Warrant on Microsoft’s Irish Servers Quashed

     MANHATTAN (CN) — The long arm of U.S. law cannot stretch across the Atlantic Ocean to enforce a warrant on servers that Microsoft maintains in Ireland, the Second Circuit ruled Thursday in victory for global privacy advocates.
     All three judges on the appellate panel endorsed quashing the warrant today, but one wrote separately to urge that Congress enact a law balancing global privacy with prosecutorial power in the digital age.
     Microsoft’s president Brad Smith hailed the ruling as a “major victory for the protection of people’s privacy rights under their own laws rather than the reach of foreign governments.”
     “The decision is important for three reasons: it ensures that people’s privacy rights are protected by the laws of their own countries; it helps ensure that the legal protections of the physical world apply in the digital domain; and it paves the way for better solutions to address both privacy and law enforcement needs,” Smith said in a statement.
     U.S. prosecutors initiated the case in late 2013 by seeking the emails, associations, identifying information and contacts of an unknown Microsoft user.
     To this day, the suspect’s national origin is not publicly known, but the Microsoft server storing the target’s information was located in Dublin.
     Microsoft warned that turning over the data would have lasting consequences on Silicon Valley and international relations. It predicted eroded user trust over their private information, and countries upset over the intrusion of their sovereignty.
     U.S. Magistrate Judge James Francis called Microsoft’s objections “simple, perhaps deceptively so,” in an opinion finding that prosecutors’ demand “does not violate the presumption against extraterritorial application of American law.”
     The magistrate adopted the prosecutors’ view that warrants issued under the Stored Communications Act — passed in 1986, long before the age of cloud computing — served a “hybrid” function as a subpoena that had no sovereignty concerns against a U.S. company.
     Shockwaves rippled across Silicon Valley and onto privacy advocates and computing giants after U.S. District Judge Loretta Preska supported this position in July 2014.
     Multibillion-dollar companies like Apple, Amazon, eBay, Verizon and AT&T flooded the Second Circuit with friends-of-the-court briefs urging a reversal, joined by privacy advocates with the American Civil Liberties Union and the Electronic Frontier Foundation.
     A spokeswoman for the foundation cheered the Second Circuit’s “groundbreaking decision” today for helping protect privacy rights around the world.
     “In our amicus brief supporting Microsoft in this case, we urged the court to reject the government’s argument that the search warrant it obtained for email contents was like a subpoena that would require Microsoft to turn over information, regardless of where it was stored,” the EFF said in a statement. “The court recognized the vital privacy protections under the SCA [Stored Communications Act], and correctly ruled that the government can’t use a U.S. search warrant to force Internet service providers to reach email stored outside the U.S.”
     The Irish government submitted a brief opposing the warrant as well, supporting Microsoft’s predictions of diplomatic strain.
     At a September hearing, Microsoft’s lawyer E. Joshua Rosenkranz told the Second Circuit that quashing the demand was a matter of staving off “global chaos.”
     “This is a case about sovereignty,” he said at the time.
     The court found today that Congress could not have imagined these issues coming to a head in crafting the underlying statute.
     “When, in 1986, Congress passed the Stored Communications Act as part of the broader Electronic Communications Privacy Act, its aim was to protect user privacy in the context of new technology that required a user’s interaction with a service provider,” U.S. Circuit Judge Susan Carney wrote for the panel. “Neither explicitly nor implicitly does the statute envision the application of its warrant provisions overseas. Three decades ago, international boundaries were not so routinely crossed as they are today, when service providers rely on worldwide networks of hardware to satisfy users’ 21st-century demands for access and speed and their related, evolving expectations of privacy.”
     Prosecutors typically process international warrants through a Mutual Legal Assistance Treaty, or MLAT, with a specific country.
     Although the United States has an MLAT with Ireland, prosecutors said that these treaties can be unwieldy, delay a criminal investigation, and rely on cooperation from countries that may not want to comply.
     The Second Circuit showed sympathy for that argument, but also for the sovereignty of other nations.
     “Admittedly, we cannot be certain of the scope of the obligations that the laws of a foreign sovereign — and in particular, here, of Ireland or the E.U. — place on a service provider storing digital data or otherwise conducting business within its territory,” the 43-page opinion states. “But we find it difficult to dismiss those interests out of hand on the theory that the foreign sovereign’s interests are unaffected when a United States judge issues an order requiring a service provider to ‘collect’ from servers located overseas and ‘import’ into the United States data, possibly belonging to a foreign citizen, simply because the service provider has a base of operations within the United States.”
     In a concurring opinion, U.S. Circuit Judge Gerard Lynch rejected the view that this was a case of the government trampling on individual privacy.
     “I do not believe that that is a fair characterization of the stakes in this dispute,” Lynch said. “To uphold the warrant here would not undermine basic values of privacy as defined in the Fourth Amendment and in the libertarian traditions of this country.”
     Microsoft conceded that prosecutors would have been able to execute the warrant if the user’s data were held at its Redmond, Wash., headquarters.
     Lynch meanwhile emphasized “that the dispute here is not about privacy, but rather about the international reach of American law.”
     Agreeing that the Stored Communications Act is antiquated, Lynch called for Congress to update it.
     “My point is simply that the main reason that both the majority and I decide this case against the government is that there is no evidence that Congress has ever weighed the costs and benefits of authorizing court orders of the sort at issue in this case,” he wrote. “The SCA became law at a time when there was no reason to do so. But there is reason now, and it is up to Congress to decide whether the benefits of permitting subpoena-like orders of the kind issued here outweigh the costs of doing so.”
     The Manhattan U.S. Attorney’s office declined to comment.

%d bloggers like this: