
Microsoft fights U.S. warrant for customer e-mails held in overseas server - kenjackson
http://m.washingtonpost.com/world/national-security/microsoft-fights-us-search-warrant-for-customer-e-mails-held-in-overseas-server/2014/06/10/6b8416ae-f0a7-11e3-914c-1fbd0614e2d4_story.html
======
jonchang
As far as I can tell, the main issue here (ignoring jabs about the NSA, M$,
etc.) is the difference between a warrant and a subpoena. US law enforcement
would like to have their cake and eat it too, using a novel warrant-subpoena
hybrid. With a warrant, law enforcement officers are the ones that search and
seize the documents or data outlined in the search warrant. In a subpoena, the
party being served is compelled to produce the documents themselves and
testify in court.

In this particular case, it seems obvious that a warrant is inapplicable,
since US law enforcement officers don't have the authority to seize
Microsoft-controlled data located on servers in Ireland. If Microsoft had instead been
served with a subpoena, they would be required to hand over any documents that
they had access to, regardless of the data's physical location. However, there
are strategic advantages (for law enforcement) to favor warrants, since
they're much harder to challenge, and that treaty obligations with foreign
countries might restrict the kinds of data that can be retrieved from overseas
servers.

~~~
Fuxy
This is probably one of the few situations where I think Microsoft is right
and if they want the data they should abide by Irish law.

If it's that hard to get the necessary paperwork done for this they should fix
their system not complain to the courts that it takes too long.

~~~
merrua
Especially if they want to keep non-USA clients who have to obey different
laws with their own businesses data.

~~~
narrator
American institutions truly think their jurisdiction is global. Did you hear
the one about the NYPD cops that showed up in different parts of the world
demanding the governments in various jurisdictions respect them?
([https://www.techdirt.com/articles/20140107/21020425797/posti...](https://www.techdirt.com/articles/20140107/21020425797/posting-nypd-officers-around-world-found-to-be-waste-embarrassment.shtml))

~~~
wazoox
And the BNP bank fined $10 billion for not respecting US law while doing
operations between foreign countries (under the preposterous argument that if
you use US dollar for a transaction anywhere in the world, it must respect US
laws).

[http://www.theguardian.com/business/2014/may/30/bnp-paribas-...](http://www.theguardian.com/business/2014/may/30/bnp-paribas-faces-10bn-fine-us-sanctions-investigation)

~~~
milesskorpen
The transactions WERE going through the US, which is why the US government had
jurisdiction.

~~~
wazoox
Absolutely not. The US courts used the argument that in last resort a US
clearing house _may_ have to survey the transaction because it was in US$.
However not a single dollar went through the US.

~~~
jessaustin
I'm puzzled by this:

 _On top of the potentially huge fine, BNP Paribas could suffer a temporary
ban on processing dollar transactions, a business that is essential to the
operations of an international bank._

Are USA officials able to enforce these sorts of restrictions on e.g. the
sidewalk moneychangers one finds in any developing nation? There are more
dollars (both physical and in ledger books) overseas than in the USA. At what
point does a bank in another country become vulnerable to this sort of
restriction? Are officers going to show up outside the bank and yell "give us
all your dollars!"?

~~~
Elhana
Banks don't move dollars in crates overseas, transfers in USD are going
through US banks:
[http://en.wikipedia.org/wiki/Correspondent_account](http://en.wikipedia.org/wiki/Correspondent_account)

~~~
jessaustin
Hmmm, that seems to contradict the assertion that "not a single dollar went
through the US". If this is the mechanism that BNP Paribas uses, they
shouldn't be surprised they are subject to USA laws.

------
cjg
What are the legal consequences for Microsoft if the US government succeeds in
forcing them to bring this data over from Ireland? Won't Microsoft then be in
breach of Irish law? What does a company do if forced to choose between
breaking one of two legal instructions? Perhaps they can just choose?

Alternatively, the Irish Microsoft corporation could decide to prevent the US
corporation from having access. It could be argued that they are legally
required to do this. Then the US corporation can say they no longer have
access. It doesn't matter that the US corporation is the only / majority
shareholder because the shareholders cannot compel the company officers to do
something illegal (i.e. provide access).

~~~
thomasahle
I guess the US government will force the US based part of Microsoft to
cooperate. No choice, possibly in stealth. This might or might not be
discovered by the Irish part/government, which must then sue.

