back to article Nuh-uh, Google, you WILL hand over emails stored on foreign servers, says US judge

Google has been ordered by a US court to cough up people's private Gmail messages stored overseas – because if that information can be viewed stateside, it is subject to American search warrants, apparently. During a hearing on Wednesday in California, magistrate judge Laurel Beeler rejected [PDF] the advertising giant's …

  1. Doctor Syntax Silver badge

    Europe really must insist on data sovereignty, proper arms-length operation of European DCs. The US cannot be trusted with data.

    1. Bill Gray

      ...The US cannot be trusted with data.

      Errmmm... which government can be?

      1. Mephistro Silver badge

        Yeah, but...

        ... different shades of grey, as in US=99%black and EU=30%black.

        Wouldn't you agree that choosing the lesser evil is the better course of action when there's no better alternative?

        1. ckm5

          Re: Yeah, but...

          Hmm, the two places with the highest number of wiretaps as a percent of the population are the Netherlands and Italy. http://www.npr.org/2013/07/28/206231873/who-spies-more-the-united-states-or-europe

          It's nice that the EU governments are so much better a propaganda than the US, but that doesn't they are any better - probably much worse, actually.

          1. Voland's right hand Silver badge

            Re: Yeah, but...

            Hmm, the two places with the highest number of wiretaps as a percent of the population

            Targeted court wiretap of a person vs blanket surveillance of the entire population.

            1. John H Woods Silver badge

              Re: Yeah, but...

              "Targeted court wiretap of a person vs blanket surveillance of the entire population."

              I'm encouraged that NL has a relatively high number of wiretaps: it suggests they *need* to do so to monitor the bad guys, which indicates they may not do as much general hoovering up of everything.

              I have no problem with targetted surveillance. I'm not even that bothered about whether the Security Services need warrants or not. What I am more bothered about is some unvetted desk-jockey in the Food Standards Agency or other government department being able to examine every single piece of anyone's internet history, any time they feel like it, without auditing or oversight, and perhaps even much in the way of justification. Or some hacker breaking into the barely secured archive of my web history that my ISP is forced to keep. etc.

          2. Rich 11 Silver badge

            Re: Yeah, but...

            It's nice that the EU governments are so much better a propaganda than the US, but that doesn't they are any better - probably much worse, actually.

            I like the way you cherry-picked that article to produce your speculative conclusion.

        2. aeio_

          Re: Yeah, but...

          "Wouldn't you agree that choosing the lesser evil is the better course of action when there's no better alternative?"

          So 99% black vs 98% black -- We're TWICE as good as those other guys*

          So only 30% of your emails have leaked to the world, instead of 99%. Gee, that makes me feel MUCH better!

          * Note: some minuscule computational errors might have occurred. Some minor events, all fatal, have been reported while taking Claridryl.

          And really, no -- evil is still evil. If you're only 22% (2/9th) pregnant with Satan, you're only partially evil. In 2 more months you're now averaging "normal" evil. Sometimes "No" IS the correct answer. Flush them all and try again.

          ----

          Actually, I agree with the judge in this case. Can you bring it up on your console? Are you (Google) within my (the judge) reach? We're done here.

          Or even plan B. Isn't that a fully owned and controlled subsidiary you have over there? Can you order it done? Again, we're done here.

          Sorry -- you want the tax independence and freedom of being another company in a separate country? Then Be Another Company with completely independent controls.

          1. Richard 12 Silver badge

            Re: Yeah, but...

            The Law doesn't work like that.

            Have an example:

            You work for Company A Ltd in the UK.

            Company B Inc in the US owns all the stocks in A. That makes A a wholly-owned subsidiary.

            Company B orders you to break the law in the UK.

            What do you do?

            1. Voland's right hand Silver badge

              Re: Yeah, but...

              What do you do?

              You do not execute an illegal order. I have done it more than once. It is quite difficult, but usually all it takes to explain the US company the legal liability. That is a language they understand quite well.

            2. Ian Michael Gumby Silver badge
              Boffin

              @Richard 12 ... Re: Yeah, but...

              The answer is rather simple.

              You comply with the laws of your country regardless of the ownership.

              In other words you politely decline to do the work stating that it would be a criminal act in the UK.

              In both countries, it would be illegal for Company B to order you to break the law in the UK, even if it were not an illegal act in the US.

              Sorry but your example is silly.

              1. Richard 12 Silver badge

                Re: @Richard 12 ... Yeah, but...

                Do I really have to spell it out?

                The parent company is breaking the law by not complying with a court order.

                So, which law gets broken?

                Does your boss force you to break the law or do you force your boss to break the law?

            3. Doctor Syntax Silver badge

              Re: Yeah, but...

              "What do you do?"

              What you don't do is set up the arrangement you describe.

