Email and information surveillance

Of jurisprudence and jurisdiction

1 August 2014

The recent ruling by a US circuit court judge that required Microsoft to surrender email data held on an Irish server has been upheld.

The company challenged the initial ruling, but Judge Loretta Preska of the US District Court for the Southern District of New York has rejected the appeal.

The issue is around an email address that was created with the US-based company where the account and content information were stored on Irish servers. Microsoft, supported by both Verizon and Cisco, challenged the initial order on the basis that the search and seizure warrant is being applied to a jurisdiction outside of US territory and therefore does not apply.

The ruling comes at a time when there is already a certain amount of nervousness in the industry with the revelations around state spying and monitoring, data residency and the obligation on US companies, irrespective of where they operate, to surrender requested data to their government.

There are fears that this may lead to US companies being disadvantaged, compared to their European counterparts, when providing web-based or cloud services, as many users might see these kinds of actions as undermining security and privacy.

But what does it all mean?

Well, the first thing worth mentioning is that this is not some change in the law or the general practice of it; this is pretty much the way it has always been.

In the initial ruling US Magistrate Judge James C Francis IV of the New York court wrote that if the territorial restrictions on conventional warrants applied to warrants issued under section 2703(a) of the Stored Communications Act, the burden on the Government would be substantial, and law enforcement efforts would be seriously impeded. The specific statute referred to covers required disclosure of wire or electronic communications in electronic storage by a US organisation. So the current case is more a first application of the specifics of what has been in place for quite some time.

Looking at this from a wider perspective, though, it does actually make some sense. Take, for example, a scenario like this: a criminal registers an email address with a US-based company that has a data centre in Ireland. The email address details are logged on a server in Grangecastle. The content related to that account is also on a server in the same place. The criminal then sends phishing emails to other US citizens within the lower 48 states and extracts money from them under false pretences. The authorities, in investigating the matter, will likely say that the actual crime was committed in the US, against US citizens by a US citizen, so what does it matter that the data requested in support of prosecuting the case resides on an Irish server? The issue then should be that a US court asks an Irish court to intervene and issue a search and seizure warrant for the data held within its jurisdiction. This is covered under an instrument known as a Mutual Legal Assistance Treaty (MLAT). But as Judge Francis points out, this is a time-consuming and onerous process.

However, what happened here is that the US court issued the warrant and expected it to be executed by the US-based company, irrespective of the jurisdiction where the data resides.

Looking at a slightly different scenario, it becomes less clear cut. What if an Irish citizen registers an email account with a US-based company and the account and content are again stored on an Irish server belonging to the US company? That Irish citizen then distributes information that was classified by the US government, such as the Wikileaks tranche from Bradley Manning. This is not a crime in the jurisdiction where the citizen lives. Should the US company honour a search and seizure order from the US court in this instance? Should the Irish government cooperate with the US government and issue a search and seizure order for the data in this instance?

From a more corporate perspective, the precedent set by this case would mean that companies outside of the US having data hosted by a US company within a jurisdiction obligated by the customer’s regulatory framework might still be subject to a warrant from a US court. So an Irish company that is obligated to keep data within the EU could still have data seized under a warrant issued by a US court, simply because it resides on a server operated by a US-registered company.

It must be borne in mind, though, that the requirements to get a warrant have not been reduced in any way. Anyone requesting a warrant for search and seizure in the US must still meet the requirements of probable cause and the issue at hand must be of sufficient gravity to warrant the, well, warrant. Not only that, but this is one case under investigation and not the same as something that might come under the Patriot Act, where there is no obligation on the service provider to inform the client company that their data has been surrendered to the US government.

But here’s another piece of speculation: what if, as for tax purposes, the Irish entity was actually an Irish registered company affiliated with the US-based company? Would the warrant be applicable then? Is the parent company’s role as a data controller enough to say that the local entity is still subject to the warrant?

It’s all a bit thorny … and foggy. Or dare I say it, cloudy.

TechCentral.ie