
Google must turn over foreign-stored emails pursuant to a warrant, court rules - severine
https://www.washingtonpost.com/news/volokh-conspiracy/wp/2017/02/03/google-must-turn-over-foreign-stored-e-mails-pursuant-to-a-warrant-court-rules/
======
drakenot
> _Electronically transferring data from a server in a foreign country to
> Google’s data center in California does not amount to a “seizure” because
> there is no meaningful interference with the account holder’s possessory
> interest in the user data._

So, because data can be copied and doesn't deprive the original account holder
of their data, this doesn't count as a seizure?

> _the electronic data disclosed by Google pursuant to the warrants will occur
> in the United States when the FBI reviews the copies of the requested data
> in Pennsylvania._

And because law enforcement will _review_ the documents in the United States,
this doesn't count as a "search" outside the US.

This line of reasoning seems really crazy to me. What if these had been
physical documents? Would this have been ruled in the same way? Say that the
US government photocopied a set of files outside the United States and planned
to only review them in the US.

~~~
Spivak
On the upside, I can't wait to cite this case whenever someone says that
piracy is theft.

~~~
segmondy
They said it's not seizure, they didn't say it's theft. Argument for piracy
has been that it's not depriving the original owner of the content, but that
has been argued against. So I'm not sure your argument will hold.

~~~
TazeTSchnitzel
Yes, the crime is copyright infringement, not theft, even if movie studios
like to spin the former as a form of the latter.

~~~
kahnpro
It's not a crime.

Stop calling it that. Copyright infringement is a civil offence. You get sued
by a movie studio for money, not prosecuted by the state and imprisoned.

But the industry is working to change that...

~~~
TazeTSchnitzel
Fair point, though it depends on your jurisdiction.

------
nsight
There seems to be confusion around what this specific decision is for.

This is not about foreign emails stored in foreign servers by Google. This is
about US emails that Google decided to store outside the US. Why do that? I'm
guessing Google has developed technologies like Spanner [1] that distribute
data on a global scale, to help with capacity, disaster recovery etc. Even for
data generated in the US and accessed in the US by US persons.

So if you have a US person's emails shipped outside the US by Google for no
other reason other than Google's convenience, do US warrants still apply to
the foreign-stored data? It's not a simple question.

The Microsoft Ireland case doesn't seem relevant as the person in that case
was a non US person. Or, to be more specific, the Ireland datacenter that MSFT
was running was meant for non US email accounts.

Overall, the US law seems to offer sufficient protection to non-US person with
data stored outside the US. This specific decision is not about that.

If I am missing something please let me know.

[1]
[https://en.wikipedia.org/wiki/Spanner_(database)](https://en.wikipedia.org/wiki/Spanner_\(database\))

~~~
magicalist
No, I don't believe this is correct. The source of the emails seems to never
be brought up. The discussion in the decision is pretty readable.

Essentially the argument seems to be because Google transfers data from
country to country in normal operations, the data currently stored outside of
the US is somehow different than the data Microsoft was permanently storing in
Ireland. As a result, Google could just transfer the data back to the US and
then the search is just a normal domestic search with a warrant:

> _Under the facts before this court, the conduct relevant to the SCA 's focus
> will occur in the United States. That is, the invasions of privacy will
> occur in the United States; the searches of the electronic data disclosed by
> Google pursuant to the warrants will occur in the United States when the FBI
> reviews the copies of the requested data in Pennsylvania._

Seems like the judge's argument would apply to _any_ user of a service with
multiple data centers that regularly replicate (or transfer) data between
them.

~~~
joatmon-snoo
You're right with respect to the point about the source of the emails.

> Seems like the judge's argument would apply to any user of a service with
> multiple data centers that regularly replicate (or transfer) data between
> them.

I find this decision even more onerous than that, which is disturbing on a
number of levels, specifically, this excerpt from the conclusion:

    
    
        under this court's interpretation, Google will gather the
        requested undisclosed data on its computers in California, 
        copy the data in California, and send the data to law 
        enforcement agents in the United States, who will then conduct 
        their searches in the United States. 
    

An important note is that this is not simply because the data in question is
sharded (and therefore cannot be guaranteed to be wholly present in some
single sovereign's jurisdiction - this conclusion is considered ancillary to
the SCA warrant extraterritoriality question).

------
israrkhan
Microsoft was in similar boat a while ago. They refused[1] to handover foreign
data, and court ruled in their favor[2]. Why does Google has to be treated
differently? This type of decisions pose serious threat to competitiveness of
US companies in a global market.

[1] [http://www.zdnet.com/article/microsoft-refuses-to-hand-
over-...](http://www.zdnet.com/article/microsoft-refuses-to-hand-over-foreign-
data-held-in-contempt-of-court/)

[2] [http://www.zdnet.com/article/microsoft-scores-privacy-win-
af...](http://www.zdnet.com/article/microsoft-scores-privacy-win-after-
appeals-court-decision/)

~~~
mynameisvlad
The real answer to your question is: Because the court system.

