back to article US Supremes take a look at Microsoft's Irish email slurp battle, and yeah, not a great start

The battle between the American government and Microsoft over emails on an Irish server has reached the US Supreme Court – and so far, the judges seem wary of Redmond's position. Essentially, back in 2014, the Feds went to a court in New York for a search warrant to demand Microsoft hand over an enterprise customer's Office …

  1. Barry Rueger Silver badge

    A Minor Quibble

    Surely, even if American courts chose not to acknowledge it, the article should have addressed the very real question of what a corporation should do if the American law conflicts with data protection law in the country hosting the server.

    1. PhilipN Silver badge

      Re: A Minor Quibble

      Long history. And complex. Used to be banks were the target :

      https://books.google.com.hk/books?id=GNmhsJ44XYEC&pg=PA101&lpg=PA101&dq=gucci+and+chemical+bank&source=bl&ots=NmGTRmoC6o&sig=NMp5X5UVuec-81XWSOEFyd6ggOs&hl=en&sa=X&ved=0ahUKEwj6q_6dhcjZAhUX57wKHX9gDDAQ6AEIXjAF#v=onepage&q=gucci%20and%20chemical%20bank&f=false

      1. BillG
        Holmes

        Re: A Minor Quibble

        It seems the argument boils down to the difference between evidence's "physical existence" verses "physical access".

    2. TheVogon Silver badge

      Re: A Minor Quibble

      "Because it's easy for Microsoft, and other web giants, to move files around the internet. One day, someone's messages and documents could be in Ireland, the next in California, or Canada."

      No it isnt. That would breach the GDPR and cross security domains.

      "And at all times, the data can be accessed by staff in the US."

      No it cant. Microsoft has seperate security regions and remote access to data requires approval of a local data custodian.

      1. Anonymous Coward
        Anonymous Coward

        Re: A Minor Quibble

        Microsoft has seperate security regions and remote access to data requires approval of a local data custodian.

        Something they only started doing after this legal fight began. At the time the government filed the warrant, there were no such limitations AFAIK.

        1. Anonymous Coward
          Anonymous Coward

          Re: A Minor Quibble

          "Something they only started doing after.."

          Max Schrems

  2. PhilipN Silver badge

    "The whole idea of territoriality is strained"

    No, it isn't, and this is a very, very dangerous idea. Elementary to most visitors to this site is the fact that the data may be digital but it is real and for, say, a document on a server in one country to be opened on a system in another country the data has to cross borders albeit electronically.

    The suggestion that the strict territoriality of data is weakened just because it can be moved around (duhh.... like things. And people ...) is disturbingly simplistic.And wrong.

    The real problem is the US courts do not respect any country's borders, except their own - when it suits them.

    1. sanmigueelbeer Silver badge

      Re: "The whole idea of territoriality is strained"

      The real problem is the US courts do not respect any country's borders, except their own - when it suits them.

      Correction: It's the US government who doesn't respect anyone's borders.

      The US government can make rules/laws allowing them to, for example, subpoena the Kremlin if they want to. Remember, there are more lawyers in the US than the whole of Europe combined.

    2. Headley_Grange Silver badge

      Re: "The whole idea of territoriality is strained"

      PhilipN - you're right, but the judge also makes the point about ease of movement and being able to hide data from governments simply by shifting it around.

      An albeit weak parallel is international tax law which was designed to recognize the cross border nature of business and that investment and revenue can take place in different jurisdictions. All good in principle, but the downside is companies and countries gaming it to their benefit. There is a risk that without well considered law companies could game their data storage in the same way. I guess that's why some countries insist on data being stored in their own country.

      I'm not daft enough to believe that the Supremes will be thinking about this when considering this case, but the fact that a company could, in theory, just shift all its data to another country to avoid an investigation is something that we all ought to be a bit worried about.

    3. A Non e-mouse Silver badge

      Re: "The whole idea of territoriality is strained"

      I think the justices' point is that you can move data very easily with the click of a mouse in seconds with no physical activity or trace. Moving a filing cabinet of documents between jurisdictions involves having to shift something physical cross through customs.

      1. Sir Runcible Spoon Silver badge

        Re: "The whole idea of territoriality is strained"

        They're missing the point by a country mile.

        If the US courts decide that they *can* demand US companies hand over data that is stored on servers in other legal jurisdictions then those US companies are going to start losing customers very quickly.

        There are a number of government agencies in various countries who are using Office365 (regardless of whether that is a good idea or not) and this law, if enacted, would give the US carte-blanche to take all that data *legally*.

        Can't see other counties playing along with that, especially once GDPR is in force.

        1. A.F-G

          Re: "The whole idea of territoriality is strained"

          Right on target: this is exactly the point that will kill not only microsoft, but all American cloud providers... so out MS, Amazon, Google,... and all services dependant on them (like Dropbox...).

          What's more, this does apply not only to EU government, but also to all para-public services: universities, healthcare, public transports... and we're not even thinking about defence contractors.

          If this opinion is hold, there would be a nice side effect: on this side of the Atlantic, we would have to develop our own 'in-house' OS, to replace Windows and its cloud components...

          1. Roland6 Silver badge

            Re: "The whole idea of territoriality is strained"

            > there would be a nice side effect: on this side of the Atlantic, we would have to develop our own 'in-house' OS, to replace Windows and its cloud components...

            We would also have to have a non-US located and/or owned alternative to GitHub et al...

  3. Anonymous Coward
    Anonymous Coward

    Curious question, Why were the emails in Ireland in the first place given that the person is in New York and were these not backed up in a data centre state side anyway? Is this just a set up for a government power grab? In the current climate I don't even think I need tin foil for thinking this.

    1. Snorlax Silver badge

      @AC

      @AC:"Why were the emails in Ireland in the first place given that the person is in New York and were these not backed up in a data centre state side anyway?"

      The guy involved was living in Ireland at the time time the account was created...

  4. ExampleOne

    "And the internet service providers can put it anywhere they want and move it around at will.

    Isn't that a fast track to a GDPR breach? At the very least it is completely in breach of EU rules on territoriality.

    1. NightFox

      Doesn't that depend on the type of data? In this case it's an email, so GDPR would only come into play if that email included protected data.

      1. Anonymous Coward
        Anonymous Coward

        Nearly all e-mails contain 'protected data' (not sure what exactly that term means, but I'll guess at Personally Identifiable Information). If an e-mail has an e-mail address then it is PII and subject to GDPR.

        1. dizwell

          An email address is *not* PII.

          If the email address is "bethandtonysterling@gmail.com", does it identify Beth Sterling or Tony Sterling? Or Both? And is it the Tony Sterling living in Manitoba, or the one living in Fife?

          PII can get interesting: "The pregnant lady in Arbuckmansworth" is PII if it happens that there is only one person pregant in the town at the time it's written. But an email address in isolation is almost never going to be PII.

          1. Anonymous Coward
            Anonymous Coward

            "An email address is *not* PII."

            yes it is for the purposes of GDPR. That doesn't mean that 100% of e-mail addresses are PII on their own - a better example is info@microsoft.com. However if you are storing e-mail addresses with no pre-qualification (such as only storing generic business addresses) then it is PII and falls under GDPR.

            The fact that an IP address is considered PII should help make that point.

            1. Anonymous Coward
              Anonymous Coward

              Not entirely. Talking about PII for GDPR is incorrect. An email address is personal information, not personal identifiable information. You are correct that GDPR still applies to it though.

              1. Doctor Syntax Silver badge

                "An email address is personal information, not personal identifiable information."

                Given that the address being targeted is believed by the USG to belong to a specific individual in whom they're interested in either it's a personally identified individual or they've got the wrong address.

  5. arthoss

    wow. if US government wins it might be the death knell of cross-nation cloud and the beginning of even stronger encryption protocols for communication between services.

    1. Anonymous Coward
      Anonymous Coward

      I'm quietly hoping for this, just to see the carnage to our cloud migration project.

      "You know you're now knowingly breaching the DPA/GDPR if you continue with that?" due diligence and all. Popcorn please.

      1. SImon Hobson Silver badge
        Mushroom

        I'm quietly hoping for this, just to see the carnage to our cloud migration project

        I was made redundant last year, but they were already in the process of shoving all customer email accounts off our own server ("look, that's where your emails are located") off onto 365. I repeatedly raised the issue, and was told by our MD that "there's no problem, we've been assured by MS that it's OK". And I never got an answer as to whether they'd mentioned the potential issues to any of the customers.

        AIUI (and I stand to be corrected), it's not possible to access MS services without using DNS and authentication services which are under the control of the US - access is via a convoluted chain of DNS pointers. AIUI an outage we experienced a year or two back was due to an auth server in the USA being down - and if the particular chain of DNS records led you to that one then you couldn't authenticate. So you might have an account with MS in Ireland and data stored in Ireland and not accessible to the US parent. So what if he US parent, because it's been told to by a court, directs the DNS such that you use a US based authentication server - which they can then fiddle with to give them access to your account ?

        I never got an answer to that one either. Just an attitude of "MS says there's no problem, therefore there's no problem". Icon says what some of the customers might do when the worms start crawling out of the tin !

    2. Ben Tasker Silver badge

      > the beginning of even stronger encryption protocols for communication between services.

      More importantly, it may also increase the amount of encryption *at rest*.

      That's what matters in this case. MS could be using future-generation crypto to deliver it to your browser and it'd make no difference because they can still access it on disk to transfer to the US (to comply with a ruling).

      What'll be needed if the Supreme's decide that getting extra-territorial is A-OK is to implement a system where only the user is able to decrypt the data, so that MS cannot provide it even when ordered to. It's been done before (Lavabit used this method, for example), though not (AFAIK) at the scale that MS operate at.

      It's also a logical next-step in the crypto arms race, as it's almost exactly what's already happened with smart-phones.

      I've been toying with the idea of setting something similar up myself for a while (more for the fun of building it), maybe I should try and get around to it sooner rather than later.

  6. LDS Silver badge

    The solution is simple.

    US should do like any other authoritarian regime did: make sure data of its citizens are only stored on servers on US soil. I really don't care what US does to its citizens - they voted their government.

    What I can't accept is US believes it can access any data stored on systems owned, or under control of any US entity - because that "under control" may be very extensive.-, even if they are foreign citizens living in a foreign country and thereby not subjected to US jurisdiction at all. In the CLOUD Act too, foreign citizens data are at risk - because the business companies should file a motion to deny those data within two weeks, and a US court has to accept it. That's unacceptable - and would of course violate several EU laws about data protection, and citizen rights.

    Moreover, if US thinks a new treaty is necessary for the rapid exchange of those information when needed to counter international crime, it has to enter talks first, reach an agreement with all the interested parties, and then write down its own law abiding to the treaty. It can't write laws at its own advantage and then try to force others to accept them.

    And it's worrying that even in a liberal newspaper like the New York Times is misrepresenting the issue (as if US couldn't access Irish-stored data, when simply using the standard procedure would have yield them) - so this is really a wide and big US cultural issue, and fear of the world.

    1. Paul Crawford Silver badge

      Re: The solution is simple.

      "US believes it can access any data stored on systems owned, or under control of any US entity"

      So basically that means Windows 10 then as the EULA and design permits data access?

      Will be interesting if this comes to pass and the whole of Europe it basically told that using Windows on any internet-connected machine for any personal data is now a breach of privacy laws.

      1. LDS Silver badge

        "So basically that means Windows 10"

        That's a thought I had too. Software is "licensed", not "sold", and with Windows 10 Microsoft has the baked in ability to transfer any tile to its US servers. What does "controlled" means in the CLOUD act? Are license clauses enough to protect the customer?

        Of course, this may not be limited to Windows but expand to iOS, Android and other US-controlled operating systems and applications. And what about rented/leased systems? What about the data of employees of a foreign subsidiary of a US company?

        The Supreme Court is risking to open a dangerous can of worms. If I were them, I'd rule that existing international treaties already exist to access those data, and law enforcement agents has to follow them, and if new ones are needed to cope with the new technological landscape, it's up to the government and Congress to make them. I would add that knowingly shifting data to avoid a criminal investigation is already a crime under existing laws - I guess US has laws about knowingly helping to commit a crime, IIRC someone at Deustche Bank was indicted for helping tax avoidance schemes, allthough, as usual in the US, it was "settled" and no one went to jail...

        But that's US, and I'm afraid US judges are terrorized by all those foreign countries inhabited by untrustworthy savages....

        1. Sir Runcible Spoon Silver badge

          Re: "So basically that means Windows 10"

          "knowingly shifting data to avoid a criminal investigation is already a crime under existing laws -"

          So is destroying data that you are legally meant to keep, but that doesn't stop some US authorities doing that very thing and getting away with it. It's all a crock of shit, you can't believe a word these people say.

          1. julian_n

            Re: "So basically that means Windows 10"

            Oh come on now - we all know that Hillary Clinton is greater than the law.

        2. John Brown (no body) Silver badge

          Re: "So basically that means Windows 10"

          "But that's US, and I'm afraid US judges are terrorized by all those foreign countries inhabited by untrustworthy savages...."

          Which is a little odd since most of them trace their ancestry back to the Rest of the World only 2-4 generations back (some more, some less, obviously). Likewise, the large numbers of USAians who identify as American-something based on where their great grandparents came from, and yet there seems to be a growing super-patriotism and an anti-rest-of-the-world sense coming from there. From this side of the pond, the general US attitude seems to be that the rest of the world is either Communist, Socialist, Fascist, Liberal or terrorist breeding grounds (all BAD THINGS(tm) and all need to be either attacked or are fair game for commercial fleecing backed by the might of the USA and the almighty dollar.

      2. Mage Silver badge

        Re: using Windows on any internet-connected

        Using Chrome, Office365, Google Docs, ChromeOS, LinkedIn, Google services / facebook script on your site, Android, Windows, most cloud services, Internet Toys, Streaming services, IoT etc might already be illegal in EU for the user depending on content, and/or the Provider.

        Don't hold your breath for any EU regulator proactive action, especially in Ireland. It will need companies or individuals to bring court cases/.

        1. Doctor Syntax Silver badge

          Re: using Windows on any internet-connected

          "Don't hold your breath for any EU regulator proactive action"

          The nature of regulation varies.

          Fire regulations say what must be provided in terms of protection in buildings with public access and there are provisions for going into premises for inspections to ensure the provisions are in place. That's two different aspects. DPA, GDPR and all the rest have only ever dealt with the first aspect: saying what must be done. They don't have provisions for inspection by the relevant authority. The only thing that the regulators legally can do, AFAICS, is wait for complaints. Would that it were different.

    2. The_Idiot

      Re: The solution is simple.

      @LDS

      "US should do like any other authoritarian regime did: make sure data of its citizens are only stored on servers on US soil."

      But, with respect, the situation is often not that simple.

      For example, the Irish case involved email. So let's say I live in Germany (I don't :-P), and you live in the US, and we have email between us. Are we not then _both_ parties to the data? So should it be stored on US soil, because you're from the US, or European soil, because I'm from Germany? The same logic can be applied to sales records - if you are the US vendor, and I am the German purchaser. The data may well contain 'personal information' on both of us. Where to store it? Well, I'd bet whichever choice you make would potentially be wrong from one of our perspectives. And duplicating it, storing it in _both_ countries, just makes matters worse - at least, so I'd suggest. Of course, I'm an Idiot... (blush).

      1. LDS Silver badge

        "So let's say I live in Germany (I don't :-P), and you live in the US,"

        We have different issues here. One is data knowingly shared with a US entity, which may also be mandate by law to store them, as sales invoices.

        Another is personal or business data not shared with anyone, but stored on systems owned or controlled by a US entity outside US.

        If you send me an email and that's stored in the mailbox of a US citizen on US soil, a valid warrant to access that mailbox will access the emails, and it couldn't be different. I can't see how it could be different from a paper mail or a telephone call.

        Just, if a US law enforcement agency believes you, in Germany, could be an accomplice, and more evidences could be in your mailbox, it should not be able to access your mailbox but following existing treaty and procedures to ask Germany to help in the case, regardless of who owns or control the system.

        If I buy something directly from a US based entity on US soil - say an AR-15 from NRA'r'US - that record will be accessible by a US investigation wit a valid warrant to inspect company records. Just, if they need more data about me because I bought an assault rifle (I know, they are usually OK with that, just an example), they shouldn't be able to ask any data stored on any system a US company may have access to wherever it is. Follow the rule, and ask Interpol or local low enforcement agencies and courts. And don't try to abduct me illegally as CIA did in Milan.

        If I buy from Amazon EU based in Luxembourg - I do expect my data aren't available directly to any US agency at all - OK, I know NSA could access them illegally, but that's another matter, they want to be able to access data legally so they can be used in courts without the hassle of going through foreign paperwork and have to talk to those people with all those strange languages.

        If I have a safe box in a bank in Germany, even if it is controlled by a US company in some way, I can't see how a US policeman could enter and ask to inspects its contents with only a US warrant. Or if I live in a German rented apartment controlled by a US company, could they enter it with a US warrant?

        The actual legislation may be inadequate to cope with data shifted continuously across datacenters - surely new treaties and legislation is needed, but it would be much better it US didn't try to act like the 800 pound gorilla, and look for an agreement that lets domestic investigation proceed, without putting in jeopardy the sovereignty and rights of foreign countries and citizens.

        Making enemies if far easier than making allies.

      2. Mark 85 Silver badge

        Re: The solution is simple.

        Let's ignore email for a moment and consider an exchange of information via snail mail. If one destroys the mails, can they be held accountable? With deleiting email, obviously one can. With snail-mail, you have the mails I sent and I have the mails you sent. With email, it seems like every Tom, Dick, and Harry along the path has a copy.

        As an aside, I wonder what would happen if say a Russian company had a data center in the US and their government would want some data from it....things are going to get messier real fast.

  7. sabroni Silver badge

    Sweet

    So the US is basically saying they're happy for any nation's law to apply to data centres in the US.

    It's goose sauce motherfucker.

  8. Anonymous Coward
    Anonymous Coward

    The US is a megalomaniac nuthouse

    Of course they think they own the world, and can impose their lunacy on the rest of us.

    It is however your choice to put your data on the Cloud - other people's computers you have no control over.

    1. Ben Tasker Silver badge

      Re: The US is a megalomaniac nuthouse

      Whilst it was still their choice, many businesses (in particular) will have done so because of the promises about data not being transferred to another territory (as you need to make sure your provider isn't going to breach data protection laws 'on your behalf').

      If this goes through, it's an absolute game-changer for the industry, as it potentially closes the European market off to US companies. At least as far as B2B sales go. Any company that decides to use them would be putting themselves at risk, so any custom they might see would likely be based on ignorance of the law.

      It's going to be a bugger for anyone currently using them though, as they're almost certainly going to have to plan a migration if the decision goes the wrong way.

    2. Doctor Syntax Silver badge

      Re: The US is a megalomaniac nuthouse

      "other people's computers you have no control over" and over which over governments do.

  9. Charles 9 Silver badge

    If it comes to the point two sovereign powers' laws are irrevocably at arms, the end result is going to be balkanization. Either all US companies will be forced to completely divest all European holdings, or Europe will cut off all American Internet connections to Europe and vice versa.

  10. Doctor Syntax Silver badge

    "You might gain customers if you can assure them, no matter what happens, the [US] government won't be able to get access to their emails,"

    And that might be in the contract with the customer.

    Although statute law might override contract terms I don't see how that can happen if the statute law applies in a different jurisdiction to that in which the contract was agreed.

  11. julian_n

    I can see Swisscom, amongst others, rubbing their hands with glee on this:

    https://www.theregister.co.uk/2013/11/04/switzerland_to_set_up_swiss_cloud_free_of_nsa_snooping/

  12. anothercynic Silver badge

    Lovely...

    And The Notorious RBG delivers yet more common sense. *applauds*

  13. Doctor Syntax Silver badge

    There seems to be an unspoken assumption here that someone in Redmond or Washington has effective direct access to the whole if the entire Irish data centre as if it were remotely mounted as an I: drive.

    I'd certainly expect that an email server is only accessible by the standard email protocols or by someone with the appropriate admin credentials. I'd also expect those admin credentials to be very strictly limited by need so that even the commercial management of Microsoft in Ireland wouldn't have them let alone someone in a different jurisdiction.

    In other words I'd expect the only way the USG's demand could be given practical effect would be by someone physically in Ireland to carry out an act whose legality would depend on Irish law.

    1. LDS Silver badge

      I'm quite sure someone from Redmond could RDP/SSH into an Irish machine and do from there everything an Irish technician would do...

      1. Doctor Syntax Silver badge

        "'m quite sure someone from Redmond could RDP/SSH into an Irish machine and do from there everything an Irish technician would do."

        If the machines are so badly protected from outside access then there's a problem. I've worked on sites where security of personal data was taken seriously. It was segregated on its own LAN. It was only accessible via the production systems that actually needed it (and operated by people with security clearances) or from the computer room. That approach to data security was the essence of their business. I'd expect any large business dealing with personal information to do likewise if it wants to be trusted.

    2. Claptrap314 Silver badge

      You mention "someone" and then debunk "everyone". When I worked at G, (as an SRE), I had the ability to root almost any prod box. (I assume there were a few I did not.) I expect that M$ is the same way, or at least was when this started.

      1. Doctor Syntax Silver badge

        "When I worked at G, (as an SRE), I had the ability to root almost any prod box."

        Are you bragging or apologising for your employer's lax approach to data security?

      2. Ben Tasker Silver badge

        > You mention "someone" and then debunk "everyone". When I worked at G, (as an SRE), I had the ability to root almost any prod box. (I assume there were a few I did not.) I expect that M$ is the same way, or at least was when this started.

        When (not if) a breach happens, that kind of setup will likely be included in the report by the authorities and considered insufficient effort in protecting the data. Anyone who has that level of access, needs to have sufficient justification of why they need that access on an ongoing basis (and there _are_ roles which require it).

        As a matter of best practice, when assessing who needs what access, you should always make sure the decision (and supporting arguments) are properly documented so that you can show the justification if needed. Far better than trying to remember why you decided that Level 1 support needed global root access after an event.

        1. Claptrap314 Silver badge

          G has been slower than most might expect to beef up internal security. The company famously trusts its workers--to the point that, for instance, the quarterly lock on stock sales that is required only of directors and above at most companies applies to all. This came crashing down with the Chinese hack, but it has taken a long time for changes to be identified, agreed, prioritized, and then implemented. But perhaps I need to clarify. It was NOT a free-for-all.

          Yes, as an SRE (one of about 1500), I had root more-or-less anywhere. But to actually use that, I had to "break glass". We had special access keys to do so, and a log of my activity went directly to my manager & to security. In my year and half, I never even considered doing so, except for the regular testing that I could.

          Furthermore, with the advent of GCP, there was a lot of effort going into figuring out what kind of security changes were needed in order to support that market. It would probably be very interesting to sit in on meetings to try to figure out a way to give someone a pager without them having break glass. My comment was about the reality about how one major play was actually doing things at the time that M$ started. I was not implying anything about whether or not such a policy was proper.

  14. BobChip
    Unhappy

    This is NOT "A minor quibble"

    There are fundamental issues of data security and privacy here. If the Court finds against Microsoft - and it looks very likely that they will - the US government will feel free to trawl through any data they like, provided that :-

    a) It is "owned" by Microsoft, for which read produced or transmitted using any MS licensed product, or has passed through MS's hands from other sources, and / or,

    b) Is held on any cloud service operated by any US provider, and / or,

    c) Is "secured" by any cryptographic method provided by a US company.

    I admit I'm not a fan of Microsoft, but no company should be held to ransom in this way. How on earth can they be expected to sell SAAS and claim to provide customer privacy and security under these circumstances? I think I'd be selling my MS shares pretty smartly.

  15. adam payne Silver badge

    The Supremes' early opinions on the matter were released to the public on Tuesday. The transcripts revealed two of the nine justices were particularly scathing of Redmond's claim that the US government cannot lawfully demand access to data stored outside America's borders. The others showed varying levels of concern.

    When will the US government respect other countries borders?

    You can pass all the laws and judgements you want but none if those mean anything outside the US anyway.

  16. Claptrap314 Silver badge

    URGENT: US companies are subject to US law!

    I don't know if I should just give up the drum, but it is fundamental. A company does not get to ignore the laws of its home nation by becoming an "international". People here rightly jeered the double-Dutch and whatever Irish deal was being used to avoid taxes. Why are data production laws any different?

    Certainly, if a company does business in country X, this depends on staying on the right side of the laws of country X. And if it is not possible to comply with the laws of country X and country Y both, then a business decision will have to be made.

    If you don't like our laws, don't do business with our businesses. Please. I would LOVE to see the Balkanization of these multinationals, even though it would cost me money. These companies are entirely too powerful, and there are very, very few ways to address the issue.

  17. mark l 2 Silver badge

    Team America : World Police

    1. sabroni Silver badge

      Fuck yeah!

  18. JeffyPoooh Silver badge
    Pint

    Amicus brief

    Justice Alito said, "...move [the data] around at will."

    Worse than merely "move". They could quite easily smear the data files across storage servers in a dozen countries, hashing it up so that nothing would make sense without reassembling (say) 80% to 90% of the data (to allow for failures). It could very easily become effectively impossible to subpoena data, if the companies chose to play games like that.

    Sorry to be the bearer of bad news, but the rules do need to change to be directed at a point of control.

    I expect downvotes because some people won't like this.

    But it's still obviously true.

    Sorry.

    1. Adam 52 Silver badge

      Re: Amicus brief

      ...But they don't at the moment, and it wouldn't be easy to make a reliable service that does because of all the potential partitions in a multi jurisdiction approach.

      With Google I get to pick EU or US. With AWS I pick regions. Neither allows to movement of data that the Supremes seem to think is possible. Microsoft needs better advocates (or the ever political justices chose not to listen).

      1. Charles 9 Silver badge

        Re: Amicus brief

        Unless they're talking INTERNAL clouds like what you'd likely see in a major multinational software company like Microsoft.

  19. alexmcm

    Just one thought I had. It was America that originated the internet infrastructure, and so they still have a 'we own this' attitude. In a sense they're saying, if you don't like it, go build your own internet... dare you.

    1. Claptrap314 Silver badge

      More like, "if you don't want your stuff subject to our jurisdiction, don't hand it to a company that is in our jurisdiction."

      1. Charles 9 Silver badge

        Which makes for Interesting Times when you discover they're the ONLY company you have available to work with due to one obligation or another.

  20. mhenriday
    FAIL

    US Supremes take a look at Microsoft's Irish email slurp battle,

    and yeah, not a great start

    Unless you're rooting for the American government

    And if you are not, let us remind you that we have drones - and a demonstrated willingness to use them....

    Henri

  21. Frank Oz

    So, the upshot is that the Cloud has gone from being a solution in search of a problem to a problem in search of a solution.

  22. Schultz Silver badge

    'congress should have a look at the issue'

    I guess there is one way the judges can ensure that congress will get its act together: completely block access of US law enforcement to any data stores outside the US. Congressmen would be working in it Tomorrow.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020