A US judge has ruled that US-based providers must hand over customer emails even if they are stored in a location overseas.
The decision comes amid a challenge from Microsoft concerning an Ireland-based customer, in which the company claimed that, as the US government does not have jurisdiction overseas, it should not be forced to disclose user data.
Yet Judge James C. Francis has dismissed this claim, further jeopardising the data security of US cloud providers.
Judge Francis explained the issue at stake. “Federal courts are without authority to issue warrants for the search and seizure of property outside the territorial limits of the United States,” he noted. “Therefore, Microsoft concludes, to the extent that the warrant here requires acquisition of information from Dublin, it is unauthorised and must be quashed.”
He continued: “That analysis, while not inconsistent with the statutory language, is undermined by the structure of the SCA (Stored Communications Act), by its legislative history, and by the practical consequences that would flow from adopting it.”
How so? “When the SCA was enacted as part of the ECPA (Electronic Communications Privacy Act), the Senate Report, although it did not address the specific issue of extraterritoriality, reflected an understanding that information was being maintained remotely by third-party entities,” Judge Francis continued.
The judge also noted that, in terms of practical consequences, Google had reportedly explored establishing true ‘offshore’ servers: server farms which are located at sea and not subject to any territorial jurisdiction.
“Even when applied to information that is stored in servers abroad, an SCA Warrant does not violate the presumption against extraterritorial application of American law,” Judge Francis concluded. “Accordingly, Microsoft’s motion to quash in part the warrant at issue is denied.”
Microsoft has hit back at this, with a blog post from deputy general counsel David Howard confirming their intention to appeal.
“When we filed this challenge, we knew the path would need to start with a magistrate judge, and that we’d eventually have the opportunity to bring the issue to a US district court judge and probably to a federal court of appeals,” Howard wrote. “Today the Magistrate Judge, who originally issued the warrant in question, disagreed with our view and rejected our challenge.
“This is the first step toward getting this issue in front of courts that have the authority to correct the government’s longstanding views on the application of search warrants to content stored digitally outside the United States,” he continued.
The upshot of this is potentially bad news for any company that employs a US cloud provider – they might have their data searched and taken at any given moment.
The timing of this judgment is also intriguing. With the days ticking down to the first anniversary of the NSA PRISM revelations – and the reputational damage US CSPs suffered as a result – there’s a genuine interest in how US providers store cloud data.
Have you got any data stored with a US-based cloud provider? Does this ruling worry you?