Basically there is no winning for Microsoft, except keeping it secret, having
the US government pressure the Irish not to sue, or having the NSA pay
possible fines.

~~~
belorn
It's not really that simple, since Ireland is part of the European Union. If
Microsoft willingly breaks data protection laws, then the EU court would likely
sue Microsoft again.

Given the history of EU court vs Microsoft, and the market size of EU vs US,
Microsoft has no easy solution to the problem. The US government might
pressure the Irish, but would have a harder time against the European Union (which
I suppose is part of its design).

~~~
yxhuvud
Sadly, so far no company has been sued by EU for complying with American legal
requests.

I think the motivation is somewhat along the lines that the company didn't
have a choice in the matter. Personally I wish that didn't matter and that the
privacy breaches would have been prosecuted - I can think of nothing that
makes legislative changes faster than companies having to choose where to do
business because it would not be possible to do business both in USA and EU.

~~~
Silhouette
Agreed on all counts.

There have been some very shady dealings between Europe and the US, in areas
as sensitive as financial and travel information, where it seems the US has
demanded data and Europe has conveniently overlooked and/or hacked its own
privacy and data protection laws so they can provide it.

I suspect given the increasingly anti-EU sentiments in many European countries
and the outright hostile behaviour of the US toward foreign citizens in recent
years, this situation isn't going to last much longer. Someone in politics is
just waiting to make their career by telling a weakened EU administration
and/or the US where to go, presenting themselves as the people's advocate and
defender of basic human rights. This issue provides a convenient and
potentially very effective vehicle for anyone with such ambitions.

Put another way, the asymmetric legal, economic and diplomatic relationships
that have favoured the US for some time are essentially a bet that the US is
worth more as a partner than any cost that asking "how high" will incur.
Sooner or later, someone is going to call them, and at this point I'm not sure
whether they're just bluffing.

~~~
cinquemb
I think I would agree to what you are saying as to the logical conclusion of
what is happening now, but I hope no one will conflate such a possible outcome
with its probable effectiveness as long as the technical capabilities allow
for governments, corporations, and individuals to subvert such systems.

Would citizens of the EU have faith in such a candidate anyway who will
basically play the same game as their predecessors? Would anyone with the
technical capabilities to develop and use encryption/steganography software
for things they deem necessary to encrypt, put any trust in such a candidate
over themselves?

Seems like a growing market to sell people on privacy as a service, which
means there will be a growing market for those who want to subvert such…

~~~
Silhouette
All valid points, but I would add two more.

Firstly, the means to make mass surveillance significantly more difficult and
expensive already exist, we just don't use them routinely as a society. This
lack of security and privacy awareness is harmful for many reasons, only a few
of which are related to potential abuses by government organisations, but part
of the reason they haven't been used more is because of the pressures imposed
formally and no doubt less formally by governments. There is always going to
be a balance here, because obviously there are bad people in the world and
governments are expected (reasonably or otherwise) to protect their citizens
and organisations against those bad people. I doubt any government is going to
willingly give up all possibilities to intercept communication, but I think
you could have a situation with much more transparency and oversight than we
have today to keep that power in check and directed to its intended purposes.

Secondly, one of the most disappointing things about this whole affair is that
our own intelligence and security services (I'm in the UK) seem to be more
concerned with covering their backsides and keeping tight with their US chums
than they are with actually, you know, providing for the security of their own
country. In an era when foreign surveillance is a significant threat to
everyone and so-called allies are among the prime culprits, the duty of our
services is to treat those allies as hostile to the extent that their observed
behaviour demonstrates they _are_ hostile, and to respond proportionately. US
spying on all our citizens' data? Promote encryption as standard and advise
businesses on how to keep their data out of US jurisdiction. If allies have
legitimate grounds for wanting sensitive information about British people (and
I'm certainly not saying they won't have legitimate grounds for doing so from
time to time) then let them request that information through proper channels
and in compliance with our laws (and make sure our laws provide for assisting
allies appropriately but with appropriate controls and oversight as well).

Ultimately, you can't rationally expect governments to protect their people
without allowing them to use the technical tools and legal powers necessary to
do so, but neither can you rationally protect your society and way of life by
destroying it. This debate is all about resolving that inherent conflict in as
fair and practical a way as possible, and to that extent, I think some fresh
views in politics could improve the current situation considerably.

~~~
cinquemb
_Firstly, the means to make mass surveillance significantly more difficult and
expensive already exist, we just don't use them routinely as a society[…]but
I think you could have a situation with much more transparency and oversight
than we have today to keep that power in check and directed to its intended
purposes._

One has to acknowledge that it is also not presently in the interests of those
who have kept it so. Transparency is a two way street, if everyone as
individuals had access to such information that is in the hands of the few to
leverage, many aspects of our society could also be made better. After all,
"encrypt all the things" makes one wonder about the effort exerted is worth it
all, especially if it enables individuals to deceive/mislead/exaggerate to
others in the name of privacy.

 _Secondly, one of the most disappointing things about this whole affair is
that our own intelligence and security services (I'm in the UK) seem to be
more concerned with covering their backsides and keeping tight with their US
chums than they are with actually, you know, providing for the security of
their own country._

I question how much "security" there needs to be when governments,
corporations and individuals go to such lengths to hide such information from
others to maintain the asymmetry of information from individuals of the
public, and wonder if there would be more "security" provided if the public
who funds such boondoggles had access to such infrastructure. I'd rather have
API keys than the hand-waving/profiteering/"we know what's best for you"
media/policy makers and its enablers tell us what they think we, the public,
should know of what they do on our behalf, because only they should be
responsible for protecting us, and not ourselves as individuals?

I never have expected any government to protect "their" people, when all of
them to some degree are actively harming them and continue to do so through
various means unaccountably with claims on behalf of the public.

~~~
Silhouette
Just in case it wasn't clear, when I wrote "providing for the security of
their own country", I was referring to protecting their own citizens and
organisations from unjustified mass surveillance by foreign powers (whether or
not those powers purport to be allies). If the press releases and government
statements are any indication, there seems to be more emphasis right now on
collaborating with those foreign powers and even helping them to conduct their
surveillance than in reining them in or applying technological measures to
prevent or deter acts that are not permitted under our laws.

------
sschueller
A little off topic.

How does it work for companies that are separately incorporated in another
country?

For example: I had an argument with someone from Goldman Sachs Switzerland.
They are claiming that their data is out of reach from the US dept. of justice
because they are a separate entity incorporated in Switzerland. I have also
heard that as an argument from a datacenter provider (Equinix).

Don't profits from these Swiss corporation still somehow make it to the parent
company?

What does the parent company do when served with an NSL for data located in
the Swiss company?

BTW the funniest thing about Goldman Sachs Switzerland is that they do not
accept US customers as they are considered 'toxic'.

~~~
CaptainZapp

> BTW the funniest thing about Goldman Sachs Switzerland is that they do not
> accept US customers as they are considered 'toxic'.

Practically no Swiss bank accepts US customers at this time. This can be quite
a hardship for US citizens living in Switzerland. But they deem the risk just
too high and rather forgo the business.

To clarify what your Goldman friend meant.

Swiss banks are obliged to keep customer identifiable data ring fenced and
within the country. That is, it can't even be processed offshore. It has
nothing to do with how the entity is set up legally.

For example (I work for a Swiss bank). I can easily remote access my desktop
from home, or, if I have my laptop and token with me, from any other location
_in_ Switzerland.

There is no way to access the systems from outside Switzerland.

Singapore, btw, has comparable laws and also ring fences data for use only in
Singapore.

~~~
ryanjshaw
> For example (I work for a Swiss bank). I can easily remote access my desktop
> from home, or, if I have my laptop and token with me, from any other
> location in Switzerland. There is no way to access the systems from outside
> Switzerland.

Can you remote access your home desktop from outside Switzerland? :)

~~~
gtirloni
While I understand and accept the technical possibilities where this could be
worked around, it actually misses the intent of the law.

If someone were to be caught doing that, she/he would not be able to say it
was technically possible so it's OK. It's technically possible but legally
forbidden. So the message is: do it at your own peril.

Reality and law don't always agree but when these things go to court, law has
the upper-hand :)

------
secfirstmd
This is a ridiculous situation and as an Irish person I would say, a gross
violation of our sovereignty. It's bad enough that GCHQ and the NSA do it on a
daily basis anyway, now the US is trying to do it via the legal route.

Imagine the uproar if China or Russia decided to do the same to data held on
US servers...

------
contingencies
In finance, the US pressuring people in arbitrary jurisdictions is considered
completely normal, though they've been overstepping themselves of late by
wholesale interference with intra-EU transactions conducted by European
private citizens, by collaborating with Israel to pressure Europe to block
Iran entirely from SWIFT, and by showing their cards by financially blockading
Wikileaks without any form of trial or due legal process whatsoever.

With the news here confirming that communications area resistance is beginning
on commercial grounds... and from well funded pockets like Microsoft's... a
ray of hope exists that the whole tide may be beginning to turn. The truth,
ladies and gentlemen, is that we can choose freedom - the natural result of
decentralization, encouraged by the jurisdiction-hopping internet - or we can
have a feel-good, artificial, dangerous kind of
centralized-power-billed-as-safety: one, or the other. It is pertinent to remember what Benjamin Franklin
said: _Those who would give up essential liberty to purchase a little
temporary safety deserve neither liberty nor safety_.

Julian Assange's strong statement in _Cypherpunks_ that we are galloping into
a new transnational dystopia is certainly correct. Yet it is also true to say
that, with massive transnational corporations even so blindly led as by the
profit motive, commercial interest in reaping the custom of the decentralized
masses actually aligns with the disempowerment of rogue nations acting
continually in defiance of international law and other jurisdictions' right to
self determination (such as the US) and instead acts to benefit the
preservation of basic digital freedoms for the many.

It's far too early to see what kind of world we will pass on to the next
generation, but we are at least blessed to live in interesting times.

------
marincounty
I think we will hear a lot of these stories, but they will be for show only.
The American government has access to all the server files. Companies will act
like they are fighting for our privacy, but the NSA will still be viewing the
files. The NSA might not ever say they are using the information found on
servers, but they will be looking for criminals and terrorists. When they find
the perps, they will use illegal wire taps and other means to get whomever
they want. I don't doubt for a second those Irish servers have back doors tied
directly to the NSA. Oh, Microsoft, Facebook, Google, etc. will all put up a
very public fight though. I have a question about cryptanalysis; In the
nineties, a Hacker named Iceman was arrested for a Card Swap Forum. He thought
he bricked his hard drives with encryption, but an eastern company broke the
encryption--easily. What form of encryption was he using? Thanks-

------
namesakes
Who cares whether it's subpoena or warrant, that's not the point. The point is,
you can't compel international company to break law in another country, f. ex.
suppose Chinese court would order (subpoena?) Microsoft to hand over emails
and pictures of a known political dissident, that are kept on US server, what
the hell do you expect Microsoft do? comply? stop doing business in any
country that has laws that conflict those of US? It's _very_ easy to imagine
such scenarios, in all areas really, patent law, finance, whatever. I think
the only real solution is those MLATs, or international agreements on handing
over data. Or maybe, in future, an international court, that could issue
subpoenas valid in all member nations, when investigating crimes with similar
enough laws in member nations.

------
ig1
The US government don't seem to realize that this could equally well be used
against them, for example another country where MS operates could file a
warrant requiring that Microsoft hand over US government files.

~~~
rayiner
No, the U.S. government understands the situation isn't symmetric. It spends
$700 billion a year ensuring asymmetry.

~~~
jessaustin
That money would be better spent on _any other purpose_.

------
motters
"The judge opined that the search would take place only when the e-mails were
opened and read"

That's a silly argument, because it's like saying I'm going to grab papers
from your home, but I'm not searching your home because the papers will only
be read back at the office.

------
oneandoneis2
Anyone else remember Microsoft cheerfully getting a US judge to overrule a
German court decision? Only to now insist that a US court can't compel them to
hand over an Irish server. Their views on jurisdiction matters seem to be
remarkably flexible...

------
madaxe_again
I guess this just goes to reinforce the fact that the US is a very hostile
environment for business, particularly web based businesses. Incorporate in
the EU!

------
tendom
America won the digital age, but the post-digital age will be won by whomever
builds the most progressive laws into privacy and digital rights. America is
at risk right now, and although momentum carries (hence why we even talk about
Microsoft decades after any real innovation), but if America doesn't quickly
course correct, they're soon going to find that the thing that made them great
was freedom to innovate and thrive. In this new era, America is no longer the
leader in freedom or the American dream. I hope whoever wins the next election
is at least aware of this, as a country that focuses more and more on IP as a
significant exportable product, if no one trusts or uses those products, and
the natural resources have already been significantly exploited, this does not
bode well for the long game.

~~~
gnopgnip
Besides a no true Scotsman fallacy here why do you think Microsoft is not
innovating?

~~~
tendom
Can you give an example where Microsoft has been innovating? Innovation means
'novel change' and I've not seen anything outside Azure that was even the
slightest bit novel. Ballmer was not a risk taker, but the Azure and VS teams
have been turning that ship, but it'll be years yet before I acknowledge
anything as novel.

BTW a logical fallacy cannot apply to a personal value judgement.

------
comex
The link to the filing in the article is currently broken. I think this is it:

[https://archive.org/download/gov.uscourts.nysd.427456/gov.us...](https://archive.org/download/gov.uscourts.nysd.427456/gov.uscourts.nysd.427456.15.0.pdf)

------
IanDrake
> Moreover, they say, imposing limits sought by Microsoft would “lead to absurd
results and severely undercut criminal investigations.”

The most dangerous argument made by government. There is no end to it. Someday
the exact same argument will be used to ensure we all have a telescreen in
every room of our homes because not having it would “severely undercut
criminal investigations.”

------
Faust1985
In Ireland a large momentum is gathering behind this, it's an insult to Irish
Sovereignty and recognition of its right to make its own laws.

Which in fairness the country has only had for a very short amount of time and
takes very seriously.

------
jmnicolas
What is harmful to cloud providers is secret warrants and intelligence
gathering, not an open warrant for drug trafficking.

MS is fighting the wrong battle here.

~~~
hrrsn
So because the accused are in the middle of a drug case, that makes this okay?

~~~
jmnicolas
No it makes it OK because everything is in the open.

When you're in the middle of a drug case it's pretty normal that they read your
emails.

It's not normal that they read secretly my emails when they have nothing
against me.

------
Ihmahr
Is there some NSA influencing online discussion in this thread? I mean
seriously, why the down votes?

~~~
sz4kerto
I don't think so :), we're not that important. So far only 3 comments have
been seriously downvoted -- one of them presented seemingly unfounded
information, the other one was simply unfunny trolling that should not be on
HN, the third one was mostly off-topic.

Because of - to some extent understandable - reasons MS hate is still quite
strong among this community but destroying an MS-related thread is
unnecessary.

~~~
dangero
Do you really think a site has to be "important" to be targeted? To influence
public opinion it seems like you'd just want to blanket influence as many
popular websites as possible. It wouldn't take that large a team to do it
given the right software.

~~~
sz4kerto
I was a part-owner and later a mod on a quite big forum (>500k registered
users, etc.). There were many people who always claimed that others who
disagree with them are paid shills -- I happened to know that they aren't at
all.

~~~
girvo
Heh, same here. If everyone who accused someone of being a shill was right,
then everyone would be a shill, almost. Hilarious stuff, literally insinuating
that someone had built up a reputation on a tech magazine forum over half a
decade to shill products. In fact, I think in the years I was a mod/admin, we
banned maybe one "shill", and even that was debatable and mainly because they
didn't post any relevant information for anything else.

------
comrade1
This is why my European clients are no longer using Amazon Web Services. For
awhile they let us put their projects on AWS's Ireland zones but even with
that they were reluctant. After the NSA revelations (I know that this
particular story is unrelated) they don't even allow that.

The projects were only content management system projects with minimal privacy
concerns. One project did have some customer data but the others were mostly
just marketing material.

Stories like this are just going to dry up the final remaining non-U.S.
customers for U.S.-based cloud computing companies. It's almost like the U.S.
government is trying to screw U.S. companies.

------
EdSharkey
Dear Microsoft,

I love it when you play rough, you sexy beast! DO NOT FORGET WHO OWNS YOU,
SLAVE! YOU ARE MINE!

Love, Obama and the NSA Spooks

P.S. I left you a little something extra on the nightstand, get yourself some
makeup.

------
dude3
For show and press. Microsoft was the first company to cave in giving the NSA
total unrestricted access to user information.

~~~
stinos
The first? Source?

~~~
adventured
I assume the parent is referring to this:

[http://upload.wikimedia.org/wikipedia/commons/c/c7/Prism_sli...](http://upload.wikimedia.org/wikipedia/commons/c/c7/Prism_slide_5.jpg)

~~~
dude3
Yes, I was, thanks for finding that.

~~~
MichaelGG
And exactly no information on how Microsoft cooperated or caved. For all you
know, the slide might just be indicating the NSA implemented
Microsoft-specific parsers before others. Or that they tapped MS fibre or datacenters.

------
hadoukenio
"Microsoft, one of the world’s largest e-mail providers, is resisting a
government search warrants blah blah blah"

[http://en.wikipedia.org/wiki/NSAKEY](http://en.wikipedia.org/wiki/NSAKEY)

Edit: Why the downvotes?

~~~
pling
Because it's bollocks?

To be honest I'm more worried that the crypto service providers as supplied
aren't available in their shared source license.

~~~
hadoukenio
Crypto? My favourite red herring:

"I love crypto, it tells me what part of the system not to bother attacking"
-- Drew Gross, forensic scientist

~~~
pling
How to debunk that comment:

OpenSSL, GNUTLS, Secure Transport

Done!

~~~
hadoukenio
OpenSSL and GnuTLS? Have you been under a rock the past couple of weeks?

~~~
adamnemecek
That's what he's talking about. Does the quote have a different meaning than
the literal one? Because otherwise I'm not sure I understand what you are
trying to convey with it.

