Oi, force Microsoft to cough up emails on Irish servers to the Feds, US states urge Supremes Microsoft should not be able to “shield evidence” held on Irish servers from US prosecutors, a group of 35 US state attorneys general has argued. The group – which represents Vermont, New Jersey, Illinois, Florida among other states – submitted an amicus brief to the US Supreme Court backing the US Department of Justice’s …
>Change "email" with "money"...
... and you see the same should apply to money stored offshore.
Doesn't work. It's more like if a US bank had overseas branches. The US courts should still be allowed to compel the company to reveal account info. They're not physically asking for the money to be moved, they're asking to see the balance.
I could understand if the crim used a different provider, one that wasn't a US-based company. But it's generally understood that even though you're using a worldwide accessible service, you're accessing the "local" version.
Don't get me wrong, I'm all for the courts being in Microsoft's favour. It's just, rationally, I find it hard to support
"Don't get me wrong, I'm all for the courts being in Microsoft's favour. It's just, rationally, I find it hard to support"
Rationally it's not at all hard to support. There's an established procedure for this, one which involves going to the Irish courts. They should have used it. There's no indication that they tried. Supporting due process of law vs taking short cuts isn't at all irrational.
No. The data is in control of a US company. Changing it from data to money really doesn't change a thing. They are trying to play a shell game in order to hide from the courts. The courts should not have any of it.
If a foreign corporation was doing this kind of thing in the US in order to hide from their own courts, I would have no problem with it going the other way.
This situation is nothing like hiding money in the Cayman Islands.
You will find that Cayman has one of the most transparent and well regulated financial regimes in the world. The journalism and politics of envy are always quick to rail against tax neutral territories but if you really want to find laundering, corruption and the hidden billions of despots and crooked regimes look no further that...yes you've guessed it... London! Right on the doorstep of the journos and SJW's that bleat so much about offshore. The irony would make Alanis blush. It's almost as bad as rain on your wedding day
"The US courts should still be allowed to compel the company to reveal account info. They're not physically asking for the money to be moved"
But they are not asking for "the balance". They are asking for everything. And as the information itself is what is of value here, so it is like they are remotely emptying your account as the best analogy! And more importantly on EU territory, EU law trumps US law, and personal data is legally protected in the EU.
And maybe the state attorneys should actually study the law, before opening their mouths.
It is their own incompetence that has led to this problem. There have been legal mechanisms in place for decades to get access to this data, without them having to act like xenophobic idiots and which, if there was any reasonable case, would have gotten them the information years ago, without all this stupidity.
Actually, it's exactly they want to set a precedent, or obtain a Supreme Court ruling. I guess those emails are now wholly irrelevant to the case. They want to extend their reach, so they don't have to bother with those pesky foreign jurisdictions. Just, they didn't dare with something - like money - which would have seen them shut down instantly.
This post has been deleted by its author
Hm, money stored offshore? As long as the bank does any business at all in the US, all such money owned by US individuals have to be reported to US authorities.
The law is very interesting.
Microsoft can't claim that because the servers are overseas therefore the court order isn't valid.
It is.
Note: We're not talking about an Irish citizen who lives in Ireland and the US courts wants his data. That would be a completely different issue. The question here is how do you handle jurisdiction of data.
To make this simpler... You have a criminal act in NY committed by a US citizen and resident of the state of NY, yet the data sits on a server in California. The defense could argue that because the server was in a different state that they didn't have jurisdiction.
Now, that doesn't sound right, now does it?
Move the server to Toronto...
The point is that because the data is accessible from the jurisdiction where the crime was committed, it should be admissible. That the location of the server is irrelevant.
Microsoft can't claim that because the servers are overseas therefore the court order isn't valid.
It is
for US Microsoft staff, but not for Ireland Microsoft staff.
If Ireland staff or government decided to cut power to the server there, nothing US do will restart the server. They will still have to wait until Ireland staff / government restart the server before getting any data.
US is not in full control of Ireland, therefore US law doesn't apply there unless there's an Ireland US agreement. End of story.
The UK takes a view similar to that advocated by the US DoJ in this case, under the UK's RIPA, DRIPA and IPA laws, which are taken to apply to companies operating in the UK, even if they are based elsewhere, and hold data elsewhere. Their arguments ignore some of the complexities of independent, extra-territorial subsidiaries (in a way that seems at odds with the tax-avoidance-friendly interpretation of the nature of "independent" corporate entities) and the interplay of the IPA with EU data protection rules (which mean that any entity storing data of EU citizens already has to comply with various obligations, which also include specific exemptions for law enforcement). Perhaps they wish to gloss over these subtleties and nuances in order to curry favourable treatment from the US DoJ when attempting to access data held in the US, just as the parliamentary "debates" about other aspects of the IPA effectively glossed over and ignored key aspects of critical ECJ rulings.
But, in this case, we are talking about Irish servers, owned by an Irish company on Irish soil, which just happens to be owned by an American company.
Microsoft can't legally hand over the data to the US without an Irish or EU warrant under EU and Irish law, regardless of what the US supreme court decides.
The article clearly states that MS can access the data from within the US. In which case, why can't they legally access it and hand it over after a legally binding US notice to do so is served to them in the US?
I have no interest pro or anti any of the parties in this case, but surely where the information is accessible from, and by whom, is just as important as where it's physically stored? Otherwise, all reasonable law enforcement in the digital realm could quickly become impossible (and before you start cheering that prospect, just consider the case where you're the victim of some massive privacy or financial theft that could be solved if that was the guiding principle.....)
"The article clearly states that MS can access the data from within the US"
Where do you see this in the article?
Do you mean this: The prosectors argued Microsoft is an American corporation and therefore should obey an order from an American judge; where the data sought existed was immaterial – it could be accessed from Redmond's US offices.?
Or this: “The court reached this conclusion even though Microsoft could easily access the stored data from its United States offices,” the group said, echoing a key argument in the DoJ’s case against Microsoft.?
In the first case note that this is an argument by the prosecution and in the other the group referred to is the not entirely disinterested group of state attorneys general in it's a claim in an amicus brief.
Neither of these constitutes evidence. Neither is clearly stating fact.
"I have no interest pro or anti any of the parties in this case, but surely where the information is accessible from, and by whom, is just as important as where it's physically stored? Otherwise, all reasonable law enforcement in the digital realm could quickly become impossible"
How many times does it have to be pointed out that if the authorities have a case to justify a warrant there is an existing process whereby they present it to a court in Ireland in whose jurisdiction the data resides? So reasonable law enforcement is not impossible. The fact that they have not done so gives rise to grave suspicions that something else lies behind it - anything from initial ignorance of the due process backed up by pig-headedness or a severe case of willy-waving to embarking of a fishing trip with no case at all. It doesn't need any interest in the outcome of the underlying case to be deeply concerned about due process in accessing it. Due process of law should be of interest to us all.
The ease with which one can perform an action has no bearing on whether that action is actually legal.
I find it quite shocking that this is actually presented as an argument on the prosecution side. I can only assume they came up with better arguments when they were law students, otherwise it is hard to see how they ever got qualified in the first place.
"surely where the information is accessible from, and by whom, is just as important as where it's physically stored?"
Not really, unless you want to make it legally impossible for *any* company to operate outside of the country where its head office is located.
One of the reasons why companies have subsidiaries abroad is to make the operations of those subsidiaries subject to the laws of those countries, thereby making it easier and safer (and in some cases, just plain legal) for customers in those countries to do business with those subsidiaries. I would argue that the practice ought to be more widespread and that all sales to consumers in country X ought to be conducted through a subsidiary in country X and taxed according to the laws of country X.
"why can't they legally access it and hand it over after a legally binding US notice to do so is served to them in the US?"
Because it would be illegal under EU law. And the penalties for Microsoft in the EU are WAY higher than likely for ignoring a US judgement precisely to trump such an attempt to sidestep EU rules.
"The article clearly states that MS can access the data from within the US. "
It doesn't say that at all. It says that the DOJ are presuming that they can.
Microsoft run a Windows Active Directory type security model which is quite capable of denying access to data even to administrators. This is one of the many advantages of that model over say *Nix where you have no concept of denying root access to a file system. This is likely why for instance Google just roll over for these type of requests and comply.
Microsoft have publically stated that their security model has the capability of requiring a local data custodian to approve access requests to local data from other territories. So it is possible that if such a request broke Irish law as seems probable then Microsoft USA physically could not provide the data.
OK, so Microsoft (CN) Azure employees working out of the North China Region can technically access and migrate data from another Azure region, say South Central US or US DoD East...and they receive a legal court order from the Chinese government to do so. Just because that breaches US law is that a reason for them to ignore the court order? Surely where the information is accessible from and by whom is just as important as where it's stored physically?
"But, in this case, we are talking about Irish servers, owned by an Irish company on Irish soil, which just happens to be owned by an American company."
Right, though I'm not sure why you say "but"; my observation was that the UK governement's view on extra-terratorial jurisdiction prima facie supports the US DoJ's position in this case. In fact it seems even broader/more extreme: according to UK government's reasoning the US DoJ should still legally be able to require data to be handed over even if Microsoft itself were registered in Ireland, Iceland or Switzerland etc., (regardless, it seems, of the views or laws of the countries in which the data were held, or the companies were registered).
Of course I am not saying that the UK government or US DoJ are right here (and my earlier comment alluldes to some sleight-of-hand in the UK government's amicus brief), just that the US DoJ is not unique in its attitude to extra-terratorial jurisdiction: other "civilised" countries make similar, or stronger, claims.
If a criminal in the US sends messages to his crime partner in the US planning a crime in the US, but EmailHostCo has their server in another country and could easily retrieve those emails at one of their facilities in the US, why in the hell should the police have to involve the government of another country just because the emails are located on some server there? As long as police are getting a warrant from a real court that has jurisdiction over where the emails originated or terminated, why should it be necessary to involve some other country? It dosn't make make any sense to me, and certainly makes it easier for criminals.
Of course, I'd like to see ANY access by police to email servers controlled and require an order from an actual regular court whose actions could be reviewed, as opposed to some secret court with no responsibility to anyone, like we currently have in the US.
This whole situation highlights the serious need for more and better international agreements regulating this sort of thing. Right now it's practically the Wild West as far as international computer crime goes. And if the U.S. even tries to police criminals who attack U.S. computer systems or (in this case) even commit crimes in the U.S. but there's some kind of foreign computer involvement, in come the lawyers, and it all goes pear-shaped when it should have been fairly straightforward. The EU, USA, Russia and China (for starters) should get together and sort this out. Possibly there should be an international "computer crime court" or something like that which can issue warrants good in all countries, something like an EU warrant. SOMETHING better than we have now, at any rate.
"why in the hell should the police have to involve the government of another country just because the emails are located on some server there?"
Well in the case of the EU it would be because personal data stored in the EU is protected under the GDPR regulations, and companies that break the rules by say moving that data outside of the EU without specific informed consent can be fined up to 10% of global turnover. Per incident! And or responsible executives imprisoned. It was designed to be exceeding painful for any company that breaks EU law partly to defeat exactly this sort of extra territorial over extension of local law.
Well in the case of the EU it would be because personal data stored in the EU is protected under the GDPR regulations,
Not quite. GDPR applies to the personal data of EU citizens or resident immigrants. It does not cover foreign nationals or transient visitors so emails belonging to an American citizen/resident stored in Ireland are outside the scope of GDPR.
Not quite. GDPR as it stands also applies to personal data stored in the EU about natural persons residing outside the EU.
Under a plain reading of Recital 14, yes however that is subject to the provisions of Art. 2 S2(a) which provides limitations and Art. 3 S1 which is ambiguous in terms of the interpretation of the word "establishment" due to the second clause of the sentence. This sort of thing will take case law to clarify so, as things stand, one can only be certain that GDPR protects the personal data of persons resident within or citizens of the EU in the context of activities taking place within the jurisdiction of the ECJ (Art. 2).
The trouble is that the data in question is protected by Irish and EU law. What the feds demand will, if it happens, be interpreted in Ireland as a criminal hack, and the individuals and companies implicated will then be in much the same uncomfortable position as Laurie Love.
Indeed, it does raise the rather delicious prospect of Ireland demanding the extradition of USSC justices as accessories to the crime. Who would hear *that* case, I wonder?
@veti:"What the feds demand will, if it happens, be interpreted in Ireland as a criminal hack, "
Irish law relating to hacking is pretty much nonexistent; unauthorised access to a computer comes under the Criminal Damage 1991, and the penalties are pretty light.
There is a cybercrime bill in the pipeline I think, but if or when that gets implemented is anybody's guess.
Somebody in Dublin needs to call the US ambassador in for tea, biscuits and a bollocking but yeah, probably not going to happen.
Somebody in Dublin needs to call the US ambassador in for tea, biscuits and a bollocking but yeah, probably not going to happen.
Not the problem here. If USA pulls this one, watch the data protection regime between USA and Eu unravel in an afternoon. It will not even need a Schrem to use this as a precedent that USA does not give a flying f*** about any Eu Data protection law. That is something we all know, but an obvious precedent to be presented to the ECJ has been missing so far. These idiots are hell bent to create one. Well, fine, let them do it. All of the American high tech companies will be moving HQ offshore shortly thereafter making USA a subsidiary.
So it will not be the US ambassador called for tea and scones (what biscuits in Ireland?). It will be all valley companies having a kind word with whatever congresscritter they purchased last.
@veti: "The trouble is that the data in question is protected by Irish and EU law."
Not only that, but, as far as I understand, MSFT specifically and intentionally segregate data storage by geography, at least partly to comply with the various data protection laws, and that is written into the TOS. It is not, "Oh, yes, we could download the stuff from our Redmond office... Oh, sh!te, we didn't think of the legal aspects..." It was made legally inaccessible from other jurisdictions by design and with a lot of forethought.
There was another case involving Google that was covered by El Reg, and there the judge decided that it was different from the MSFT case because there was no geographical separation by design. It made sense to me at the time.
" why in the hell should the police have to involve the government of another country just because the emails are located on some server there?"
They don't have to so why are they doing it?
There's no need to involve the government of another country. All they have to do is involve the courts of that country by following existing agreed procedures. So why do they try to go barging in heavy handed in a way that gets governments involved in defending their sovereignty?
"This whole situation highlights the serious need for more and better international agreements regulating this sort of thing."
ROFLMAO. The international agreements of which you write already exist. This entire episode is the result of the authorities in this case choosing not to use them.
All they have to do, assuming they have a case, is to present that case to the relevant court and get a warrant. Microsoft Ireland would be bound to abide by that warrant. The Irish government would not be involved. (Technically, I suppose, it would have already been involved in negotiating with the US the relevant treaty which the US authorities are now ignoring.)
So why are they getting themselves in this position. Is it that they don't have a case? Do they have a case but can't be bothered to get off their arses and present it to the relevant court? Are they trying to establish a precedent whereby they can go to a complaisant US court for fishing expeditions when they really don't have a case and know they'd be laughed out of an Irish court? Did the read the word 'foreign' and think they'd have to present the case in a non-English language? If it's that I can assure them that they speak excellent English in Ireland. Do they just fancy throwing their weight about internationally to bully smaller countries, given they're not doing very well with Russia or the Norks?
If they get their way with this things will not go very well with a large swathe of the US tech industry in the future. The Privacy Figleaf can be expected to shrivel up and die and it will be very difficult to persuade anyone in the EU to have another shot at replacing it. Any US business that depends on the Figleaf this will find EU business drying up. Other markets might follow. You might find yourself reminiscing about the halcyon days when the US had an international tech industry.
"There's no need to involve the government of another country. All they have to do is involve the courts of that country by following existing agreed procedures. So why do they try to go barging in heavy handed in a way that gets governments involved in defending their sovereignty?"
Because the courts have a perfectly good argument as to why they shouldn't provide access. Governments, on the other hand - at least, the UK - can easily be leaned on and in fact have an interest in changing the law so they can get at the data their own laws put off-limits.
The EU, USA, Russia and China (for starters) should get together and sort this out.
Err? they have, hence why people keep referring to other existing mechanisms the US could have used to legally access the data.
I suspect the question that you and others in the US should be asked is: Why, if the pre-existing agreements aren't up to the job, the US has not taken the initiative and convened a meeting involving at least the EU, to review the existing arrangements and propose changes...
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