Specifically, because the magistrate that heard Google's case disagreed with
the other judge's ruling. It's specifically mentioned in the first paragraph
of the article, linking to the article as well as another one stating that a
rehearing on the Microsoft case was denied. Judges seem to be very split on
the issue, so it's a matter of who you get.

~~~
fennecfoxen
> Judges seem to be very split on the issue, so it's a matter of who you get.

This is generally when the Supreme Court starts to consider getting involved:
it is the venue to resolve discrepancies between lower courts.

------
rl3
> _The court also argued that this outcome was needed to avoid absurd
> results._

Sometimes it feels like the law is just a means to an end. USG wants access to
data regardless of jursidiction, so that's what it gets.

------
electic
Emails aside, this is more about using cloud in services in general. If you
use Google Compute or AWS, you are in this boat. This is why U.S. tech can't
be trusted.

~~~
rayiner
> This is why U.S. tech can't be trusted.

Do they not have warrants in other countries?

~~~
the8472
The issue is that the US law enforcement _should_ use a foreign legal system
to request legal assistance if they want to do a search in a foreign country,
which would allow affected parties to use the local court system to defend
themselves.

How would you (assuming you're american) feel if the english police entered
your corporate office to seize documents and told you if you had issues you
would have to deal with it in england?

That's how everyone else feels about the US thinking they have jurisdiction
over their documents stored on some 3rd party providers which - under local
laws - have obligations to maintain the customer's privacy.

~~~
rayiner
I hadn't thought of that, thanks.

------
emptybits
So should we soon expect courts to reject copyright infringement or piracy
claims?

So says the court in the article: "Electronically transferring data from a
server in a foreign country to Google’s data center in California does not
amount to a “seizure” because there is no meaningful interference with the
account holder’s possessory interest in the user data."

My point is there could be analogies drawn. If taking copies of an email
without the email owner's permission doesn't violate the owner's interest,
then perhaps taking copies of media works without the owner's permission
doesn't violate the owner's interest either? I'm suggesting strictly viewing,
non-commercial use.

~~~
dragonwriter
Copyright infringements is not, even in principle, about seizure or possessory
interest, so there is no relation between your question and the quote it is
supposedly based o .

~~~
WildUtah
Neither is search and seizure about a possessory interest. It's about privacy
and security. Even in the eighteenth century it was about "persons, papers,
and effects." It was always an information security question.

~~~
dragonwriter
A seizure is defined, basically, as something that harms a liberty (if a
person is the subject) or possessory (if the subject is not a person)
interest; without that there is no seizure, reasonable or unreasonable.

Likewise a search is something that harms a privacy interest.

------
linkregister
I wonder what effect this has on international relations and treaties. How
will the U.S. government respond when a European Union country's authorities
furnish a warrant to Google for information about U.S. persons, using the same
precedent?

I find it hard to believe this doesn't conflict with at least one of the
treaties the U.S. has signed with the EU.

~~~
electic
Doesn't work that way. The thing is as long as the people in the Justice
Department get what they want, they are happy. They don't care about you.

Just like the NSA. Once they figure out a 0-day, they use it to hack foreign
entities. They won't help fix it by telling the U.S. software company. In
other words, they don't care if you get hacked.

~~~
linkregister
None of what you said addresses what I wrote.

U.S. courts are constrained by existing treaties, as long as they are ratified
by the U.S. Senate.

~~~
hadfgdasf
Please name a data privacy treaty the U.S. has ratified.

------
throw2016
I think democratic states who set themselves up as models of free societies
have a higher responsibilty to live up to these values.

The fact that fascist or authoritarian states passed laws to support their
excess does not change our perception of them or make anything 'legal'.

Authoritarianism couched in legalese is still authoritarianism. We are now 10
years into using the legal system to set extremely dangerous precedents and
are guilty of insidiously corrupting and trivializing the democratic movement
set up after the second world war.

