Hacker News new | past | comments | ask | show | jobs | submit login
Microsoft wins federal appeal over warrants for data held outside US (rt.com)
153 points by vezycash on July 14, 2016 | hide | past | favorite | 31 comments



This is great news (for consumers world-wide and for American companies). Bad for European companies which could have used this as a competitive advantage.

As someone else said in this thread, it restores some sanity to US extraterritorial jurisdiction.


> As someone else said in this thread, it restores some sanity to US extraterritorial jurisdiction.

It doesn't seem that obviously sane to me, since it means we have a largely arbitrary distinction between electronic documents and physical documents.

For instance, suppose you loaned me a valuable physical document of yours. I put it in a safe deposit box at a bank in the United States. You ask for the document back and I refuse. You could go to court and get a court order telling me to return the document to you.

Now supposed instead I had put that document in a safe deposit box in a bank in Mexico. You would still be able to get a US court order telling me to return the document to you. To avoid contempt of court, I'd have to go to Mexico and retrieve the document.

Yet this would not be seen as the US court trying to exercise extraterritorial jurisdiction over Mexico or Mexicans. Mexico has no problem with me going there and retrieving items from my safe deposit box [1]. It is irrelevant to them why I've decided to retrieve the document from my safe deposit box.

We also have a kind of similar thing with money. If I owed you $1 million, and you sued to collect, a court might order me to transfer $1 million to you. If I had arranged things so all of my money was in a foreign bank account, and I only had a few thousand dollars worth of seizable assets in the US, the court could still order me to transfer the money from my foreign bank account, and that would not be seen as extraterritorial jurisdiction.

If we make a slight change, so that I've lost the key to my safe deposit box and the bank is refusing to bypass this and open the box for me, and the court ordered the bank to open the box and turn over the document, then it would matter where the bank is located.

If the bank was in the US, no problem. If the bank was in Mexico, then the US court attempting such an order would be attempting to exercise extraterritorial jurisdiction. The difference is that now they are trying to compel Mexicans to do something.

OK, now let's switch to an electronic document. So instead of storing it in a safe deposit box in the above scenarios, I'm storing it on a server. Let's say I have servers in both the US and in other countries. When I store a document, I pick where to put it based on considerations such as available capacity at my various servers, network latency, storage cost, and other things like that. Assume I'm in the US, and I control all my servers from my office in the US.

I can't see any reason to treat this different than the safe deposit box or money scenarios.

Basically, if I have control over something and can legally move it around or transfer it, then a court that has personal jurisdiction over me ordering me to move that thing around or transfer it is just exercising its personal jurisdiction over me. It is not trying to exercise jurisdiction in or over the place where the thing resides.

[1] well...I'm just assuming that foreigners are allowed to have safe deposit boxes in Mexican banks. If Mexico restricts foreign use of safe deposit boxes, pretend that instead of Mexico I picked some country that does allow foreigners to use safe deposit boxes.


For instance, suppose you loaned me a valuable physical document of yours. I put it in a safe deposit box at a bank in the United States. You ask for the document back and I refuse. You could go to court and get a court order telling me to return the document to you.

Now supposed instead I had put that document in a safe deposit box in a bank in Mexico. You would still be able to get a US court order telling me to return the document to you. To avoid contempt of court, I'd have to go to Mexico and retrieve the document.

This case isn't about discovery, it's about search warrants. In the case of discovery, it's pretty established that a parent company is, generally, required to produce documents of a foreign subsidiary.

The requirements for search warrants are different. Generally, search warrants are only valid for the jurisdiction in which the application comes from. In the case of documents/servers/safe deposit boxes/etc in Mexico, the US would not have jurisdiction, and would be required to gain the cooperation of Mexican law enforcement.

This is why this case is even being heard. The US wanted to force Microsoft to allow a search of a foreign subsidiary's documents, knowing that the law enforcement of the country in question would never execute the search (since it's illegal in Ireland).

Edit:

A key difference between a search warrant and the discovery process is who the courts are ordering to take the action in question. "A search warrant is a court order that a magistrate, judge or Supreme Court official issues to authorize law enforcement officers to conduct a search of a person, location, or vehicle for evidence of a crime and to confiscate any evidence they find."[0]. Contrast that with "A motion to compel asks the court to order either the opposing party or a third party to take some action. This sort of motion most commonly deals with discovery disputes, when a party who has propounded discovery to either the opposing party or a third party believes that the discovery responses are insufficient."[1]

In the search warrant case, the court is authorizing a law enforcement to take an action. In the motion to compel case, the court is ordering the non-compliant party to take an action.

[0] - https://en.wikipedia.org/wiki/Search_warrant

[1] - https://en.wikipedia.org/wiki/Motion_to_compel


I honestly don't think I've ever seen or heard a legal analogy that was legally analogous at all.


If they didn't win why would any country want to use an American cloud provider? The USA could be shooting themselves in the foot in a big way. Trust is key to adoption.


