Next step?
MS asks the Supreme Court to rule on the constitutionality of the Cloud Act?
Unlikely to get anywhere, but a stalling tactic nonetheless...
/off to read the Cloud Act
The US government has issued Microsoft with a new warrant to get access to emails held on the firm's Irish servers, while asking the Supreme Court to dismiss the existing legal battle. The long-running wrangle began back in 2014, when Microsoft was taken to court by American prosecutors who wanted access to suspects' emails …
I suspect trying to apply it retroactively is enough to get it thrown out of most courts.
OTOH Trump has just made himself wide open to the next "Benghazi" because the new law will also allow non-US spooks access to data held on servers in the US. What could possibly go wrong? Okay, those provisions will probably be thrown out on constitutional grounds because of the protection that the US constitution offers to US citizens (the rest are just "aliens" and fair game for spooks, scammers, etc.).
"I suspect trying to apply it retroactively is enough to get it thrown out of most courts."
Ex post facto laws are in fact banned. But I suspect (and IANAL) that this would apply to data stored overseas going forward from the date of passage. No penalties for past refusal to comply with a warrant. But from here on out; hand it over.
Devil, because that's where the details lie.
I assume that the Irish government will still refuse to let the USA have direct access to servers in Ireland.
A search warrant against specific individual individuals or countries causes no problem for the Irish. It's the direct access they object to, allowing the USA to use 'big data' methods.
I assume that the Irish government will still refuse to let the USA have direct access to servers in Ireland.
Why do you assume that? I don't.
So long as US businesses have the Irish government on a short leash, courtesy of the liberal application of tax laws, the Irish gubbermint will do whatever US big-tech tells them. In this case, it'll be "do as the MIB say", because that gives people like Apple a "get out of jail free card".
"So long as US businesses have the Irish government on a short leash, courtesy of the liberal application of tax laws"
Well, this allows the EU to impose what's effectively a 4% global turnover tax on US companies. That probably far exceeds anything they'd have taken via a with-holding tax on EU turnover.
The ramifications of this go far beyond mere data protection. The US is, in effect, claiming sovereign rights over another nation. Frankly I don't think it's an overstatement that this is tantamount to a declaration of war. This is not America. You don't get to do just anything you like in our country.
American hegemony is not exactly new, but rarely is it this brazen.
If you're an American citizen or company operating in our country, then you are governed by our laws. If you or your government dispute this, then you need to leave. Period.
They're not claiming rights over another nation, they are claiming rights over data which is privately held by a subsidiary of a US corporation that just happens to be located in another country.
If the data was held on a server belonging to an Irish company then the US would have no way to demand the data, and would need to apply for an order through the Irish court system.
The fact is while Microsoft employees in Ireland are not directly answerable to the US government, they are answerable to senior Microsoft employees based in the US who in turn are answerable to the US government.
Employees working for an entirely Irish owned company with no US parent company would not be answerable to the US government at all, and could only be compelled to perform any action by Irish or EU governments and courts.
If you're concerned about foreign governments interfering in your business, then support local businesses and only worry about your own government (which you cant avoid anyway, and theoretically have some control over).
@Joe Montana the data is on a server on Irish soil, owned and run by an Irish company, which just happens to be a subsidiary of a US company.
And regardless, the data is in Ireland and falls under EU and Irish law. If Microsoft US hands over the data, the board of Microsoft Ireland could face large fines and imprisonment for breaking data protection laws. Microsoft Ireland cannot hand over the data to a US organisation or US law enforcement without the written permission of all identifiable persons in the communications (if they are EU citizens) or a valid EU / Irish issued warrant.
So Microsoft US executives faces imprisonment and fines if they don't hand over the data and Microsoft Ireland (a separate entity) face imprisonment and fines if Microsoft US does hand over the data.
"They're not claiming rights over another nation, they are claiming rights over data which is privately held by a subsidiary of a US corporation that just happens to be located in another country."
You actually believe that? It's data which is not owned by US company and it's not in US.
That's the definition of claiming rights over another nation. Even if you are not admitting it: That's irrelevant.
The fact is while Microsoft employees in Ireland are not directly answerable to the US government, they are answerable to senior Microsoft employees based in the US who in turn are answerable to the US government.
In most countries, working for a company doesn't mean that you are obliged to break the laws of your country because your superiors abroad order you to.
Exactly. Can we pass a law in Westminster saying that our citizens can help themselves in US shops? Or that a speed limit of 70 mph applies on US motorways to English people? I don't get the difference with what the merkins are doing.
By the way, I like the way you ended your post with 'period'. Very USA'ish. Full stop.
"Can we pass a law in Westminster saying that our citizens can help themselves in US shops? Or that a speed limit of 70 mph applies on US motorways to English people?"
I think we should
the US embassy in London refused to pay the congestion charge on the grounds of diplomatic immunity, but UK embassy staff in the US don't have that luxury as they have to pass through toll booths.
Data held in servers in the EU should be subject to EU law only - but in reality we know that the US will never respect that nor any other laws that they don't pass.
Remember the US is the country which granted itself the right to invade The Hague should any US citizen by arrested by the ICJ. Thinking they can do what they like in the world is par for the course.
See also Trump pre election thinking he could use compulsory purchase to acquire neighbouring properties for his Aberdeenshire golf resort. You can do that in the US but not here in Scotland.
Then there's that TV series where an FBI unit is allowed to travel the world with weapons and arrest/shoot/kill bad guys in other people's countries. That is just 'Merican wish fulfilment wet dream fantasy.
