A definitive victory, for now…
The US federal court decision to uphold Microsoft’s appeal against an earlier judgement compelling it to release email information stored on a Dublin server has been broadly welcomed, not least by Redmond.
The issue, in a nutshell, was that an email information from a suspect in a drug investigation resided on a Microsoft server in Dublin. The US government wanted to get that information. Nothing new here then. As part of criminal investigations, there are all sorts of agreements, arrangements and legal instruments to allow just such access.
However, in the past, certain instances of these requests, one of which is mutual legal assistance treaties (MLAT), took too long or were legitimately refused, leading the US government to seek other methods.
“The 1986 act was never meant to cover jurisdictions outside of the US and so does not apply as far as a Dublin server”
One of these was a seizure order under the 1986 Electronic Communications Privacy act which has no specification of geographical distinction for where the data covered may reside.
Microsoft said that it was happy to comply with any normal instrument by which it would surrender such evidence, such as MLAT, but that this request was essentially going against all the privacy assurances it had provided. More specifically, Microsoft, and many others in the industry, recognised that complying with this order without objection would essentially portray US services in this arena as being entirely open to US surveillance and so may threaten the ability of any service provider to operate outside of the US, and specifically within the EU.
Fast forward to this week, and after an initial awarding of the order, an appeal, and counter appeal and now this federal court win, the upshot is that the 1986 act was never meant to cover jurisdictions outside of the US and so does not apply as far as a Dublin server.
It appears as if Microsoft has been entirely justified in its stance which relied on a few main points. Namely that a range of instruments and methods existed, and which it has complied with in the past, to cover such request and that no new short cut was needed. On the downside, it also pointed out that inadequacies, perceived or otherwise, in such facilities that resulted in delays or refusals, were no fault of Microsoft’s.
Secondly, that the act cited did not extend to the Irish jurisdiction.
Thirdly, that there would be a threat to the very industry in complying with this ill-conceived endeavour that would ultimately undermine the ability of US companies to provide such services at all, with longer term implications for their participation with governments and the public sector worldwide.
So, with the first two planks vindicated, what about the third?
The backing that Microsoft received, around the same time as the whole FBI looking for an iPhone backdoor debacle, would seem to add weight to the argument. The likes of Verizon, Apple, Accenture and Rackspace, among others, all voiced their support for Microsoft’s stance. Indeed, our own government rowed in too.
Support and admiration
And today, there have been other messages of support from leading industry figures, such as Simon Crosby, CTO and co-founder at Bromium, formerly of XenSource and Citrix.
“Although privacy advocates will claim that this is a major win, it is really a win for the rule of law,” said Crosby.
“Microsoft has long maintained that if the US Government wants data stored on a server in Ireland, it can do so by pursuing its claims through the Irish legal system. Microsoft’s position has been vindicated. This is an excellent outcome and we all owe Microsoft our gratitude for preventing the US Government from overreaching its authority. If it has succeeded here there would be negative effects on the tech industry, in particular cloud and SaaS providers — in effect a chilling consequence on the computing industry.”
However, the story is unlikely to finish there.
Quoted by IDGNS, Roy Hadley, a lawyer with cybersecurity expertise for US firm Thompson Hine, opined that the issue is likely to be far from over, despite the federal court ruling.
“There’s a fine line between privacy and national security,” he said. “And it’s a difficult line to walk.”
Hine reckoned the US government would appeal.
Another legal commentator in the field, Craig Newman, Patterson Belknap Webb and Tyler, said that while the tech industry is no doubt breathing a sigh of relief, the real work is in turning legislation from the analogue past into something workable for the digital present.
So, where to from here? Another round of appeals and counter decisions, or will it just miraculously disappear as did the iPhone backdoor case, when the another technological solution is found?
Hard to say, but it is unlikely we have heard the last of this.