Microsoft scored a major victory in their three-year battle against U.S. law enforcement last week when the Second Circuit unanimously ruled that the government cannot compel the tech company to hand over emails stored on a server in Dublin. The question now is, who will act first, tech companies or Congress?
It’s been a long road for Microsoft to get to this point. The case started years ago when the government served Microsoft with a warrant pursuant to section § 2703 of the Stored Communications Act (SCA) to obtain the content of emails for a customer on the company’s Outlook service. While they complied with demands to turn over account information stored on its servers in the U.S., Microsoft refused to give up the emails themselves, which were stored on a server in Ireland.
And initially courts did not seem sympathetic: Microsoft lost their initial bid to vacate the warrant, and on appeal with the District Court for the Southern District of New York they lost again. But now its appeal to the Second Circuit has—decidedly—brought the favor back around to the tech giant.
In an unanimous decision, the Second Circuit said that prosecutors went beyond what Congress had intended with the SCA, acknowledging that a lot of time has passed since the act was introduced.
“Neither explicitly nor implicitly does the statute envision the application of its warrant provisions overseas,” said the court’s decision, written by Circuit Judge Susan L. Carney, which warned that allowing this warrant to be enforced would “replace the traditional warrant with a novel instrument of international application.”
It’s a big win for both the tech companies that house over a billion customers’ data, while also protecting the rights of consumers who might not be under U.S. jurisdiction. It’s also a reminder of how tangible borders can affect the laws of seemingly detached data.
“The case reminds us that even though a lot more information than ever before is stored electronically, it still matters greatly where it is stored. Crucially, electronic storage is not the same as accessibility via the internet,”Philip Segal notes on The Ethical Investigator. “Which jurisdictions the boxes are in can make all the difference.”
Which is sort of what the government is worried about here. Now that a court has upheld Microsoft’s defense here, it’s pretty easy to envision a future where technology companies simply store sensitive information or whole servers abroad where law enforcement couldn’t get at it under the SCA. And with an ongoing and public battle about the government’s intrusive behavior, it’s not out of the realm of possibility that a company might want to extricate themselves from that battle entirely by moving data centers and servers away.
But as Sarah Grace writes for A&L Goodbody’s International Blog, tech companies are rightfully wary of the sort of unlimited warrant upheld until now, as was the Second Circuit:
Over 80 amicus curiae briefs supporting Microsoft’s appeal had been filed by leading technology and media companies, trade associations, advocacy groups, computer scientists, and the Irish Government itself.The significance of the judgment notably turns on the rising concerns amidst the technology sector of a “free for all“, giving law enforcement authorities extensive powers to seize data stored outside their jurisdiction. The decision secures privacy protections for companies moving the data they hold to cloud systems outside the US.…Judge Lynch, concurring with the judgment, recognised the many problems of Internet privacy that the SCA does not address, and called for Congress to clarify and revise the “badly outdated statute”. In underlining the prosecution’s argument that the law as it stands allows companies like Microsoft to impede law enforcement efforts, he said that it was Congress’s role “to strike a balance between privacy interests and law enforcement needs”.
Which means that if the government really wants to see something change here it’s not Microsoft, or even the courts they should be arguing with. This decision—whether it ends up appealed to the Supreme Court (which seem likely) or not—seems to communicate clearly that the courts won’t be helping the U.S. circumvent the existing Mutual Legal Assistance Treaty (MLAT), nor will they be going against the newly-minted Privacy Shield’s arguments about respecting personal privacy.
It’s Congress that holds the keys to the kingdom in this case. For instance they could work on passing the International Communications Privacy Act, introduced this past spring in both the Senate and the House, which seeks to amend Title 18 of U.S. Code to reform MLAT and allow enforcement to obtain electronic communications relating to foreign nationals in certain circumstances. It could be just the start of how privacy rights have become murkier in the 21st century. Otherwise law enforcement might have to let Microsoft take the reins here.
“We hear from customers around the world that they want the traditional privacy protections they’ve enjoyed for information stored on paper to remain in place as data moves to the cloud,” said Brad Smith, Microsoft president and chief legal officer. “[The Second Circuit’s] decision helps ensure this result.”
No comments:
Post a Comment