Microsoft prevails in US Stored Communications Act ruling over Dublin servers | What does it mean for providers and users of cloud services?

Two years ago, I wrote about the US government's attempt to require Microsoft to hand over to it data within Microsoft's control regardless of the location of that information. Now, finally, Microsoft has prevailed in the case, which will be important for both providers and users of cloud storage services.

The dispute centred on whether the US Stored Communications Act (SCA) required Microsoft - as a US headquartered company - to produce to the US government emails stored on servers located in Ireland.

The case was closely watched because of privacy concerns raised by other governments, particularly in the European Union, and by interested advocacy groups - not least in the cloud sector where many EU-based cloud customers had become concerned about the US government being able to access their and their customers' data.

The SCA limits how service providers, such as Microsoft, that store user data can disclose that information. In particular, certain information can be disclosed to the government only if the government obtains a warrant. It has been interesting, over the years, to see how cloud providers have approached the threat of the SCA. Many prominent cloud providers - even those who offer ring-fenced EU-based servers - rely on a clause (usually hidden away in the small print) that preserves their right to disclose data demanded by the US government regardless of their customer's wishes.

In this case, the US government did obtain a warrant as required by the SCA, but Microsoft took the bold step of challenging the scope of the warrant. And it refused to produce the information hosted in Ireland, arguing that the SCA, and the warrant, did not apply to emails stored on servers outside of the United States, and thus that Microsoft could not be required to produce the information in response to the warrant.

Microsoft argued, and the US appeals court finally accepted, that because the emails were physically stored outside of the United States, it was not required to produce them pursuant to the government's warrant.

The key concern for many cloud (and, indeed, outsourcing) customers outside the US that rely on a US-based or headquartered service provider is the extent to which US laws in this area have extraterritorial application. Or, more simply, just how long is the long arm of US law?

In a key section of its judgement, the court concluded that the SCA does not permit extraterritorial application and so warrants to demand data disclosure do not extend beyond the borders of the United States.

Based on the conclusion that, under the SCA, a government seizure of emails is permitted only in the United States, the court also addressed the issue of whether the seizure of the emails would actually occur in the United States. While the government argued that Microsoft could - from the United States - access the emails stored on servers outside the United States and bring them back into the country, the court found that these facts did not support the notion that the actual seizure of those emails would indeed occur in the United States. In other words, because the data at issue, stored in Dublin, is within the jurisdiction of a foreign sovereign state, the warrant authorising the seizure cannot apply to that information: it applies only to information covered by the SCA, which is information within the United States.

So the court concluded that the warrant could not be applied extraterritorially and, in turn, could not be used to support the extraction of emails stored in Dublin to the United States under the SCA.

This ruling will provide comfort for US companies that provide stored communications services, such as email, on a global basis. For now at least, data of non-US entities held outside the US by US-based providers of cloud services do not appear to be directly accessible to US law enforcement through the use of warrants under the SCA. The key issue is whether the information is stored in servers within the territory of the United States.

While this judgement is encouraging for non-US entities worried about data disclosure, it may not be the end of the story. The Justice Department may either appeal or seek a legislative fix.

Or the US government may fall back to rely on Mutual Legal Assistance Treaties, which provide a framework for countries to obtain assistance from one another to, among other things, obtain and execute search warrants in their respective jurisdictions.


Copyright © 2016 IDG Communications, Inc.
