in the cloud. See Brief for United States in No. 13–212, at
43–44. Such a search would be like finding a key in a suspect’s pocket and
arguing that it allowed law enforce- ment to unlock and search a house." Slip.
Op. at 21.

It's difficult to reconcile the Third Party doctrine with Riley. Under the
third party doctrine, storing a document in the cloud is like leaving a box of
papers in your friend's garage--not protected under the 4th amendment. But
under Riley, storing a document in the cloud is like storing it locally on
your phone--protected under the 4th amendment.

How the two will be reconciled is something that has yet to shake out. Note
that Microsoft has already decided to appeal this: “We will appeal promptly
and continue to advocate that people’s e-mail deserves strong privacy
protection in the U.S. and around the world.” What the Second Circuit
ultimately says on this case will go towards figuring out how this will shake
out.

~~~
jsmeaton
> It's difficult to reconcile the Third Party doctrine with Riley. Under the
> third party doctrine, storing a document in the cloud is like leaving a box
> of papers in your friend's garage--not protected under the 4th amendment.
> But under Riley, storing a document in the cloud is like storing it locally
> on your phone--protected under the 4th amendment.

What about storing documents in a safety deposit box of a bank? Where does
that fall legally? I would imagine that storing documents on a box rented from
a cloud provider should fall under the same law.

~~~
rayiner
You do have a 4th amendment interest in the contents of safety deposit boxes,
storage units, and rented apartments.

So the question becomes: is the cloud more like your friend's garage, or a
safety deposit box in a bank? I think the relevant distinction is that when it
comes to a safety deposit box, or a storage unit, or an apartment, the
landlord no longer has unrestricted access to the unit, and indeed it can be
illegal for him to access the unit without your permission. Thus the
expectation of privacy is higher than with your friend's garage, which he can
continue to access whenever he wants without restriction.

So it might well be that there is a stronger privacy interest in something
like AWS, where Amazon doesn't look into your instances, than in other cloud
services that look at the data you store in them. That said, as I said,
_Riley_ makes me think that the Supreme Court is just going to give blanket
4th amendment protection to cloud services, regardless of the fact that some
are, in actual fact, much more private than others.

~~~
jsmeaton
Thanks, appreciate the information. I was thinking more along the lines of an
EC2 instance rather than a shared service like Gmail.

------
click170
This is fantastic news because I've recently been looking for a VPS with 0
ties to the United States and it can be tricky to determine who owns who.

With this ruling, I expect more companies to be advertising the fact that they
operate entirely outside of the US and thus are not subject to these data-
grabs. This will make choosing a VPS provider much easier for me.

~~~
thematt
Will it? As much as I disagree w/ this ruling, grabbing data isn't isolated to
the US government. Don't you also have to be concerned that _those_ countries
may subpoena the VPS provider?

~~~
ChrisAntaki
Right, and that's assuming the hypothetical host country has the formality of
subpoenas. Some countries would just send armed forces and demand access. I've
heard firsthand stories of how Russia's tax collectors essentially hold
businesses at gunpoint, by surprise.

~~~
atmosx
I think he was referring to countries like Norway, Switzerland, etc. who are a
bit more pro-human/business rights than Russia.

------
yread
Holy shit! I work in a medical setting and our institute was considering using
Azure to offload some HPC. Azure promises to be the only cloud that has
georedundancy but all within EU (AMS and DUB) protected by EU data laws. If
this goes through we won't be touching it.

What is wrong with the US judges these days?

~~~
anigbrowl
EU laws apply to data on EU residents. You can't dump your US-originated data
into an EU jurisdiction and use EU law as a legal shield. Most developed
countries have reciprocity arrangements with each other about access to data
for legal proceedings in cross-border litigation, eg courts in one country
will recognize properly-issued warrants/subpoenas from another.

EDIT: I should have mentioned that the major international treaty about this
is the Hague Convention (which also covers a bunch of other things). You can
find all about the rules, which countries are signed up to it as regards
evidence-sharing, and so on here:
[http://www.hcch.net/index_en.php?act=text.display&tid=23](http://www.hcch.net/index_en.php?act=text.display&tid=23)

~~~
stdgy
It's my understanding that Microsoft's complaint is that the US Government
isn't bothering going through the proper international channels setup through
treaty arrangements in order to retrieve this data, and is instead relying
entirely on domestic procedures.

Is that not the case here?

~~~
guan
Yes, the government is arguing that going through Mutual Legal Assistance
procedures would be too slow.

[https://cdt.org/insight/microsoft-ireland-case-can-a-us-
warr...](https://cdt.org/insight/microsoft-ireland-case-can-a-us-warrant-
compel-a-us-provider-to-disclose-data-stored-abroad/)

~~~
serge2k
as opposed to a court case with multiple appeals?

------
davidgerard
Well, that about wraps it up for US companies in Europe. Well done.

I wonder if Ireland can prosecute Microsoft if they _do_ hand over the data
without a local warrant.

~~~
toyg
Ireland suing one of their major trading partners and local employers, over
something as ephemeral as privacy laws? Not going to happen.

~~~
davidgerard
Ireland is in fact just a bit pissed off, though:

[http://www.irishtimes.com/business/sectors/technology/micros...](http://www.irishtimes.com/business/sectors/technology/microsoft-
fights-us-request-for-irish-held-data-1.1884243)

~~~
toyg
That was filed _in support of Microsoft_ in the case, by a _former_ minister
who is also a senior counsel.

There is no indication whatsoever that the current Irish government would do
anything to Microsoft over this matter; I bet Irish politicians would rather
pay with their own money to find a convenient solution for everybody, rather
than risk jeopardizing the relationship. Microsoft and the Irish establishment
have been really close for decades now, they desperately need each other and
this won't change because of some silly rule about helping US police or
judiciary.

------
dreamdu5t
> Microsoft also argued that the United States would not be in a position to
> complain when foreign governments do the same and insist on access to e-mail
> content stored in the country.

------
josephschmoe
Why can't we just use the same laws we have for physical media for this?

Because the government wants to use this as an excuse for a power grab.

~~~
rayiner
If you printed out your emails and left them at a Microsoft data center in a
box, the government would be able to use a subpoena duces tecum to get the
emails, and you wouldn't be able to assert a 4th amendment claim over them.

We _are_ using the laws applicable to physical items. The problem is that in
general, those laws say that unless there is a special situation (landlord-
tenant, etc), you can't invoke an expectation of privacy over property that
you leave in the hands of a third party.

~~~
X-Istence
Except that in this case the box was left in the hands of Microsoft Ireland,
and Microsoft USA might have access to the property they don't have the right
to touch Microsoft Irelands holdings...

------
secfirstmd
As an Irish person, I find this violation of my country's sovereignty
disgraceful. It's bad enough that GCHQ has violated our communications systems
for decades (and the NSA no doubt also) but now the US is trying to do this
through legal methods?

Our forefathers didn't fight for the right to hold our own courts so that we
could be bullied by another large country (this time US not Britain). Only
when the Irish people have voted in referendums to release sovereignty (like
during EU Treaties involving European Courts) should this ever be allowed.

If any of our politicians had a backbone they should come out and say that US
Laws have the same power in Irish Courts as those of a Golf Club - absolutely
nothing...If the US wants the data it should go the normal route and through
various inter-government treaties...Unfortunately the words spine and Irish
politician don't go in the same sentence.

Lets just see what happens when a Chinese or Russian company does the same to
data stored in the USA.

------
ivanca
> The government’s position is that the warrant is more of a hybrid — part
> search warrant and part subpoena.

That covers it, you can get any data you want as long as it is an "hybrid".
Maybe Russia should do the same "hybrid" over the Microsoft representatives
there and get the email of all US politicians.

------
blisterpeanuts
The fight's not over yet. Microsoft is appealing and it remains to be seen
whether this decision will be upheld. In the meantime the order to turn over
the data has been suspended.

------
DomreiRoam
Since Microsoft US and Microsoft Ireland are to two different entities. The
former is a 100% shareholder of the second but technically there is an Irish
CEO that is report to Irish board representing the owner of the Irish
Microsoft company. The Irish company doesn't operate in the US. Should the US
judge send a letter rogatory to an Irish court to get the evidence?

------
McUsr
I have no problems with getting emails by a search warrant from an overseas
server. Drug trafficking is global, so should the law enforcement be. I know,
I am addressing this particular case, I am not saying "go" on a general basis.
But I cases like this, with a search warrant, that turns up during an ongoing
investigation, I really have no problem.

By the way, in Norway, blood samples are taken from murderers. 23% of all
murderers had thc in their veins.

------
vaadu
What if the Irish government seized the data?

------
ChrisAntaki
Citizens should be able to nominate & disbar judges.

~~~
fleitz
Ugh. No.

The judicial branch is not a political one, as the Supreme Court wisely
declared the other day it is not up to them to question the will of the
people.

If the people elect a congress that passes dumb laws (including those in the
constitutions) it is not for the judges to overrule them.

If you can't get the people to elect a congress to make suitable laws, how is
electing judges going to help?

I don't disagree that this ruling will hurt US businesses, it's just that that
is a political question, and not a judicial one.

~~~
ChrisAntaki
The power to elect Senators and Representatives empowers the public to make
their government reflect their will.

The more positions are electable, the more accurately the will of the public
can be reflected.

~~~
penrod
The more positions are elected, the more power the majority have to impose
upon minorities.

It is well known that pure democracy does not invariably promote liberal
society, which is why the Founders of the US Constitution specifically
rejected majoritarianism.

~~~
Natsu
And yet we call systems that are ruled by very small minorities
"dictatorships" so it's not something you can optimize in one direction, as
it's one thing to protect minorities and something else for minorities to
order everyone else around.

I have not seen any clear indication that the Founders collectively had
anything against majorities per se, though, or even that they were trying to
promote a liberal society (at least for any modern meaning of that word), as
they simply required super-majority rules for more fundamental changes (e.g.
changes to the Constitution) and seem to me more concerned that a minority of
people in power could not do everything on their own, though I think there was
some debate on that between the Federalists and those opposed to them.