Our evangelism of free and democratic values will now lack authenticity and
will inevitably be perceived as self serving posturing and hyprocrisy. This
loss of the moral high ground is a high price to pay for some generational
politicians and NSA bureaucrats tinpot tendencies. The system is not working.

------
eriknstr
No surprise there. Doesn't help where the servers are as long as the company
is in the US.

~~~
bifrost
It does somewhat, Google transferred the data to the US.

~~~
dibstern
US companies and the data they control is obviously going to be under the
jurisdiction of law enforcement where the company is located, in the US.

Especially if the data storage location is, for all user purposes, arbitrary.

~~~
the8472
They are also under the jurisdiction of their foreign offices and have to
adhere to privacy laws abroad. Which means it may be illegal in other
countries for google to execute that order on foreign soil.

And that is why we have separate jurisdictions in the first place, to avoid
such irreconcilable conflicts.

------
k-mcgrady
Could someone explain whether this has an impact on the EU Privacy Shield law?
Is this a workaround those? Does it only apply to data of US citizens held
outside the US or can the FBI now seize data of non-US citizens, held abroad,
without going through local (non-US) authorities?

If this is a workaround for EU privacy laws it'll be the final straw for me
and I'll be moving my data from Google but it's a complicated area so some
clarification would be nice.

------
dibstern
I don't understand why this is bad.

The argument makes sense. If you are conducting your business via email using
an American provider, expect it to be subject to American law.

I don't see how this could be unusual or a shock to anyone.

~~~
pyrale
If you start behaving like that, expect foreign governments/clients to
ban/boycott american providers.

Jurisdiction is an important concept, and if the american justice starts using
the good economic position of its companies to bypass or expand its
jurisdiction, it should be expected that the feedback will effect said
economic position.

While this case seems to be a bit different from the Ms case, the court
essentially orders a private entity to take action in a foreign country,
something which it could not do itself. This seems wrong to me. Instead, the
issue is probably that this info should probably not be foreign if the
producers were domestic.

~~~
WildUtah
_If you start behaving like that, expect foreign governments /clients to
ban/boycott american providers._

If it were a real concern to anyone, the EU countries would have simply used
their big stick and started banning Google and Microsoft from doing business
until they cleaned up their acts.

And they'd have done it years ago.

As long as it's the US government violating your privacy, those EU countries
are perfectly happy to see their data privacy laws neutered.

~~~
pyrale
The situation is not immune to change. E.g. the election of Trump, and more
specifically the executive order he passed calling for the stripping of any
expectation of privacy for all foreigners may spur europeans to action.

At least currently, there seems to be a trend in the EU pleading to shield
ourselves from US interference, and the tech cos are probably the obvious
first target.

------
ww520
Encryption all the way.

------
herbst
I mean it does not surprise me at all. But pretty sure that is theoretically
illegal from my POV.

------
tomrod
It's been fun, Gmail, but I think it may be time to go.

Not that I have anything to hide, but I don't like my protections being
whittled away.

Any suggestions on what provider to seek out now? Lavabit?

~~~
sbov
How about yourself?

~~~
tomrod
I'm not sure where to start. What do you suggest?

~~~
pmlnr
[http://www.iredmail.org/](http://www.iredmail.org/) for mail,
[http://radicale.org/](http://radicale.org/) for contacts and calendar,
[http://www.rainloop.net/](http://www.rainloop.net/) for better webmail. Ask
[https://indiehosters.net](https://indiehosters.net) to set it up for you for
a minor fee.

------
ComodoHacker
I find WP's new "subscribe to read" policy extremely abusive. It will result
in some random unfortunate people receiving unsolicited crap into their
inboxes. I hope someone will collect their complaints and sue WP for this.

------
mtgx
> _Indeed, according to the Stipulation entered into by Google and the
> Government, Google regularly transfers user data from one data center to
> another without the customer’s knowledge_

Seems like this one is completely on Google.

So if you want to be protected against this type of seizure, stop using
Google, or any other American service that brings its data from its EU servers
over to the U.S.

EDIT: And why is this an "opinion post"? It didn't have to be one. I thought
the Washington Post was using its recent surge in profits from covering Trump
non-stop to hire more investigative journalists, not pay for more biased
opinion pieces?

Orin Kerr is one of the original proponents of a "golden key" for encryption,
so I would at least take his suggestions with a pretty big grain of salt.

~~~
pcl
I haven't read the Google ToS, but I wonder if it would matter to the USG if
the Google ToS made stipulations about transparently moving data _within_ a
region versus _between_ regions.