              You could, for instance, have an arrangement where company A is a UK company, owned by UK shareholders and operates under UK law. It is a franchisee of company B. The franchise arrangement is also drawn up according to UK law. It includes strict terms that company B is not allowed to have access to data of company A's clients.

              US government orders company B to break UK law.

              Company B can't.

            4. TheVogon Silver badge

              Re: Yeah, but...

              "Company B orders you to break the law in the UK. What do you do?"

              Tell them no, that's illegal, or go to prison...

        3. William 3 Bronze badge

          Re: Yeah, but...

          Choosing the lesser evil does not make you good.

          That's a logic failure on your part.

          Consider this.

          A. Death by torture over a period of weeks

          B. Death by a bullet to the back of the head.

          Obviously A is more evil than B, but you're still dead.

      2. Uffish

        It is not so much which government, more which organisation can be trusted with data.

        1. Anonymous Coward
          Anonymous Coward

          Which is why now, more than ever, we must encrypt end to end. No org/gov should have access to what I share between me and the other party, be they a corp or individual or my own archives. Now, it seems, I need to encrypt anywhere and everywhere just to cover all bases with respect to data privacy, as the corporations will eventually be forced by the nearest gov to hand over the dox, lest "National Security®" be thwarted in their endeavor to protect us from our privacy in the name of a quick and questionable online crime search that yields precious few convictions. And (in the nearest future) here comes the thought crime police...

          1. boltar Silver badge

            " And (in the nearest future) here comes the thought crime police..."

            In the future? They're already here. They call themselves the "liberal" left but woe betide anyone who doesn't strictly adhere to their officially sanctioned positions on various topics. And even by posting this I've probably being microaggressive to some weak minded snowflakes.

            1. Spanners Silver badge
              WTF?

              @boltar

              "liberal" left

              You seem to be misusing the word "liberal". Perhaps you are using the quotation marks to mock people in the USA who identify anything they are far to the political right of as "liberal left" - even though it is actually central (which is what liberal means).

              1. boltar Silver badge

                Re: @boltar

                "You seem to be misusing the word "liberal""

                No, I'm not. The word has a number of related meanings, clearly you're unaware of all of them bar one. I suggest you aquaint yourself with google.

                The term is actually an oxymoron in the case of the modern liberal left since they are anything but - they're autocrats dressed up as SJWs who will brook no argument or deviation from their pseudo religious stance on any trendy issue-of-the-month they consider important (and that most other people don't give a fuck about to be blunt).

            2. John H Woods Silver badge

              "And even by posting this I've probably being microaggressive to some weak minded snowflakes."

              By posting that you are mainly looking clever to stupid people and vice versa.

              1. boltar Silver badge

                "By posting that you are mainly looking clever to stupid people and vice versa."

                I hope you're not counting yourself as one of the clever people. Looking at your previous posts you're on somewhat shaky ground there my friend.

                1. allthecoolshortnamesweretaken Silver badge

                  "Looking at your previous posts you're on somewhat shaky ground there my friend."

                  You can tell by his posts that he's living in California?

            3. Alumoi
              Coat

              boltar, it seems there are a lot of snowflakes around here. Haven't they heard it's spring already?

          2. Anonymous Coward
            Anonymous Coward

            Which is why now, more than ever, we must encrypt end to end. No org/gov should have access to what I share between me and the other party, be they a corp or individual or my own archives.

            Two problems with that.

            1 - fine, but do keep in mind we DO have criminals. That doesn't mean I'm in favour of crypto backdoors, but you have to acknowledge that some are trying to hide some pretty shady activity, and at present I have personally no idea how we balance this. The UK has IMHO gone too far to one side (see 2), but I don't think that anarchy is the right answer either. I worked with counter-terrorism so I'm not entirely ignorant of the needs of the other side, but I also believe in Human Rights and proper legal process.

            2 - UK's RIPA (and IPA, son of RIPA) sets out conditions that apply to your crypto where you may have to unseal your data. On the plus side, it means there is a process, on the minus side is the fact that it reverses due process insofar that you're guilty if not collaborating. As above, not convinced this is the right way but I understand some of the problems.

            BTW, beware of experimenting with crypto: delete archives you no longer use because it is possible that you really forget a password (as it was only an experiment), and at that point you'd have a legal problem..

            1. Doctor Syntax Silver badge

              "Two problems with that." etc

              I have been in the same position as you and share your concerns.

              A few comments.

              Firstly, agreed on due process. Due process is not having some officer of the investigating body authorising warrants, nor a minister or ministerial aide of whatever. Due process is a warrant issued by a court of law. Although the nature of a warrant hearing is such that the subject of the warrant doesn't normally get to hear of it when it's applied for and granted, only when its served, once it is served the subject should have a right to a hearing to challenge it if they think there are grounds for a challenge.