If I understand this correctly this means a corporation could buy an independent island, store the data there and the US could not issue a warrant for information from those servers. I wonder what this means for servers on barges as well. Google had a plan to build floating server farms a few years ago.


The ruling in this case means that they do not even need to buy an independent island. They already have one, i.e. Ireland. This ruling just restored a little bit of sanity to the state of warrant procedure and US extraterritorial jurisdiction.


But they don't need warrants to get information intercepted by Ireland - they freely trade information with their security services


Yes, but first someone in Ireland has to get a warrant to allow someone t intercept those information. And with a very good reason that violates Ireland laws.


Comity still applies, so the Feds could ask Ireland to issue warrants to get whatever data they need.


Buying a private island doesn't give you sovereignty over it. There's pretty much no land that's not part of a sovereign state these days.

Further, the ruling is based on an interpretation of Congressional statute, not the Constitution. If American companies began moving their datacenters overseas en masse, Congress could just change the law.


China's strategy of building their own islands seems to have been overruled as well, although I think the wrinkle of datacenter islands being in (previously?) international waters might be different enough.

What happens if an underwater volcano goes off one night, and the next morning there's a new island in international waters? Presumably there wouldn't be any guano to fall prey to the US Guano Islands act [1].

[1] https://en.wikipedia.org/wiki/Guano_Islands_Act


>China's strategy of building their own islands seems to have been overruled as well

The rulings of international courts on such matters are irrelevant. Unless someone militarily stops them, or applies enough leverage elsewhere to convince them to stop, they will continue to build the islands and they continue to treat them as Chinese territory. The constant and aggressive American naval presence is the only thing stopping China from claiming the South China Sea as territorial waters.


I think such rulings would be quite relevant to a private company with no military to speak of. While the Philippines or Japan can't quite tell China to shove off, they could certainly tell Microsoft or Google, and this ruling says that it's quite within their rights to do so.


Tell Google to shove off over what? I don't follow.

Google building a island, claiming sovereignty, and hosting from there, as opposed to from some third country, would be without consequence regardless of whether their claim to sovereignty is deemed legitimate by some international court.


wat ... It's crazy that this is a thing


No need for an independent island. That would be messy and require a political revolution, after all. Instead, just build a really, really, really big ship. Use solar arrays / wind turbines to generate electricity. Sensitive data resides on the ship, which then floats hither and thither through international waters.

But maybe there's some Law of the Sea thing that makes that infeasible. (Not to mention the technical ridiculousness.)


How many 'independent island's are out there for sale.


There are probably several entire nation-states that you could buy with $100 billion, if you thought it would be a worthy investment.


Microsoft is already researching this:

http://natick.research.microsoft.com


any cost they would save on cooling would be lost on the incredibly expensive repairs process of getting the pods out of water or getting someone down there to fix it.


It says foreign - which I think means under other sovereignty ...

Basically the case was - there was no way MS to comply with US laws without breaking Ireland's ones.

Also independent island could be turned into very dependent extremely fast by a team or two of Navy SEALs


It doesn't even appear that this ruling took Ireland's laws into consideration. If this summary is accurate, then the appeals court merely ruled that a domestic warrant could not be used to retrieve foreign materials.

The proper procedure here is to work through the State Department to get a warrant in Irish court. Presumably they didn't do that because they knew it would be futile, in light of Ireland's data protection laws.


It seems like access to data on US soil is a competitive dis-advantage for American companies.


Or perhaps an advantage. Data stored on US soil is subject to more legal protections. Data stored in other countries is fair game for American intelligence agencies, the most sophisticated in the world by far, to hack and steal. This case was just about whether the US government could compel Microsoft to hand it over with a warrant.


Legal protections like what, FISA court orders?

http://www.motherjones.com/mojo/2013/06/fisa-court-nsa-spyin...


Intelligence agencies have no issue breaking the law, so no, keeping data in the US does not keep it safe from the NSA/CIA et al.

This was about Law enforcement, they do need warrants to get and use the data obtained. Data in the US would only need a domestic warrant, which is never going to be hard to obtain. Microsoft was arguing that data in Ireland was out of the domain of US domestic warrents, and the judge agreed.

Your data is safer from the US when it is outside the US. At least law enforcement doesn't have carte blanche access to it.


Right, because No Such Agency has thus far demonstrated such careful regard for whether the packets it's sniffing are foreign or domestic. My data would totally be safest from my own government within its borders, where things like FISA and NSLs work.


The US will appeal the ruling?

Also, does Rule 41 changes from SCOTUS due Dec 1 basically make this ruling obsolete?

https://fcw.com/articles/2016/06/30/wyden-rule-41.aspx


My reading is no, since the Rule 41 changes still require the warrants to be issuable under US law, just removing the requirement that the actual data be held within the geographic jurisdiction of the particular court to be affected. As this ruling turned on the presumption against exterritorial application of US law and not on the geographic jurisdiction of the particular court issuing the warrant, it would be unaffected by the changes.





Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: