A federal appeals court in New York on Thursday ruled Microsoft is not required to provide emails to U.S. law enforcement officials if those emails are stored on servers located overseas. The decision, which is a reversal of a 2014 U.S. district court ruling, is the latest development in a case that has been the subject of intense attention from across the technology sector, which fears that an ultimate judgment against Microsoft could imperil long-term viability of the domestic cloud computing industry.
The case involves an order by the Justice Department compelling Microsoft to provide information about the emails of a user on the company’s MSN.com webmail program as part of a drug trafficking investigation. Microsoft balked at the government’s request to turn over the emails, because the data was housed on a server in Ireland rather than the United States and the Irish government had not made the demand.
There is a mutual legal assistance treaty between the two countries, but circumventing that international process would make evidence-gathering significantly faster and easier for U.S. officials. Neither the identity nor the nationality of the suspect have been publicly released.
The ruling says that the 1986 Electronic Communications Privacy Act—which predates the near-universal adoption of email among Americans, as well as the World Wide Web itself—does not “authorize courts to issue and enforce against U.S.-based service providers warrants for the seizure of customer email content that is stored exclusively on foreign servers,” the court wrote in its 63-page decision.
“[This] rational policy outcome … [should be] celebrated as a milestone in protecting privacy,” Judge Gerald Lynch added.
Microsoft President and Chief Legal Officer Brad Smith praised the decision in a statement. “We obviously welcome today’s decision by the Second Circuit Court of Appeals,” he said. “The decision is important for three reasons: It ensures that people’s privacy rights are protected by the laws of their own countries; it helps ensure that the legal protections of the physical world apply in the digital domain; and it paves the way for better solutions to address both privacy and law enforcement needs.”
Justice Department Spokesperson Peter Carr expressed disappointment about the court’s decision. “Lawfully accessing information stored by American providers outside the United States quickly enough to act on evolving criminal or national security threats that impact public safety is crucial to fulfilling our mission to protect citizens and obtain justice for victims of crime,” Carr said.
The Electronic Frontier Foundation, which joined with a handful of other civil rights organizations to file an amicus brief supporting Microsoft in the case, hailed the decision for protecting the privacy rights of people across the globe.
“The court concluded that under the Stored Communications Act the government can’t use a U.S. search warrant to obtain a customer’s email stored on servers outside the country,” an EFF spokesperson said in a statement provided to the Daily Dot.
“In our amicus brief supporting Microsoft in this case, we urged the court to reject the government’s argument that the search warrant it obtained for email contents was like a subpoena that would require Microsoft to turn over information, regardless of where it was stored. The court recognized the vital privacy protections under the SCA, and correctly ruled that the government can’t use a U.S. search warrant to force Internet service providers to reach email stored outside the U.S.”
The reason for this industry-wide concern is the implications of the ability of the U.S. government to unilaterally access the data held by any U.S.-based cloud computing provider, regardless of where the server housing that data is physically located.
Following the revelations of the omnipresent government surveillance of electronic communications coming from a massive trove of classified documents made public by former NSA contractor Edward Snowden, there was an international shift from many American technology products. One study estimated that Snowden’s leak cost the U.S. cloud computing industry as much as $35 billion.
Firms like Microsoft have implemented data localization measures, like hosting cloud services outside the U.S., as a way to assuage those fears. However, if U.S. authorities can pull any piece of data any U.S. firm has located anywhere in the world, privacy-conscious customers, both individual and corporate, will likely take their business elsewhere.
“It makes clear that the U.S. Congress did not give the U.S. government the authority to use search warrants unilaterally to reach beyond U.S. borders,” Smith noted in his statement about Thursday’s ruling. “As a global company we’ve long recognized that if people around the world are to trust the technology they use, they need to have confidence that their personal information will be protected by the laws of their own country.”
On the other side, many law enforcement officials worry that if Microsoft were successfully allowed to refuse to comply with data requests due to the physical location where that data is stored, it would make it significantly more difficult for investigators to quickly track down specific pieces of information.
Want to stymie U.S. law enforcement? Store your data in the cloud fragmented over many locations outside U.S.— Orin Kerr (@OrinKerr) July 14, 2016
The Justice Department is currently weighing its options with regard to what further steps it should take in the case.