              Secondly, but related to the first, the presumption of innocence is a fundamental part of law in a free society. An approach that seizes everyone's data first and decides what to do with it afterwards defies that presumption; it should not have been passed.

              Thirdly, the jurisdiction of a country's law should stop at its borders. There are treaties which allow for the US or other country to go through proper channels to ask for access in the country where data is held and to get access which is in accordance with the host country's law on presentation of a proper case. The fact that they're not doing that suggests to me either ignorance of the channels available to them, arrogance that they think they can trample over other countries' legal systems, indolence in not being prepared to put in the work to prepare a case or, and I suspect that this is the real reason, they simply don't have a basis for preparing such a case.

              Finally, the need for encryption is a necessity for transacting business over the internet. If a government doesn't want to allow it then it should say plainly that it also doesn't allow business to be transacted over the internet and see where that gets it. Otherwise those who advocate banning encryption should be prepared to put all their online banking and other e-commerce credentials etc in the public domain for a year before taking the matter further. It makes no sense to deny the public such facilities when the only effect it has on law breakers is to provide them with another law to break.

              1. Anonymous Coward
                Anonymous Coward

                I have been in the same position as you and share your concerns.

                A few comments.

                A reasoned response, thank you. One final (longish) comment, though:

                Thirdly, the jurisdiction of a country's law should stop at its borders. There are treaties which allow for the US or other country to go through proper channels to ask for access in the country where data is held and to get access which is in accordance with the host country's law on presentation of a proper case.

                This doesn't quite hold true in matters of data residence vs ownership, and I know this because it happens to be my work. I've seen it a few times in the UK that a UK company goes and stores its data in Swiss data centres under the assumption that the data thus falls under Swiss law.

                That assumption is 100% wrong, even from a Swiss legal perspective that data remains under UK law (feel free to ask them yourself, their English is some distance better than my French or German :) ). If it is a subsidiary, matters get a bit more murky (a franchise model is far easier to defend due to full ownership separation), but just hosting your data in Switzerland will not move it out of your business jurisdiction.

                "Going Swiss" is actually a common ploy of US "privacy" companies, setting up a Swiss subsidiary to pretend they can protect your data. Just checking company ownership and/or directors and where they live is usually enough to expose privacy risks (the linked central register will branch out to cantonal resources where required).

                Using jurisdiction to legally protect information is eminently possible, but take it from me that it takes rather substantial expertise and experience to get it right.

      3. LDS Silver badge

        Still, I prefer my data to be accessible only by a government I have some form of control upon, and which I can sue in a court locally, than one oversea I have no control, doesn't recognize my rights because I'm a 'damned foreigner', and where costs to sue it are prohibitive.

        1. Louis Schreurs BEng

          'damned foreigner'

          nononononononononononononononononoooooooooooooo

          Fuckin' Alien

    2. Anonymous Coward
      Anonymous Coward

      Microsoft's system already requires local custodians to approve data retrievals from each region. i.e. someone from the US can't retrieve data from the EU without someone in the EU authorising it. And customers can bring their own keys - to be stored in HSMs that can block access from outside their region.

      I bet Googles system doesn't work like that....

      1. Anonymous Coward
        Anonymous Coward

        Microsoft's system already requires local custodians to approve data retrievals from each region. i.e. someone from the US can't retrieve data from the EU without someone in the EU authorising it.

        I wouldn't wave too much of a flag for Microsoft if I were you. When you start evaluating how they comply with EU law you quickly find that all is not as shiny as they make out to be. A bit like Windows 10, actually.

    3. Yet Another Anonymous coward Silver badge

      >Europe really must insist on data sovereignty, proper arms-length operation of European DCs.

      Which wouldn't work in this case.

      The data was for a US customer, Google merely moved it to an overseas data center for operational reasons. The microsoft case was for Irish customer's data hed in Ireland.

      If the EU law applied to American data temporarily held in Europe then would Google be able to copy it back to its US user or would the Eu prevent this? Would the Eu have the right to spy on the American data because it happened to be taking advantage of winter in Finland to reduce the AC bill?

      1. John G Imrie Silver badge

        If the EU law applied to American data temporarily held in Europe

        But EU Law holds for American goods and American citizens temporarily in Europe

    4. Anonymous Coward
      Anonymous Coward

      Right, because the UK with Theresa May at the helm is a safe haven for privacy.

      1. William 3 Bronze badge

        So which UK political bodies do you think WILL respect your privacy?

        It's all very saying "those pesky tories" but not being able to offer any alternative.

        1. Roj Blake Silver badge

          The Lolberal Democrats and the Greens are quite strong on privacy.

          1. Dazed and Confused Silver badge

            Re: The Lolberal Democrats and the Greens are quite strong on privacy.

            History shows us that opposition parties are, but the day they get a riff of power they want all the power they can get.

            1. Anonymous Coward
              Anonymous Coward

              Re: The Lolberal Democrats and the Greens are quite strong on privacy.

