US judge: Our digital search warrants apply ANYWHERE

Microsoft has been told by a US District Court that it must hand over e-mail details to an unnamed law enforcement agency, even though that data is held offshore. In a case that will exacerbate concerns in non-American countries about the extra-territorial reach of US laws, a magistrate in the District Court of Southern New …

COMMENTS

  1. Anonymous Coward

    Not just a blow to Microsoft's attempts to assure non-US customers

    The ruling is a blow to Google, Apple, Amazon, Facebook, and probably even non-US based companies (though enforcement would be more difficult)

    But really it is a blow to US citizens. At least non-citizens can tell the NSA to fuck off and avoid or minimize data collected/stored on them by these US companies. OK, might be kind of hard to buy a smartphone when you can't go with Android, iOS or Windows Phone, not to mention that you'd be forced to use Yandex or Baidu since there aren't any non-US English search engines (to my knowledge) but I guess you gotta pick your battles...

    1. bazza Silver badge

      Re: Not just a blow to Microsoft's attempts to assure non-US customers

      Perhaps it's time for the Family Cloud. I'll explain...

      There's a Linux distro called Zentyal that comes with an open source clone of MS Exchange called OpenChange. There's something else in it too called SOGo that apparently adds ActiveSync, CalDAV, CardDAV, etc; ideal for mobiles. This plus a light dusting of a domain name and dynamic DNS could form the basis of a small home server that offers cloud-like things (storage, mail, contacts, etc), and could connect to and sync with other home servers at your parents', brother's, etc.

      In short, how hard would it be to do a strictly peer to peer small scale cloud that is hosted on small home servers in our own family homes with access restricted to the family + selected friends? Not very, the right ingredients seem to exist though no doubt there'd be a bunch of work to do. But it would mean that you and your whole family know exactly where your data is at any one time.

      Oh, and if there were such a thing and it worked well that would be a real alternative to the big US owned services like MS, Google, Apple, Amazon, etc. This court ruling is bad news for those companies because it completely undermines their attempts to portray your data as being safe and sound in their custody. What I've outlined above is a way for an alternative to be provided without the need to build huge data centres all over the world.

      1. Anonymous Coward

        Re: Not just a blow to Microsoft's attempts to assure non-US customers

        A good idea, although I would drop the likes of OpenChange (which just entrenches MS's broken implementations) for something like Postfix+Dovecot. Chuck in some ownCloud and SugarSync goodness and things are a go.

        If, of course, you have about £1,000 to spend on start-up and about £1,000 to spend on maintenance every year. Note for pedants: Costs include equipment, ISPs, domains, certs, utilities, your time etc.

        Considering that most users struggle to run Windows updates; how likely is it that they will be able to correctly configure, maintain and back-up a Linux install?

      2. Anonymous Coward

        Re: family cloud

        You can do this already on your average NAS, but you end up with the same problems that cause small companies to outsource some needs: competence and efficiency.

        You'd have to be really well up with your family to explain why they cannot get to their holiday snaps when the thing goes offline while you're at work or on holiday, you need a fixed IP or a DynDNS setup and you assume you have the competence, patience and time to keep it all safe from online jerks who love nothing more than to abuse your resources for spam and storing snaps that are NOT family compatible.

        This is why even the smaller ISPs exist: they run this stuff, keep it safe and do it at a volume that means it's not costing too much. The problem is, however, that if you use an ISP or service provider which is exposed to ANY US leverage, your data can be obtained without too much effort by people who think that Captain America is for real.

        Well, screw that. It's really time privacy is becoming an important election item, maybe even in the US.

        1. Commenter
          Linux

          Re: family cloud

          Question: is there any way for an American to "subscribe" to non-US ISPs, like say XS4ALL in the Netherlands or Free in France? Or is the closest thing subscribing to a non-US VPN service, like the ones listed in this article?

          http://www.torrentfreak.com/which-vpn-services-take-your-anonymity-seriously-2014-edition-140315/

      3. goldcd

        All very lovely

        But there's no shortage in the world of mail/calendar/whatever servers.

        What I'd fancy is something that came with the cloudstuff baked in. E.g. I want 500 Gigs of 'backed up storage' for my apps - I maybe allocate 2TB of disk space to the project, and it meshes with other like-minded people. Manages the distribution across the peer-cloud, and encrypts the life out of it.

        Basically I can shout to the world I want my data and push out my public key, and the world gives me back my data.

        Hmm. Something like this must exist - so I'll stop looking ignorant and have a google.

        1. goldcd

          Arse

          I can't find it.

          Could some friendly startup assist me - the idea is gratis.

          Identify your files with something portable (~torrent magnet) and pull your stuff back from the cloud as needed. Rank clients based on bandwidth and uptime (higher it is, the less your storage allocation to storage ratio). 'Cloud' would also dynamically reallocate your files - it notices your storage hosts are vanishing and automatically starts distributing your files.

          1. Jamie Jones Silver badge

            Re: Arse

            You've basically described Freenet, which is a sort of p2p cloud storage based on file hashes...

            From: http://en.wikipedia.org/wiki/Freenet:

            Freenet is a peer-to-peer platform for censorship-resistant communication. It uses a decentralized distributed data store to store information, and has a suite of free software for working with this data store.

            Freenet works by storing small encrypted snippets of content distributed on the computers of its users and connecting only through intermediate computers which pass on requests for content and sending them back without knowing the contents of the full file, similar to how routers on the Internet route packets without knowing anything about files—except with caching, a layer of strong encryption, and without reliance on centralized structures. This allows users to publish anonymously or retrieve various kinds of information.

            https://freenetproject.org/

        2. Anonymous Coward

          Re: All very lovely

          Would ownCloud fit your requirements?

        3. This post has been deleted by its author

      4. Sirius Lee

        Re: Not just a blow to Microsoft's attempts to assure non-US customers

        @bazza Assuming that an Exchange clone is not a requirement and that some other mail server (Exim, Postfix, etc) will do, then this has been possible for years. The technical burden of maintaining a Linux system notwithstanding, the reason this approach is not mainstream is that it assumes your connection is always on. Now I use Virgin Media at home and before that BT Home. I can assure you that they are not always on. Therefore it is necessary to have an SMTP endpoint outside your house at which point you are back to square one. And with a maintenance headache.

    2. Jess

      Re: Not just a blow to Microsoft's attempts to assure non-US customers

      I'm typing this on a non American smartphone. A BlackBerry. Certainly much nicer than a Samsung. And better sound quality than an iPhone.

      1. Anonymous Coward

        Re: Not just a blow to Microsoft's attempts to assure non-US customers

        You know BB10 was already fully rooted and has about 40 known security vulnerabilities already?

        1. Anonymous Coward

          Re: BB10 was already fully rooted and has about 40 known security vulnerabilities

          Yeah, compared to probably over a hundred known vulnerabilities in Android & Co. BTW: what BB10 release are you talking about? BB10 does get regular software updates (which unlike with Android don't potentially make your handset obsolete) and we've left the original and admittedly buggy 10.0 release way behind.

          The fact remains that Blackberry takes security much more seriously than any other smartphone OS vendor out there (the NSA could only tap Merkel's Nokia phone but not her Blackberry Z10, and so far all other platforms have failed to get approval for areas where Blackberry is the only option). And I guess being a Canadian and not an American firm does help to maintain that reputation.

    3. Anonymous Coward

      Re: Not just a blow to Microsoft's attempts to assure non-US customers

      The EU simply needs to make supplying or facilitating the supply of such data a much more serious crime with much longer prison sentences and much larger company penalties than to not do so in the US. Problem solved.

      1. James Micallef Silver badge

        Re: Not just a blow to Microsoft's attempts to assure non-US customers

        "The EU simply needs to make supplying or facilitating the supply of such data a much more serious crime with much longer prison sentences and much larger company penalties than to not do so in the US. Problem solved."

        At what point will this turn into a jurisdictional battle? If EU says data from Ireland (EU) can't be validly searched based on a US search warrant, and US says that its warrant is valid on all data worldwide*, what happens? If someone in the US can be prosecutable in EU for retrieving such data, and prosecutable in US for NOT retrieving such data, it's madness.

        More curious as to how the US will look at opposite claims ie if Russia or China lay claim to data of Russian / Chinese clients or companies held on US-based datacenters of Russian/Chinese companies (possibly with US parent company)?

        *as long as it's retrievable from the US, I guess?

        1. Anonymous Coward

          Re: Not just a blow to Microsoft's attempts to assure non-US customers

          "If EU says data from Ireland (EU) can't be validly searched based on a US search warrant, and US says that its warrant is valid on all data worldwide*, what happens?"

          Then the USA (or their trained attack puppy the UK) will just grab the data. Nothing must stand in the way of USA jurisdiction.

          "More curious as to how the US will look at opposite claims ie if Russia or China lay claim to data of Russian / Chinese clients or companies held on US-based datacenters of Russian/Chinese companies (possibly with US parent company)?"

          Those will be blocked. No one other than the USA may spy on USA citizens. This is why the USA demands one-sided treaties. Just ask their attack-puppy.

          1. a53

            Re: Not just a blow to Microsoft's attempts to assure non-US customers

            Home of the attack puppy.

            Will just roll over and do whatever the land of the free requests.

            Sadly.

        2. Anonymous Coward

          Re: Not just a blow to Microsoft's attempts to assure non-US customers

          "At what point will this turn into a jurisdictional battle? If EU says data from Ireland (EU) can't be validly searched based on a US search warrant, and US says that its warrant is valid on all data worldwide*, what happens? If someone in the US can be prosecutable in EU for retrieving such data, and prosecutable in US for NOT retrieving such data, it's madness."

          It already IS a battle. Why do you think the EU has been throwing bricks at the US' attempt to renew Unsafe Harbor and the unsavoury extrajudicial information theft efforts disclosed by Snowden?

          For the first time in decades, the EU finds itself with serious political leverage to stop the US from its traditional grabbing whatever the hell it wants under threat of blackmail and trade sanctions (which is what gave us Unsafe Harbor v1), and it's turned into quite a fight, a fight started by Google flat out ignoring coordinated warnings from CNIL they had to do better re. privacy.

          As observed above, this is not a small fight, ladies & gentlemen - this is hardcore. This is a fight about the very ability of any US company hosting data and services to supply to EU clients. Given the size of that market, this could very well kill off quite a few of them, not in the least because the EU stance could encourage other governments to finally end their leniency as well.

          As it stands, US federal law actively prevents any US company in several ways from credibly claiming they can protect privacy, and thus any EU company that makes the mistake of using a US provider will be immediately in breach of EU regulations. The US cannot fix that problem overnight (they are, however, trying to bury it under a load of BS such as FTC enforcement and some state privacy laws), so expect other "solutions" to emerge.

          I'm not normally much into law or politics, but ever since 9/11 I started paying attention, because there was far too much talk about ends justifying the means, and super powers which would be "temporary".

          1. Yet Another Anonymous coward Silver badge

            Re: Not just a blow to Microsoft's attempts to assure non-US customers

            >Then the USA (or their trained attack puppy the UK) will just grab the data.

            >Nothing must stand in the way of USA jurisdiction.

            That's what was more worrying about this - it isn't the NSA or CIA grabbing the data, we know they are above the law. This was a low level judge in a local court. Suppose some judge in East Texas as a favour to a golf buddy decides that all your medical data is subject to a warrant from his friends in a local insurance company?

            If it is hosted by a company that has a single US office, or possibly a single US citizen on the board then, it's free

        3. Sirius Lee

          Re: Not just a blow to Microsoft's attempts to assure non-US customers

          It seems to me the solution is logically simple, if not politically so. The solution is for jurisdictions like the EU (or China or India or Australia, etc.) to only allow a company to claim they store data within that jurisdiction if they are able to do so legally. That is, they can demonstrate there is no tie to another jurisdiction which might make it possible for the company to be required to let an extra-judicial authority access the data. Then a Microsoft could store data in, say, Ireland but could not make claims about limits of access.

          But maybe we in the EU have only ourselves to blame. Why is it that we use services offered by Microsoft, Google, Apple, Facebook, etc. and not those of an EU supplier? One reason is cost. Most services offered by EU vendors are substantially more expensive.

    4. Dazed and Confused

      Re: Not just a blow to Microsoft's attempts to assure non-US customers

      > The ruling is a blow to Google, Apple, Amazon, Facebook, and probably even non-US based companies (though enforcement would be more difficult)

      Big blow, sounds like they are ripe to end up piggy in the middle here. The victim of this intrusion can presumably sue MS for non adherence to EU data protection laws.

    5. Anonymous Coward

      Re: Not just a blow to Microsoft's attempts to assure non-US customers

      This ruling is like the proverbial stake through the heart of the strangely persistent myth that any US company or multinational with US headquarters can credibly protect any personal or corporate data.

      Or, let me translate that: this ruling has in one stroke declared the whole of Silicon Valley and any US partnering off-limits for EU companies holding client data or IP that needs protecting - also because the US arm providing the data will thus cause the supplying EU entity to break EU law.

      1. Anonymous Coward

        Re: Not just a blow to Microsoft's attempts to assure non-US customers

        Perhaps so, but that won't stop the NHS or HMRC from using US companies.

        1. PatientOne

          Re: Not just a blow to Microsoft's attempts to assure non-US customers

          "Perhaps so, but that won't stop the NHS or HMRC from using US companies."

          Nope, but Safe Harbour requirements might.

          1. Anonymous Coward

            Re: Not just a blow to Microsoft's attempts to assure non-US customers

            "Nope, but Safe Harbour requirements might."

            HAH! HMRC sold their buildings to a company running from a tax haven and the NHS is keen to sell private medical data for profit.

            Neither of these organisations give two shits.

        2. Anonymous Coward

          Re: Not just a blow to Microsoft's attempts to assure non-US customers

          But it will stop those of us working for said US companies on government projects from facilitating any data transfer - and informing the authorities if attempts are made to sideline us. British IT workers do have some backbone and morals, even if some of us work for foreign companies.

    6. Anonymous Coward

      Re: Not just a blow to Microsoft's attempts to assure non-US customers

      "there aren't any non-US English search engines (to my knowledge)"

      https://www.ixquick.com/

    7. Commenter

      Re: Not just a blow to Microsoft's attempts to assure non-US customers

      "not to mention that you'd be forced to use Yandex or Baidu since there aren't any non-US English search engines (to my knowledge)"

      You haven't heard of IxQuick.com, based in the Netherlands? Its sister site StartPage.com gives you Google results, but encrypted and safe from Google's prying eyes. They are soon to release a (paid, but everything free really seems to come at a hefty price otherwise) encrypted email service called StartMail.

      Now, this is going to sound reeeeally far-fetched and nasty, but maybe the U.S. should have been subjugated by that mustachioed Austrian tyrant 70 years ago. Seems that all the countries that were -- Germany, the Netherlands, Norway, Sweden, Poland (etc.) -- are practically Banksyesque in their obsession with privacy. Or maybe it's just that the U.S. government is comprised of a bunch of greedy, hegemonic SOBs who still, to this very day, practice many of the same tactics as totalitarianists in the name of "enduring freedom." Whatever that is.

    8. Paul 77

      Re: Not just a blow to Microsoft's attempts to assure non-US customers

      If you do want a non-iOS & non-Android phone, there is always the Jolla (www.jolla.com). I have one and it's not bad. The software is still a work in progress, but I like it.

  2. Anonymous Coward

    In the interests of efficiency

    Every other country where US firms have a presence should apply the same law.

    Local Microsoft/Amazon/Google entity? Any search warrant from local law enforcement applies to any datacentre globally, including the US.

    See how the US likes the look of that efficiency argument then.

    1. Mark 85

      Re: In the interests of efficiency

      It probably won't bother the US government as much as the people and the companies. There's a cost involved to the companies and that will be passed on to the customer. Then there's the privacy and sovereignty issues...

      But, if we can do it, so can every other country in the name of crime-fighting. So if you have nothing to hide and have done no wrong, you have nothing to fear... right? </sarcasm>

      1. This post has been deleted by its author

      2. Anonymous Coward

        Re: In the interests of efficiency

        As an example off the top of my head:

        Amazon have been building a cloud service for the CIA and IBM/hp/Microsoft have many government assets including federal email contracts. Say the German government had reason to suspect that US agents had been gathering intelligence through illegal means (far-fetched as that sounds) they could use a law like this to compel those US firms to release data held in the US that is pertinent.

        They obviously wouldn't comply, and it would cause an unholy shitstorm, but that's why this ruling is so dumb. Using multinationals as an extension of your intelligence services is not going to work out well for anyone.

        1. Anonymous Coward

          Re: In the interests of efficiency

          > Using multinationals as an extension of your intelligence services is not going to work out well for anyone.

          Just to say that intelligence services have been subcontracted for years (all collection, analysis and handling aspects--e.g., see who Mr. Snowden used to work for). The actual government intelligence agencies are essentially mere administrative centres manned by 9-to-5 pen-pushing civil servants.

    2. codejunky Silver badge

      Re: In the interests of efficiency

      @AC

      "Every other country where US firms have a presence should apply the same law.

      Local Microsoft/Amazon/Google entity? Any search warrant from local law enforcement applies to any datacentre globally, including the US.

      See how the US likes the look of that efficiency argument then."

      That is asking something dangerous. Our countries would love to do that I bet and having public backing is justification for many wrongs. Instead heavily taxing US companies outside of the US for the additional data regulation and protections (or some other excuse) should change the mind of the US.

    3. Anonymous Coward

      Re: In the interests of efficiency

      Much as I agree with the sentiment of your post it wouldn't faze the US at all.

