US court demands e-mails kept on Dublin server
In a move set to put the US on a collision course with the EU, a court in New York has ruled that users’ e-mails and other data can be handed over to US law enforcement when a search warrant is issued, even if the data is stored overseas.
Microsoft must hand over a user’s e-mails stored on a server in Dublin, ruled magistrate judge James Francis of the US District Court of the Southern District of New York.
In December, Francis authorised the search and seizure of the contents of all e-mails, records and other information regarding the identification of one of Microsoft’s webmail users.
While Microsoft’s Global Criminal Compliance (GCC) team turned over so-called non-content information stored on US servers, such as the user’s name and country as well as address book information, it refused to hand over the contents of the e-mails because they were stored on a server in another country. For this reason the company sought to quash the search warrant, arguing that US courts are not authorised to issue warrants for extraterritorial search and seizure of e-mails.
Judge Francis, however, disagreed and denied Microsoft’s motion to quash the warrant.
“Microsoft’s argument is simple, perhaps deceptively so,” Francis said in his ruling.
If the warrant had been a conventional search warrant, Microsoft could have been right, since there are territorial restrictions on those warrants, Francis said.
However, a search warrant on electronic communications is not conventional but rather a hybrid: part search warrant and part subpoena, he said.
“It is executed like a subpoena in that it is served on the ISP in possession of the information and does not involve government agents entering the premises of the ISP to search its servers and seize the e-mail account in question,” he said.
If the territorial restrictions applied, it would be very easy for criminals to evade such search warrants, Francis said.
Service providers are not obliged to verify information provided by a new user when an account is created, he said. Since Microsoft assigns each newly registered account to the closest datacentre based on the country code that the user enters at registration, warrants could be evaded by simply giving false residence information, causing the ISP to assign an account to a server outside the US, he said.
Moreover, if treated like a conventional warrant, “the burden on the government would be substantial, and law enforcement efforts would be seriously impeded,” Francis said. To obtain the contents of e-mails stored abroad, US law enforcement would have to comply with treaties that require the cooperation of two governments. Such requests could be time-consuming or even denied, Francis said, adding that the US does not have such treaties with all countries.
Microsoft disagrees with the decision, said David Howard, Corporate Vice President & Deputy General Counsel at Microsoft, in a blog post.
While the law is complicated, the issue is straightforward, he said: “It’s generally accepted that a US search warrant in the physical world can only be used to obtain materials that are within the territory of the United States.” Therefore, he added, the US government should not have the power to search the content of e-mail stored overseas.
This procedure is just a start, though. “When we filed this challenge we knew the path would need to start with a magistrate judge, and that we’d eventually have the opportunity to bring the issue to a US district court judge and probably to a federal court of appeals,” Howard said.
“We’ll continue to pursue this issue because we believe we’re right on the law and because our customers have told us they value our privacy commitments,” he said.
The ruling puts the US in direct conflict with the EU, whose own data retention directive was thrown out of court last April for, among other things, failing to define the nature of data that can be requested about a user or to specify a period of time for which data can be held.