              "History shows us that opposition parties are, but the day they get a riff of power they want all the power they can get."

              The Libs had some degree of success in reining in the worst excesses of the Tories on civil liberties during the coalition government.

              1. Mr Commenty McComentface

                Re: The Lolberal Democrats and the Greens are quite strong on privacy.

                "The Libs had some degree of success in reining in the worst excesses of the Tories on civil liberties during the coalition government."

                Then they crashed into the ground in a huge ball of flames. What does that tell you about them?

                As for the Greens, yes, maybe strong on privacy, for now, but as another poster has mentioned, when you are in opposition to those in charge, you are strong on everything they aren't, right slap bang up until you're nose is in the trough (and your two front trotters). You want an example, look at Trump (through sun glasses). Sadly though, the Greens are staggeringly mental and unrealistic on pretty much everything else. They haven't a clue.

                1. sabroni Silver badge

                  Re: Then they crashed into the ground in a huge ball of flames. What does that tell you about them?

                  It doesn't tell you anything about the Liberals. It tells you a lot about the electorate.

                  1. Doctor Syntax Silver badge

                    Re: Then they crashed into the ground in a huge ball of flames. What does that tell you about them?

                    "It doesn't tell you anything about the Liberals. It tells you a lot about the electorate."

                    Yes. A large part of their vote was simply a protest vote. The thought that the party they'd voted for might actually do something responsible in helping form a government in the aftermath of the 2010 election was anathema to them. Voting against something might appear attractive but in reality it only makes sense to vote for something.

                2. TheAnt

                  Re: The Lolberal Democrats and the Greens are quite strong on privacy.

                  > As for the Greens, yes, maybe strong on privacy, for now, but

                  So were the Tories when they were in opposition.

                  If the Greens got into power how long would it be before the names of everyone who drives a diesel were posted out publicly in a name and shame exercise? Oh and everyone with a car with a more than 1.6L engine. Then anyone who ....

          2. James 51 Silver badge
            Happy

            lolberal brought a wry smile to my face. I may have to borrow that.

          3. soulrideruk Bronze badge

            The lib dems also vowed to make marijuana legal should they ever ascend to parliament. Only they dropped it like a hot potato when the chance to govern alongside the tories came up...

            1. kiwimuso

              @ soulrideruk

              "The lib dems also vowed to make marijuana legal should they ever ascend to parliament. Only they dropped it like a hot potato when the chance to govern alongside the tories came up..."

              Oh dear, you seem to have no concept of how a coalition works, do you.

              You state your position in advance of the election but when it comes down to creating a coalition, it's down to negotiating a deal with the other party. Some of your policies you drop as not being as important as others. Ditto for the other party. I am sure the Tories also had to compromise a bit - maybe not a lot, but you never know. If they are desperate for power then they may be willing to concede all sorts of 'principles'!

              If the Lib-dems had acquired enough votes to govern alone, they may well have instituted a 'legalise marijuana' policy. We will never know, so it's rather useless speculating on it.

      2. g e

        Theresa May?

        Well she's given us the opportunity to sack her so let's not shillyshally around.

        Voting someone else in you maybe don't like for four (five?) years is still better and she'll not be back for a second bite of that cherry afterwards.

    5. Anonymous Coward
      Anonymous Coward

      The US cannot be trusted with data.

      In principle, few governments can. Signs that you can't trust your government are:

      - inability to affect a law becoming effective (as in all non-direct democracies, despite pretences to the contrary)

      - lack of transparency in how law enforcement operates and corrects errors in their approach (the only place where "what do you have to hide" is a justified question with respect to privacy)

      - overly enthusiastic use of National Security as an excuse to forego the above transparency

      - deficient application of Human Rights, such as retaining DNA after unlawful or erroneous arrests, and (worse) using the presence of such data as "evidence" that the person in question does not have a clean record

      - lack of accountability. For example, nobody went to jail or got as much as a fine when GCHQ was found to break the law, they just caused the laws to be corrected retrospectively. In that context I think we may as well scrap any idea that data is safe in the US, because it simply is not.

      What is happening to Google is something we recognised more than a decade ago, we call it "legal leverage". It is the idea that if you own something or stand higher in hierarchy you can be leveraged to do something that is otherwise impossible to enact - in this case, as Google owns the company and sits above its subsidiaries it is deemed to have access to the information. The fact that this creates a crime in the jurisdiction where the data is located is calmly ignored, US law as well as politics has never bothered to acknowledge the presence of anything outside its borders other than when there's a profit in it.

      The fun part is that this too will play in the re-evaluation of the Privacy Shield agreement in September. As far as I can tell it is becoming more and more costly for the US to keep that in play.

    6. Ian Michael Gumby Silver badge
      Boffin

      @Doctor Syntax ..

      The judge did the right thing.

      The devil is in the details.

      There is no sovereignty issue here. I know that sounds wrong, but you have to understand that its a US court demanding data on a US citizen which can be accessed in the US yet Google is storing it outside the US for whatever reason.

      Were the US court asking for data on a NON US Citizen who never spent time in the US and the data was stored in the country of origin... you may have a case about data sovereignty.

      1. Doctor Syntax Silver badge

        Re: @Doctor Syntax ..

        The concern here is that this is salami tactics. TPTB found in the MS case that things weren't as easy as they thought. They've now gone for a somewhat muddier set of circumstances (rather like the iPhone case earlier). If they win on this they get a precedent which they'll then try to enlarge next time round.

        There are treaties in place to go to the country where the data is held and make their case there; that route is being ignored and one has to ask why. Do they think they don't have a case that would stand up in a court that values privacy?

        US business desperately wants the Privacy Figleaf and when that gets to court, as it will, I'm sure the ECJ will be looking at decisions like this and it will not be to US business' advantage when it does so.

      2. Uffish
        Big Brother

        Re: "a non-US Citizen who never spent time in the US"

        @ Mr Gumby

        You seem to be saying that non-US citizens unconnected with the US should not be spied on by the courts but US citizens living in the US are fair game. That's not the American way you know.

  2. jdoe.700101

    Terms of service

    Given that Googles terms of service refer to "products and services (“Services”). The Services are provided by Google Inc. (“Google”), located at 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States", with the laws of California, USA applying, I'm having trouble understanding how Google has a leg to stand on here.

    Maybe it's time for Google to start using their global offices for more than shuffling income offshore.

    1. Doctor Syntax Silver badge

      Re: Terms of service

      Given that Googles terms of service refer to "products and services (“Services”). The Services are provided by Google Inc. (“Google”), located at 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States", with the laws of California, USA applying, I'm having trouble understanding how Google has a leg to stand on here.

      I think this is a very dubious legal argument. T&Cs, EULAs or whatever cannot overrule statute law. If Google were to provide me with an email service here, outside the US, then I doubt T&Cs would be able to overrule the provisions of local statute law and that includes the local Data Protection law. And if that's the case then in a year or so's time they'll need to be able to comply with the GDPR or face very substantial fines.

      But you are right, of course, in that Google will have to look at their international structure to enable them to comply.

      1. Anonymous Coward
        Anonymous Coward

        Re: Terms of service

        The governing law statement is a tried and trusted legal clause. One that every one of the three qualified lawyers that reviewed our Google contract at work thinks is valid, and one which both of the Google lawyers felt comfortable with.

        GDPR will affect lots of things, but I struggle to see the relevance here.

      2. Andy france

        Re: Terms of service

        This is a similar precedent to US banks back in the late 90's being compelled by the courts to reveal account details of customers in their subsidiaries Swiss banking branches for tax purposes despite that doing so was breaking Swiss federal law. To comply with local laws the Swiss subsidiaries pulled access from their parent firm (not to do so would land them in jail) however the US courts still found the US parent firm to be guilty of contempt of court for not providing the the information and fined them daily.

        Local law always has precedence over laws and terms of service in other countries.

        1. Charles 9 Silver badge

          Re: Terms of service

          "To comply with local laws the Swiss subsidiaries pulled access from their parent firm (not to do so would land them in jail) however the US courts still found the US parent firm to be guilty of contempt of court for not providing the the information and fined them daily."

          So what happens when a multinational company (local to MORE THAN ONE country) gets caught between conflicting sovereign laws such that, no matter what, the company WILL be in violation of AT LEAST ONE, with severe consequences either way?

          1. Korev Silver badge

            Re: Terms of service

            These days the Swiss banks will often refuse to open accounts for Americans or even shut accounts down because of this. This is a big problem for Americans living in Switzerland who just need an account to live.

            1. Charles 9 Silver badge

              Re: Terms of service

              "These days the Swiss banks will often refuse to open accounts for Americans or even shut accounts down because of this."

              And if the person happens to be a Swiss/American dual citizen by birth?

              1. Anonymous Coward
                Anonymous Coward

                Re: Terms of service

                And if the person happens to be a Swiss/American dual citizen by birth?

                They will be treated as American in this context, for the simple reason that a US nationality makes you beholden to US laws and tax, irrespective of where you are on the planet (it's the key reason why so many US citizens were handing back their passports that various embassies had a month-long queue of appointments, and why they have now jacked up the price to do so - a kind of internationalised hostage taking).

                The result is that the management of an ordinary salary account of a US citizen causes so much overhead in paperwork and risk that the bank is unlikely to see a profit from it. As banks are not charities and have no legal obligation to provide service, they take the simplest option and boot the customer instead. US passport holders are persona non grata in quite a few places - banks are not the only entities that don't want to shoulder the burden associated with dealing with US customers.

                I heard rumours that an EU country is toying with the same idea, I think it was Holland. I'm not sure they can, but given the already available evidence of what it did to US passport holders I think it would be a terminally stupid thing to do.

          2. Rich 11 Silver badge

            Re: Terms of service

            So what happens when a multinational company (local to MORE THAN ONE country) gets caught between conflicting sovereign laws such that, no matter what, the company WILL be in violation of AT LEAST ONE, with severe consequences either way?

            The lawyers get rich. Again.

          3. Doctor Syntax Silver badge

            Re: Terms of service

            "So what happens when a multinational company (local to MORE THAN ONE country) gets caught between conflicting sovereign laws such that, no matter what, the company WILL be in violation of AT LEAST ONE, with severe consequences either way?"

            I'm reminded, as so often, of a quote from Yes Minister. When asked whose side he'd be on when the chips were down Bernard replied "It's my job to make sure the chips stay up.".

            In this case it's up to the company to structure its arrangements to avoid the situation you describe. Microsoft's data trustee arrangement is one such. I've suggested a franchise arrangement as another. In either case the power to comply would lie wholly with the local company.

            In fact the very word "trustee" should alert you to a very significant issue here. Companies that hold data on others do so on a basis of trust. Over the years this has been a very important factor in facilitating trade. I don't think governments have quite grasped this trust issue in relation to data. The US govt doesn't seem to have; our own UK govt doesn't seem to have. When they do they'll realise the economic consequences of playing fast and loose with it and at that point we should start to see changes.

            1. Anonymous Coward
              Anonymous Coward

              Re: Terms of service

              Microsoft's data trustee arrangement is one such

              It's kinda funny this, because what you're looking at is a good future way to force tax revenue out of US companies. As they can't operate here without an EU partner they will have to pay an EU Partner, who in turn DOES pay tax.

              Neat.

          4. Uffish

            Re: "gets caught between conflicting"

            What happens is rather painful and very messy, what else would you expect?

      3. JimC Silver badge

        Re: Terms of service

        > ... I doubt T&Cs would be able to overrule the provisions of local statute law and that

        > includes the local Data Protection law...

        If Google's multi national games put them in a place where two countries laws apply and contradict each other, I'm not sure that politicians in either country will be that bothered unless they've been very well 'lobbied'..

  3. hitmouse

    This is consistent with the US's policy of "if we can rendition a person from foreign territory, then they're subject to our laws".

    1. Haku

      Often I've seen Americans refer to their country as 'number 1', although the meaning of that slogan has different connotations outside its borders.

      1. Stevie Silver badge

        #1

        No, the connotation is the same. You just didn't follow the reasoning through far enough.

        "We are number one. All others are number two, or lower." The Sphinx

      2. William 3 Bronze badge

        "Often I've seen Americans refer to their country as 'number 1',"

        Often you say? Absolute bullshit you have

        You're just lying to bolster your shitty argument.

        1. Haku

          @William 3, missed opportunity there, you could've told me to shut up about my 'alt fact'.

        2. Truckle The Uncivil

          @William 3

          The telephone country code for the US is "1".

      3. Uberseehandel

        Number 1's?

        Generally speaking Americans and their nation are usually referred to as Number 2's.

        1. Wolfclaw Silver badge

          or to be more accurate the U.S Of Ass !

  4. Phil Kingston Silver badge

    Interesting that MS way of storing data makes them less susceptible to US legal overreach crap. I'd bet G will be changing their algorithm to a similar arrangement.

    1. localzuk

      With MS, you are using a service of their local subsidiary, and the data is in the local data-centers (well, depending on the service). With Google, you are using their global data-centers, regardless of your location, and you're bound by Californian law doing so.

      For example, my Office 365 tenancy is hosted on UK servers in Cardiff and London. The service is provided by Microsoft Ireland (I believe). So, the USA isn't involved beyond developing the technology and issuing it to its subsidiaries.

      The only time any data ends up in US hands is if I allow their US support team into the account IIRC.

      1. Anonymous Coward
        Anonymous Coward

        For example, my Office 365 tenancy is hosted on UK servers in Cardiff and London. The service is provided by Microsoft Ireland (I believe). So, the USA isn't involved beyond developing the technology and issuing it to its subsidiaries.

        The problem is that the legal counterargument has as yet not been fully tried in court. From a US legal perspective, the fact they you have subsidiaries means they're yours to command, ergo you have the ability to get that data when so summoned.

        Until this has been properly rebuffed in court to establish a solid precedent this is still a wide open risk.

  5. T. F. M. Reader Silver badge

    Microsoft and Google

    I have read the judge's decision and while I feel that some details are not spelled out in it I am guessing that the point is that there are substantial differences between the Microsoft and Google cases.

    Apparently (it is quoted in the decision) when one signs up with Microsoft one states one's location and all the data are "segmented into regions", i.e., stored in the data centers in the same region as the customer. This was the central issue when the US demanded data that was never stored in the US by design.

    It is not clear to me what the "responsive data" were in the Google case, but I am guessing that the customers were American (or at least located in the US) and the fact that the data were stored elsewhere was merely incidental and not a consequence of intentional segmentation.

    It is also not entirely clear to me what information was in fact covered by the warrant. The order mentions "subscriber information" (this, apparently, includes various metadata, search history, location - I can see how this might be treated differently from, say, email contents). Arguably, Google possess this information in their main business location in CA, even if the record is in fact stored in another country (again, for purely technical reasons).

    IANAL, and as I said, not all the details are clear. However, I certainly can see the judge may have a point.

  6. Anonymous Coward
    Anonymous Coward

    The USA is very insular

    Except for:

    - Data

    - Wars

    - Renditions

    - Black ops

    1. Esme

      Re: The USA is very insular

      Yep. Pretty much like the Roman empire. "We're civilisation and the rest are howling barbarians. Hello, Mr King, nice little country you have here, it'd be a shame if something nasty were to befall it, eh? Why, thank you for funding our defence of your borders! Mr/Miss/Ms Pharaoh - terribly sorry, but your grain supplies are vital to our country and your country is so badly run that I'm afraid we are going to have to step in and take you over as you haven;t been toeing our line. No, no, your children will still be Pharaoh - well, the oens we like will be, anyway. Slave! Throw another few malcontents to the wild anmals in the arena, will you? The plebs are getting restless! "

  7. Instinct46

    Easy to avoid

    "if Google was able to pull up the data on its own machines in the US, then it should fall under a US court's jurisdiction"... so if google never pull the data from a computer in the US for the US government, then the data never falls under the US jurisdiction, chicken or the egg?

    1. JCitizen
      Megaphone

      Re: Easy to avoid

      Just don't use Google or operating systems like Windows 10 if you value your privacy. Sure they could still find out anything they want about a private person, but they would have to do good old gumshoe work to get it. Why make it so easy for any government to violate one's privacy? Google just loves getting into everyone's shorts, they are the world's worse company at that. MS is knocking at the door next.

  8. Fruit and Nutcase Silver badge
    Joke

    Whatever/may be/hopefully

    Today's headline

    "Nuh-uh, Google, you WILL hand over emails stored on foreign servers, says US judge"

    Tomorrow???

    <FAKE news>

    Nuh-uh, Google/Big American Corp, you WILL hand over tax due on profits kept offshore, says IRS

    </FAKE news>

    ps: can we have a Trump jnr FAKE news T-shirt icon please

  9. tom dial Silver badge

    Google can appeal the order, probably, and if the appeals court overturns it, they would not have to provide the overseas data (yet). The losing party might appeal to the Supreme Court, which would be more likely to accept if there were a split between circuits. There may be more to come on this, and the earlier Microsoft case.

    My sense is that a prudent prosecutor would do as well as possible with what she can get, and work to search foreign data repositories using the mutual legal assistance treaties that exist, and that the government would work to rationalize those treaties if necessary to allow expeditions foreign evidence seizure in cases where crimes are properly prosecuted in the US, and US evidence seizure for other countries for their prosecutions. It makes little sense to shield evidence based on accidental data storage location for the convenience of a data service, or even intentional storage location for compliance with general data protection laws, even if the search and seizure requirements differ in detail.

    1. Doctor Syntax Silver badge

      "My sense is that a prudent prosecutor would do as well as possible with what she can get, and work to search foreign data repositories using the mutual legal assistance treaties that exist"

      Got it in one.

      Why aren't they doing this? Don't they have a case and are just fishing? Are they too lazy? Are they trying to build precedents to circumvent the inconvenience of doing the work in future?

  10. DougS Silver badge

    There's a simple fix to this

    Create a bunch of legally separate corporations headquartered in any countries in which you store data outside the US. The government will have a much more difficult time forcing Google to hand over data which it doesn't own, housed on servers which it doesn't own.

    OK, if Google owns those subsidiaries outright that might not stop the court, so Google shouldn't stop there. Keep those companies at more of an arm's length - sell shares in the subsidiaries so they truly exist as independent entities, and have a contract with Google to own/operate servers using Google's software and providing services exclusively to Google. If they tried to poke through that they'll get all the managed service providers and their customers filing amicus briefs supporting Google and be fighting a much larger battle!

    1. HotGossip

      Re: There's a simple fix to this

      Microsoft have done something similar for O365 and Azure. Google didn’t think they needed too for their enterprise offerings ... if this judgement holds then this clearly was a mistake ...

    2. JimmyPage Silver badge
      Stop

      Re: There's a simple fix to this

      There is.

      Encrypt everything before it leaves your control.

      Job done.