If that is their cultural reference this is little surprise. The EU equivalent with Donald Sutherland is much more realistic in terms of jurisdictional issues.
Ireland can't fight this. If they do, the tiniest US nuke could blow them up in a second.
Ireland could fight this by allying themselves with China, whom the US can't defeat, but if they do, next step is for China to demand all data held in Ireland, so they're not going to be any better off.
Ultimately the only recourse to the pious people of Ireland is that the Lord in his infinite mercy may grant them an afterlife where they'll not be so weak and abused by other nations. I pray for that.
This post has been deleted by its author
But that would have ruined the apparently user friendly (but deeply citizen unfriendly) backronym.
So it's no longer safe dealing with US subsidiaries if you want your data secure.
Don't deal with US companies for data storage or transmission at all.
America Rogering Someone Else, AKA ARSE Act.
MS are between a rock and a hard place. Uncle Sam says they must, Europe and Ireland say they must not. It's not often I feel sorry for the Redmond land sharks but this time? I can't see a way they can obey either without falling foul of the other.
In other news, several imps have perished due to the unusual cold spell in Hades.
Exactly Chronos.
If the CLOUD Act holds up to scrutiny, companies with a US presence will have to decide, whether they want executives in the USA to face fines and imprisonment or executives in Europe to face fines and imprisonment...
The Microsoft model for data centers in Germany will be interesting, going forward, they are owned and run by T-Systems on Microsoft's behalf. MS don't get any physical or electronic access to the datacenter or the information in it, they have to request it from T-Systems and the DoJ would still need a European warrant to get access, just like they did before the CLOUD Act.
It would appear that the DoJ are trying to add the case in retrospect. The law wasn't there when the case started therefore they shouldn't be able to apply the law retrospectively.
Oh, sorry I forgot this is in the US that thinks it rules the world and make laws that overrule the laws in sovereign countries.
"It would appear that the DoJ are trying to add the case in retrospect"
actually no. it's a new action related to an old case.
I think everyone knew this was coming. Now Micro-shaft can say "we tried" and make themselves APPEAR as if they care about user privacy. But, based on EULAs and actual BEHAVIOR, they obviously do NOT.
it's a new action related to an old case.
Which makes it different to restrospective in what way exactly? It would set a very dangerous precedent if it succeeds. I would not be in the least surprised if the most conservative judges come down the hardest on this aspect. Will be fun to see Trump moan about judges he picks but can't sack.
"actually no. it's a new action related to an old case."
...but referencing the same warrant, not a new one. Although they are claiming that the CLOUD Act negates the need for a warrant. It's all moot anyway as they already have a legal, treaty based method to get the data. This is all about getting around the treaty method of requesting specific data in relation to specific evidence and trying to get unrestricted access to anything they feel they might want to grab.
I think that is exactly what they are attempting to do. Should they have a valid need for the data they could issue a warrant in Ireland for the data. They haven't. This either means they don't have a valid need for the data or they wish to set a precedent to circumvent international treaties and access any data they wish without appropriate oversight.
Microsoft will resist and Google and Amazon should be trying to assist them otherwise no one in their right mind will be looking to buy cloud storage or compute services from an American based company.
There's nothing retrospective going on at all. They are making a request in the present for something that exists in the present.
Retrospective would be fining Microsoft for not handing over the data before the new law came into force. Now the new law is in force companies and people are now required to comply with it.
Countries or regions like the EU with an interest in protecting individual privacy, will rule that for a cloud provider to hold data on individuals there must be regional or country bound stewardship of the data where the cloud provider is able to enforce local protections (such that CLOUD Act warrants cannot be served because the data is not under the control of an entity affected by such a warrant).
Countries or regions with an interest in extending access to information for government organisations will apply reciprocal arrangements so that, for example, if a cloud provider wishes to operate in the region, they must provide access to any data under their control whether in the region or not.
IANAL and some of this probably already exists, but this does seem like an awfully big can of worms to write in to the US legislative framework.
The current laws already state that. The data cannot be transferred out of the EU (unless the destination land has equivalent levels or data protection or things like Privacy Shield being an exception) and cannot be handed to third parties, including legal authorities, without a valid EU issued warrant.
That means it would be illegal for Microsoft US to hand over the data under the CLOUD Act and would leave Microsoft Ireland in a very sticky situation.
Current laws already state that. I know for certain of at least one company, and suspect several more, knowingly breaching that law. The company I know of was audited by the FCA and given a clean bill of health. The FCA simply looked the other way when it came to cloud data storage....
So the law is worth exactly the paper it is written on.
Slowly but surely, the only option left to EU governments to implement the privacy protections guaranteed by their own laws will be to demand that private data must be held in European data centers operated by independent European companies, which have no need to obey US demands. I'm not sure they will go that far, or that they care enough about our privacy...
which makes Office365 and Google Documents, as used by governments, a bit of an embarrassment when it turns out the USG can slurp it all when they feel like it.
Some while ago, we got a company wide memo reminding all staff, sales people in particular, to NOT use Google docs etc for business related activities.
"Microsoft no longer has any basis for suggesting that such a warrant is impermissibly extraterritorial because it reaches foreign-stored data, which was the sole contention in its motion to quash... There is thus no longer any live dispute between the parties, and the case is now moot."
You can not pass laws in your own country and expect all other countries to follow your laws. Sorry but it doesn't work that way. That law doesn't apply to a different country.
Anyone would think they passed this law to get back at Microsoft.