      They would just ignore any requests quoting national interest, which can encompass anything from panic about terrorists to losing money for Apple. (See Gitmo or the refusal to join the ICC as examples)

      1. bigtimehustler

        Re: In the interests of efficiency

        But it isn't the US that will receive the request, it is the company in question. When they do not comply their local office will be slapped with a huge fine and a contempt of court charge.

        1. Anonymous Coward

          Re: In the interests of efficiency

          Maybe so but a threat to the American board members under the Patriot Act will make them do as they are told (and that act covers a LOT of ground), and the data would have been handed over anyway.

          As for any fine, it's a cost of doing and staying in business.

        2. Intractable Potsherd

          Re: In the interests of efficiency @bigtimehustler

          Not fines - as mentioned before, they are simply costs. Personal liability for the directors and staff working in the country where the breach took place in the form of arrest, bail restrictions, and a court hearing with the possibility of custodial sentences - that might focus their minds.

  3. Number6

    Conflicting Laws

    What happens if one of these offshore countries has a law that makes it illegal to hand over data without obtaining permission in the local courts? That one could get interesting.

    1. Frank Zuiderduin

      Re: Conflicting Laws

      As far as I am aware this already applies to most countries. Interesting? Not really. End of story for american companies trying to be used abroad? Probably not, though it should be, as the u.s. of assholes has now publicly declared it cannot be trusted.

    2. Apdsmith

      Re: Conflicting Laws

      Hi Number6,

      Obviously it'd depend upon the firm's legal department, but the key point is that US authorities will be able to get at senior officers of the firm, so, if that was me, I'd rather not go on record as being the person to decide not to comply with a subpoena. Is that a "do not pass go" contempt of court to do that?

      Which is a shame really, as it's just reinforcing the perception that - even if they didn't want to - US firms are legally required to place zero value on your privacy (as an individual) or your commercial confidences (if you're a firm) - so if you have competition in the US, the only safe option is not to use any US-affiliated firm for storage or compute.

      Ad

    3. Crisp

      Re: Conflicting Laws

      Good point Number 6!

      Can American courts compel a citizen to commit a crime in another country? I can't wait to find out the answer!

      1. Paul Smith

        Re: Conflicting Laws

        "Can American courts compel a citizen to commit a crime in another country? I can't wait to find out the answer!"

        Yes.

        American law does not recognise non-American law or jurisdiction. Their law is written as if it is the only law.

        1. Fred Flintstone Gold badge

          Re: Conflicting Laws

          "American law does not recognise non-American law or jurisdiction. Their law is written as if it is the only law."

          They pretty much behave like that too :(

      2. Psyx

        Re: Conflicting Laws

        "Can American courts compel a citizen to commit a crime in another country?"

        Yes. Mainly based on the fact that the citizen is *here* [US] and can be sent to jail, whereas the place they might be breaking the law is a safe ocean away. That's the way most people who it affects will see it: Better to break a law without consequence or reach than the one in which one lives.

        1. Anonymous Coward

          Re: Conflicting Laws

          > Better to break a law without consequence or reach than the one in which one lives.

          It would pretty much bar them from ever visiting that country though.

          1. Psyx
            Happy

            Re: Conflicting Laws

            All the more reason to keep your data in Wales.

    4. Tom 7

      Re: Conflicting Laws

      There's probably a clause in the TPP and the TTIP that says 'How high?' and another that sets roll-over for every country to several billion rad/s to confuse the politicians.

  4. Richard Jones 1
    Unhappy

    Who did not see this one coming?

    As someone far from the signed up tin foil hat brigade, to me this was just a public display of the imperial actions expected from the US. I am totally unsurprised.

    No doubt Putin will restart his murder on the streets campaign as demonstrated several times in London - not that he ever stopped

    1. Anonymous Coward

      Re: Who did not see this one coming?

      "No doubt Putin will restart his murder on the streets campaign as demonstrated several times in London - not that he ever stopped"

      Sorry, I don't seem to have enough caffeine in my blood yet to enable me to track how this relates to the topic at hand. Care to elaborate?

      1. Psyx

        Re: Who did not see this one coming?

        "Sorry, I don't seem to have enough caffeine in my blood yet to enable me to track how this relates to the topic at hand. Care to elaborate?"

        I think that he means that breaking another nation's data security laws is the same as using state employed assassins to murder civilians on the streets of another country.

        I was enjoying this packet of Frazzles, but I've now realised that eating them is just the same as wading into a pig pen with a pair of machetes, high on PCP, sating my hunger with raw liver, torn from the corpse with my teeth.

        1. Commenter

          Re: Who did not see this one coming?

          "I was enjoying this packet of Frazzles, but I've now realised that eating them is just the same as wading into a pig pen with a pair of machetes, high on PCP, sating my hunger with raw liver, torn from the corpse with my teeth."

          I love the way you Britishers talk (comment?). You guys are so much more eloquent and witty than the 'Murkans. You should see the kind of incoherent crap that Yahooligans and Fox News fanatics spew. Nowhere near as entertaining as that comment. I'm officially stealing it for my tombstone.

      2. Richard Jones 1

        Re: Who did not see this one coming?

        Sorry if that was too simple for you, since the USA has shown utter contempt for the laws of ALL other countries why should the Union of Slave and Subservient Republics under Putin not continue to do the same? If someone in another country annoys you just murder them, after all the native laws of that country do not matter. He has form refusing to extradite any of his natives when they commit crimes including murder in another country.

        Most would recognise the Yank action as confirming a very dangerous status quo -

        'The laws of other countries, whatever they are do not apply to the USA'.

        The rest of the world should, (but will not) go equal opportunity, if we do not like the anti British rhetoric and anti competitive Obama ignore all the crapple patents and tax all revenue generated within the UK by all US companies as though it was generated here, which it was. Apply a 100% surcharge for each of the past year's transgressions plus interest. This should pay off most of the national debt, which of course would no longer be recognised under our new laws, if it is not owed here it is not owed at all.

        Apply that to the Russians as well, the property they bought must have come from criminal activity so they no longer own it, bank accounts, they do not own them either.

        This is where not recognising laws should logically take you, even if you are a dumb arse like the prat in a court in the bad old United States of Arrogance.

        There, simple enough for you.

  5. A Non e-mouse Silver badge

    Is the Microsoft that holds the data in Dublin the same Microsoft that is based in Dublin? After all, aren't separate companies part of the way that multinationals avoid^H^H^H^H^H reduce their tax bill?

    If they are different companies how can one be forced to follow the court order given to another?

    1. Anonymous Coward

      "Is the Microsoft that holds the data in Dublin the same Microsoft that is based in Dublin? After all, aren't separate companies part of the way that multinationals avoid^H^H^H^H^H reduce their tax bill?

      If they are different companies how can one be forced to follow the court order given to another?"

      Perhaps in granting himself - sorry, his court - jurisdiction over all of Microsoft's international entities as you point out, he is merely showing his desire to accept personal liability for their entire global tax bill? Was he acting on behalf of the state or federal system - we need to know on whose behalf he has accepted that bill? Clearly by saying that his court has rights he is also accepting it has responsibilities, as the two automatically go hand in hand, so all the rest of the world needs to know is where to mail that bill and to whom it should be addressed; if he didn't mean to accept the responsibility for the bill on behalf of other US citizens, he simply has to pay it personally. Easy.

      We'll take a cheque.

  6. JimC

    inevitable

    There's no way in the long run that governments will be prepared to live with a situation where law and tax breakers and evaders ( multinationals that's you as well as the Criminals) take advantage of national boundaries to evade oversight. We'd soon end up with Panamanian or Liberian data centres of convenience...

    If you provide the service to customers in the UK, or USA, or Western Moldoslovakia or what you should and eventually will be under the oversight of their tax and legal authorities, no matter where the boxes are. In a cloud world nothing else makes sense.

    1. jonathanb Silver badge

      Re: inevitable

      But a data centre in one of those countries that was owned and run by local people would still be outside the reach of US laws.

      1. Anonymous Coward
        Anonymous Coward

        Re: inevitable

        "But a data centre in one of those countries that was owned and run by local people would still be outside the reach of US laws."

        Yep - and you would need to manage the access control / security with something with proper Constrained Delegation like Windows Server / Active Directory to ensure that remote administrators and other IT staff can't access the data they are not supposed to.

        1. Anonymous Coward
          Anonymous Coward

          Re: inevitable

          Yep - and you would need to manage the access control / security with something with proper Constrained Delegation like Windows Server / Active Directory

          You would *cough* use a *cough* Microsoft product for such levels of security?

          Bwahahaha...

    2. Rol

      Re: inevitable

      The article doesn't make it clear they are chasing domestic data in foreign lands. Indeed it comes across as chasing foreign data in foreign lands, without the decency to consider asking the foreign courts' permission.

      We really need to distance ourselves from this rogue state's petulant behaviour and start to consider creating an international state, with its own regulations, to govern the whole world's internet activity.

      At present we have an international community governed by some 193 individual countries, all eager to suck up that data under any pretence with no arbiter in place to counter excessive or unjustified intrusion.

      Once your data is travelling along the wires, it should come under the sole jurisdiction of an International body, that can demand individual nations conform to data protection rules under penalty of being dos'd into oblivion.

      For now, it seems, manoeuvring your data away from American companies is all you can do.

      1. Anonymous Coward
        Anonymous Coward

        Re: inevitable

        "they are chasing domestic data in foreign lands"

        In foreign lands = no longer "domestic" data.

      2. Cynical Observer
        FAIL

        Re: inevitable

        @ Rol

        Lovely idea - but....

        The US refuses to become subject to the jurisdiction of an international body such as the International Criminal Court. What makes you think that they would ever respect any sort of Internet Governance body that issued rules on data protection that were inconvenient?

    3. Otto is a bear.

      Re: inevitable

      If something is held in another country, you must go through due process in that country to enable law enforcement access, that due process might be a treaty that says a warrant issued in one country is also valid in another, or it might be that you have to obtain a warrant in both. What's wrong here is a US judge making international law on the fly.

      JimC is right, you can't allow multi-nationals to move stuff offshore to prevent government oversight, otherwise you would have a situation where all business was transacted off shore, and would thus be out of the reach of any government. US business done in Ireland, Irish business done in the US. Thus no tax, no consumer protection, no law enforcement.

      What you need is a proper treaty that says that a transaction is subject to the domestic law of the country in which it originates. So an eMail sent from a terminal in a country is subject to that country's laws even if the server is in another country. This is actually fair.

    4. Gordon 10
      Stop

      Re: inevitable

      @JimC

      You've missed the point somewhat. There are already access procedures and laws in place that cover this sort of thing - so your point is somewhat moot.

      The story is about a narrow minded judge using a very broad interpretation of a USA-ian law to try to do an end run around international law and treaties probably in the interests of a TLA who has dirt on him.

      1. Anonymous Coward
        Anonymous Coward

        Re: inevitable

        You've missed the point somewhat. There are already access procedures and laws in place that cover this sort of thing

        Yes and no - there is some slippage in that protection that mainly has to do with the exact avoidance scenario on display. If you are a US company that hosts its data in another country, that data is still seen to be owned by the US company - this even applies under Swiss data protection laws.

        Hosting abroad doesn't absolve you from your responsibilities under local law to produce data when ordered, which makes sense. What you can NOT be asked to do is provide data of another owner, because that would be inciting you to commit a crime (I suspect that that doesn't mean you may not be "encouraged" to do this anyway if you have the ability).

        This is why having a HQ in the US is not good news for a multinational: it means you own the data globally, and can thus be legally leveraged into providing access. If your HQ is elsewhere and you host US data, you're well advised to make sure that is properly segregated from the rest of your data storage and cannot be used as a staging post for hacking into the rest.

      2. Frumious Bandersnatch

        Re: inevitable

        The story is about a narrow minded judge using a very broad interpretation of a USA-ian law to try to do an end run around international law and treaties

        It's not the first time this has happened. From an old article here: Kentucky judge OKs 141-site net casino land grab. It's almost as if concepts like non-USA law and territoriality don't exist.

        1. cortland

          Re: inevitable

          Izzit?

          http://www.onlinepokerreport.com/12156/pokerstars-california-partnership-morongo/

    5. Roland6 Silver badge

      Re: inevitable

      >We'd soon end up with Panamanian or Liberian data centres of convenience...

      I suggest you read Bruce Sterling - Islands in the Net (1988) and focus on the data havens...

      1. Gordon 10

        Re: inevitable

        Or the much aborted plans for SeaLand.

    6. Anonymous Coward
      Anonymous Coward

      Re: inevitable

      There's no way in the long run that governments will be prepared to live with a situation where law and tax breakers and evaders ( multinationals that's you as well as the Criminals) take advantage of national boundaries to evade oversight.

      The problem is that it's the law makers who are (a) avoiding oversight and (b) seek to avoid probable cause and due process with their surveillance dragnets. Nobody is against proper law enforcement (OK, apart from those with criminal intent), but what we have here is hardcore abuse of powers and a flagrant ignoring of morality. People outside the US are getting sick to the teeth of this sanctimonious BS about "protecting democracy" and "protecting Human Rights" when it becomes more and more apparent that the day job of most of these people seems to be mainly the opposite.

    7. Yet Another Anonymous coward Silver badge

      Re: inevitable

      Why not - half the cabinet seem to live off shore in tax havens.

      I don't see Britain invading Jersey or the Isle of Man

      1. Anonymous Coward
        Anonymous Coward

        Re: inevitable

        Just Afghanistan, Iraq, Libya and Syria.

  7. Nuno trancoso

    Foot, meet (another) bullet...

    Seems to me that they are making an already strong case for preemptive (read: before cloud) data encryption even stronger.

    If the world at large goes into strong encryption as default, then will the NSA and likes really be in a s**thole as there won't be enough processing power to make sense out of the digital noise, thus, then will their funding shrink back to "normal spy agency" level as throwing more funds into it would just be a case of throwing good money after bad.

    1. Yet Another Anonymous coward Silver badge

      Re: Foot, meet (another) bullet...

      Tricky to run an application on a cloud server if the data is encrypted in such a way that the cloud server doesn't have access to the keys.

      It can be done - for a very small value of done - but it isn't easy

  8. Destroy All Monsters Silver badge
    Holmes

    "The judge's reasoning is based on an efficiency argument"

    Ah efficiency. So beloved by the effectuators of the third reich.

    The "rule of men, not the rule of law", indeed.

    1. vagabondo
      Coat

      Re: "The judge's reasoning is based on an efficiency argument"

      It would be even more efficient to dispense with evidence and the hassle of trials altogether. Why not use the DMCA reasoning, and just allow licenced organisations to decide on guilt and punishment. "Justice" Licences could be bid for and sold in much the same way as radio bandwidth.

      1. Christoph

        Re: "The judge's reasoning is based on an efficiency argument"

        "law enforcement efforts would be seriously impeded"

        Yes, I imagine they would be. Just as they are seriously impeded by not being allowed to round up everyone within a mile of a crime incident and torture them until someone confesses.

        Law enforcement is supposed to be impeded by civil rights. The police and courts are deliberately limited in their powers.

  9. Anonymous Coward
    Anonymous Coward

    The company has criticised countries like Australia for policies that require government data to be stored locally: now, it will be fighting a ruling that extends US search warrants' reach into offshore data centres.

    The Australians (and everyone else) are going to need to review that policy, with rulings such as this it will no longer be good enough to just store data locally, it'll have to be stored locally by a company who operates only in Australia.

  10. NT1

    Legal Entity

    Surely Microsoft will just have to set up a legal entity which it "works with" offshore and therefore cannot access data without that entity's permission in that offshore country. A legal device to mitigate these concerns for overseas customers?

    1. Fred Flintstone Gold badge

      Re: Legal Entity

      Surely Microsoft will just have to set up a legal entity which it "works with" offshore and therefore cannot access data without that entity's permission in that offshore country. A legal device to mitigate these concerns for overseas customers?

      The problem is that such an entity really has to be really standalone or it will be seen as a device to deliberately circumvent the law (otherwise every crook would do this). As soon as you own a chunk of that entity, the protection no longer exists.

  11. T I M B O

    Not just a blow to Microsoft's attempts to assure non-US customers

    Well I knew & I think we all knew this was going to happen. What I did not realize was that the US are so bold to do this in the open as they do and wash over every other privacy law. I always thought they would snoop and do it quietly as they normally do. I have never used cloud, I will never use cloud and all because of the Americans doing just what they like. Always keep your data with you no matter how safe you think these other clouds are, nothing is safe from the paranoid, overbearing YANKS!!

  12. Anonymous Coward
    Anonymous Coward

    the burden on the government would be substantial

    This is a brilliant argument. By extension, they should issue some laws to compel criminals to turn themselves in to the nearest law enforcement agency post to save them money on investigating and then prosecuting. Mete out the (harsh) sentence to themselves and incarcerate themselves at their own expense, in not-so-rare instances injecting themselves with an appropriate lethal concoction and burying themselves, hopefully abroad, to save the State cost of a burial.

    And then they came for the judges...

    1. Fred Flintstone Gold badge

      Re: the burden on the government would be substantial

      Mete out the (harsh) sentence to themselves and incarcerate themselves at their own expense, in not-so-rare instances injecting themselves with an appropriate lethal concoction and burying themselves, hopefully abroad, to save the State cost of a burial.

      I think you have just nailed why they have not been able to implement proper gun control laws. Thanks, it had me puzzled.

  13. Tony Paulazzo

    America, Fuck yea!

    Under EU law, personal data can only be gathered legally under strict conditions, for a legitimate purpose...

    Individuals might also be unwilling to transfer personal data abroad if they were uncertain about the level of protection in other countries...

    The EU's Data Protection Directive also foresees specific rules for the transfer of personal data outside the EU to ensure the best possible protection of your data when it is exported abroad...

    Last update: 25/11/2013

    So if the above is true, MS (and whoever), would have to break EU law to satisfy American law. Holland has already stated Dutch government will not be using Google / MS etc cloud services due to the Patriot Act - and, even tho' under no illusion of UK privacy, I feel the British government should follow suit, to remain within EU law.

    America is fast becoming a rogue state and the sooner we sever ties with them the better, IMHO.

    I sincerely hope the American people can do what they did before and rid themselves of a cancerous ruling elite (and that's from a Brit!).

    1. Anonymous Coward
      Anonymous Coward

      Re: America, Fuck yea!

      There are actually a grand total of 5 US laws that actively get in the way of any claim by a US company that it can protect your information. What is interesting is that they are federal laws, so it's not a problem that will be fixed overnight...

    2. Anonymous Coward
      Anonymous Coward

      Re: America, Fuck yea!

      Just don't visit the US or you might find yourself with a one-way ticket to Gitmo.

  14. John Smith 19 Gold badge
    Unhappy

    US Company + THE PATRIOT Act + Federal Law Enforcement =

    All your data belong to us.

    And until that's repealed it always will.

    American Official in American Court >> Local privacy law.

    Your options are a) Live with it and accept that anything in your MS run email system is available to the USG or b) Keep your email system in house.

    The choice is yours.

  15. Anonymous Coward
    Anonymous Coward

    The questions which immediately come up are:

    - Is the "unnamed individual" a US citizen?

    - Would this global reach of US law enforcement extend to companies which aren't US companies (or subsidiaries of US companies)?

    If the "unnamed individual" is a US citizen or resident, and used facilities abroad, then the data should indeed be handed over as M$ is US based, too.

    However, if the "unnamed individual" is not a US citizen or at least resident and/or the data was stored with a non-US company abroad, then all US law enforcement is entitled to get is a polite "Fuck off!"

    The article doesn't make it quite clear, whether the judge's decision only extends to US companies abroad, or indeed any company anywhere, and who they are after. It's quite important though, because establishing this sort of global reach and expecting to get access to any data regardless of where it is and with whom it is stored, is borderline insane. (Though it's not unimaginable, unfortunately.)

    1. Davidoff

      Re: If the "unnamed individual" is US citizen then the data should indeed be handed over

      So by your logic if, say, a Pakistani man is caught stealing in the UK we should chop off his hands or give him 100 lashes as per Pakistani law? How about, say, a Pakistani woman living in the UK who owns a cell phone? Should we stone her to death? After all it's Pakistani law, right?

      Aside from some parts that regulate immigration affairs, laws and punishments are generally independent of the nationality of the perpetrator, which is a good thing. It really does not matter if MS is an Irish or American company, or if the data owner is Irish or American. The only relevant fact should be the location of the data. And as this happens to be Ireland then the only law that is relevant is Irish law.

  16. cortland

    Even worse

    If the US successfully asserts extraterritoriality for its laws abroad, it opens the door for everyone else to do so here.

    Sharia, anyone? Licenses for stage plays and films? Lawsuits by offended oligarchs overseas? Oy!

    1. Anonymous Coward
      Anonymous Coward

      Re: Even worse

      Think of all the female drivers we'd have to stone to death

  17. All names Taken
    Joke

    We knew that all along

    Well didn't we?

    The only shocking thing was the intake of breath when we heard it for real no?

    I suppose a reasoned person might wish to think about causation and application.

    For example, defence (which also perversely means offence), legal (which also conversely means illegal), and security (which also inversely means insecurity).

    But here in the UK we know that because we have Royalty that is not royal and does what it's told otherwise it gets allowances cut, elected parliament (well, one of them) that does what it's told by its loyal civilia servantia or gets diselected next time or far worse than that: exposed in the Times!

    And civil servantia that rules it all but prefers to be discreetly avoided in all communications (unless the BBC intends to make it a "commercial" feature for broadcast know wot I meen 'arry?)

  18. bigtimehustler

    Indeed, the problem here is that it is the due process of the country whose physical space is being used to host the said data that is being bypassed. This will violate that country's laws and so place US companies in a situation where they can not do right. This has been a problem brewing for a while with internet based information, whose laws can apply when laws are often in conflict across different countries. To make good in one state can often be to make bad in another, you can't run a different website or data centre or whatever might be in dispute in every country you operate in. Something has to change.

  19. Anonymous Coward
    Anonymous Coward

    Semantic squirming

    Just a thought, and probably a bad one.

    Could the issue be circumvented by MS (and others) "leasing" a hard-disk (virtual or real) to the customer?

    Then the data is no longer in the data-centre (although it is) but on the customer's own hard-drive (although it isn't).

    If MS can then demonstrate that for the US government to get their mitts on the data they would have to physically transfer data from the customer's hard-disk, in a foreign country, across the network to the government, and not just fish it out with a query, would the warrant still be valid?

    1. Anonymous Coward
      Anonymous Coward

      Re: Semantic squirming

      Whereas the idea is already convoluted, it becomes a real problem when you try and maintain this in any sort of corporate size..

  20. Tromos

    I wonder...

    ...would the judge maybe consider changing his mind if an EU arrest warrant were made out for him, along with an extradition request, on the grounds of incitement to contravene the European data protection act?

  21. Anonymous Coward
    Anonymous Coward

    if only ....

    this can't be something that's been said that frequently* but if only Ireland was a member of NATO - then they could ask for the State Department's assistance to fight the US courts that are invading Ireland's territory and infringing at the very least Articles 2 and 4, not to mention the entire spirit of such forms of international cooperation for decades.

    * yes, had Ireland been a member of NATO over the last decades that could have made both Irish and US governments' attitudes to "armed attack" even more confusing.

  22. All names Taken
    Alien

    Reality check?

    I suppose in all of the above it's important to differentiate between a person and the decisions of a person's guvmint or civil serventia?

    For example: Americans, Ruskies, ... are okay people in general but such-n-such a policy in said country is great/mediocre/appalling.

    No?

    Tsk! Earthlings! Really?

  23. NP-Hardass

    Another angle

    Article doesn't mention the judge citing this, but what would prohibit an American from having their data stored outside of the US? That would effectively allow said American to be out of the reach of <Insert US Gov Agency> if they were limited to the US only.

    I don't agree with the decision, just thought this was an interesting angle to look at.

    1. jubtastic1

      Re: Another angle

      This keeps being mentioned like it's a bad thing, how about owning property abroad? Not the same? Money then, should the US be able to annex assets abroad without regard?

      This is a land grab, they're granting themselves access to personal data wherever it is, with little to no oversight and retroactively applying US laws to it.

      1. Lars Silver badge
        Coat

        Re: Another angle

        @jubtastic1

        "should the US be able to annex assets abroad without regard?" No, they should just play by the rules, and ask foreign law enforcement authorities to get the data and accept a yes or a no. Or Microsoft et al should just tell us that any data on their server anywhere belongs to the US authorities. The funny thing is that to help Microsoft et al we should stop using them as much as possible because they have no point at all if they cannot prove they are losing business. Another question is of course if they actually give a shit about protecting anybody's rights and privacy.

  24. Anonymous Coward
    Anonymous Coward

    New laws made by the US of A apply to the whole, wide world.

    Hmm. This sounds like it could turn very nasty, which might be a good thing, if it exposes the American "authorities" (I use the term loosely) for what they seem to be - a bunch of conniving, scheming, low-down, paranoid, nasty pieces of work that appear to be trying to rule the world by attempting to apply their laws to other countries. We have seen this already in the case of Mr. Dotcom, Richard O'Dwyer (a case I have never, ever understood) and others that have seen their lives altered by their own governments who have caved in to the ever-mighty USA. Time, I think for a revolution!

  25. Anonymous Coward
    Anonymous Coward

    If this happens

    Rulings like this will make a future Internet where everyone is their own destination server for their own email. Once delivered that is it, it is sitting on the local hard disk, and not on a central server. Maybe the data is synced to a local non multinational cloud provider for backup purposes.

  26. SJG

    Rules on data export

    The rules on the export of personal data (of which the content of an email between individuals would be an example) are clear and covered under the European data protection laws. It is an offence to 'export' data without the recipient being designated a data processor and the relevant contracts already being in place. See the Reg article here : http://www.theregister.co.uk/2010/05/19/eea_personal_data/. It is also very clear that it is the location of the data controller that is the key - and data controllers must be in the local EU jurisdiction.

    There is clearly no blanket exclusion to this that would allow companies whose ultimate ownership is outside the UK to export personal data, even where the legal authorities in the requesting legal jurisdiction demanded it. In fact there are specific agreements in place with the US for the sharing of airline passenger information with US Homeland Security.

    The implications of allowing, for example, any foreign jurisdiction to force the export of criminal history, medical history, DNA information, financial transactions would be quite substantial. As someone pointed out, much (probably most) of the UK government's data is held in data centers owned and run by US companies such as IBM, HP etc, so allowing this would mean that an arbitrary US court could request pretty much anything they wanted.

    There are so many new (and often untested in court) laws around data privacy and security that this is likely to take some time to play out. It's even possible that it would be a serious criminal offence (aka computer misuse act) for a US based Microsoft employee to access private data held in Ireland against the local regulations - this would be considered the equivalent of computer hacking.

    My understanding is that if Microsoft were to fulfil the request from the US court, then (assuming the data is personal, and is related to an EU citizen) then the registered data controller for that data in Ireland would have failed in their duty to protect the data and so Microsoft Ireland could also be fined.

    If the data is pertaining to a US citizen located in the US then there is probably no breach, however if the individual purchased a service from the local service provider (i.e. the US based individual directly contracted for the service with, in this case, an Irish provider) then the law starts to become a little murky. I have no idea what the situation is if the US citizen happens to be in the US ...

    All this, of course, depends on the T&Cs of the service that was purchased, and of course we all always read that small print, don't we ....

  27. Long John Brass

    It would be funny to see

    An extradition order for the Microsoft(US) board members to Ireland

    The yanks like to extradite people; Turn about is fair play no?

  28. Ken 16 Silver badge

    There is likely to be a US copy of the data

    My understanding of Microsoft's cloud offering is that even if you nominate your data to be kept in the EU (Ireland), they will hold at least 3 copies of the data, one each at your primary and secondary DC locations and a 3rd archive/DR copy at another location.

    There are two Microsoft DCs in Ireland, therefore the 3rd location would be US.

    I agree with other commentards that it's both bad law and bad precedent but if pressed MS may have to admit a copy of the data is within the jurisdiction of the court and possibly subject to search.

  29. Anonymous Coward
    Anonymous Coward

    Ouch!

    Wow, well you could see this one coming couldn't you.... I look forward to the Internet of Europe!

  30. LeeH
    Pirate

    With all their money..

    ..I can see a group of tech companies buying an island, declaring independence from any other nation's jurisdiction, recruiting an army and equipping said army with the most technologically advanced gear they can both buy & 3D print.

    Coming back to reality (maybe), is there a reason MS, Google and Apple are forced to stay in the US?

    1. Caff

      Re: With all their money..

      They would be welcome to buy Ireland, probably do a better job of it than our current gov.

  31. All names Taken
    Paris Hilton

    I wonder what reactions would be if North Korea, China, Russia, ... decided to take a similar approach?

  32. Roj Blake Silver badge

    No Taxation without Representation

    Is what they said during the American Revolution.

    Let's update that to No Jurisdiction without Representation.

    In other words, if US laws apply to the rest of the world, then the rest of the world should get an equal say in what those laws are.

    1. anatak

      Re: No Taxation without Representation

      You seem to forget that 'the rest of the world' does not exist for the USA.

  33. Sanctimonious Prick
    Happy

    A New E-mail System

    For communicating/e-mailing others within your country's borders, with 2,048-bit encryption, using an encryption system designed and programmed in Norway.

    When an e-mail is sent, there's no 'sent items' folder.

    When an e-mail is read, it is automatically deleted.

    I'm sure there'd be a few criminals that'd love such a system. hehe.

    Hey! Maybe they could pay for it?