  11. John G Imrie Silver badge

    Us Judge declairs entire Internet is subject to Islamic Law

    If it can be seen in the US it's under US law.

    So conversely if it can be seen in Saudi Arabia its under Saudi law.

    1. Anonymous Coward
      Anonymous Coward

      Re: Us Judge declairs entire Internet is subject to Islamic Law

      And any servers in the Islamic world would and are subject to those laws. There's nothing wrong with your statement. Furthermore, if you post something deemed illegal in those countries, I'd advise against taking a visit to the Middle East.

  12. Pollik

    You can access them from the UK, too. Therefore they are protected by data protection legislation and the US will have to reissue the warrant in the UK.

    Moral: Judges are not qualified to make decisions that are technically suspect.

  13. Sleep deprived
    Facepalm

    "if Google was able to pull up the data on its own machines in the US"

    Last time I checked, I could read my Gmail messages from any country, regardless of where they were stored (only my mom would hesitate to write, assuming her reply would not reach me abroad ;)

  14. VanguardG

    Terrorists - using old tech? Not likely

    I haven't followed this case - but presumably, it has to with terrorism. Do the dingbats in law enforcement think terrorists who've made their attacks, and presumably are now deceased, are going to email their friends and leave a trail to the rest of the cell? These are the same people who think the terrorists are going to have their real cell phones on their persons during an attack, probably.

    Terrorists are sitting around laughing at this. A: If they're going to email each other, it will be to email addresses in some email system well outside the reach of the nation they're targeting...if they're attacking the US, somewhere in Eastern Europe...there're lots of free-mail providers. It won't be to GMail. They might USE one, but not to communicate with other killers-in-waiting, it'd be for registering at the local pizza joint and other routine use. People aren't restricted to just having ONE phone or ONE email. While they're spending time on this, the real evidence trail is getting colder and colder.

  15. Anonymous Coward
    Anonymous Coward

    But Google messages are stored everywhere...

    Google's tech, if I understand it correctly, replicates multiple copies of the same data in its data centres across the world, so to say it's outside the US is a bit of a stretch. I believe they also "shard" their data so it is split into multiple pieces at the storage level across data centres... Their approach is what is causing problems here. I don't believe the judge has a problem with understanding the technology at all: it's not the same as the Microsoft approach, either, in many different ways.

  16. gnasher729 Silver badge

    "some are trying to hide some pretty shady activity, and at present I have personally no idea how we balance this"

    You could listen to the guys at the NSA. As is there job, they don't care one bit about your privacy, but they care a lot about national security. And the NSA has said again and again that weakened cryptography might help the police sometimes, but because the bad guys can exploit weakened security, it overall is damaging to a nation's security. That's their judgement, and that's even without discussing privacy.

    They say that if you balance crime solving against security, weak security loses. We can obviously say that if you balance crime solving against security _and_ privacy, then weak security totally loses.

    1. Doctor Syntax Silver badge

      "As is there job, they don't care one bit about your privacy, but they care a lot about national security."

      Ultimately national security is not helped by weakening your country's economy. When your country's businesses are at risk from weak security and are no longer thought trustworthy by the rest of the world you have seriously damaged your economy.

      1. dm_dv
        Angel

        @Doctor Syntax

        "Ultimately national security is not helped by weakening your country's economy. When your country's businesses are at risk from weak security and are no longer thought trustworthy by the rest of the world you have seriously damaged your economy."

        Trust but Verification, those are two words a lot of programmers live by...

        The real question is about trust, I personally don't trust Google because Google is the commercial NSA of the future. What you read about in those leaks, time and time again, is that they have been hugely busy leveraging Open Source software "Bugs" when those systems all seem to come with the disclaimer, that they are not at fault - if your Machine blows up or melts down.

        There are Multiple styles of C programming it would seem, some that use SAFE function calls and minimal privilege and others that use UNSAFE function calls but work out to be more secure.

        Ironically the "Bugs" in the X11 Windows manager are getting to be pretty prevalent, so much so I found an exploit only yesterday for brute forcing someone else's X11 display manager and that was aimed at Linux & BSD.

        When they talk about Hoarding cyber-weapons, they are of course referring to the kind of Cyber weapons available to any 15 year old kid sitting in there bedroom waiting to Pwn Microsoft Windows with a copy of Metasploit and Kali Linux!

        An to be clear, things like msf-Venom - aimed at attacking Android handsets is exactly the kind of cyber weapons proliferation they're talking about.

      2. allthecoolshortnamesweretaken Silver badge

        "Ultimately national security is not helped by weakening your country's economy."

        And then some.

        Exhibit A: The Soyuz Sovetskikh Sotsialisticheskikh Respublik. For the younger readers: they used to be big, once upon a time.

  17. Mikel

    Obviously...

    The lesson here is don't leave evidence of crime in an email.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019