A decision has come down in what may be the first legal challenge to a US search warrant for data stored overseas. In July 2016, Microsoft Corp. won an appeal against the US Department of Justice surrounding law enforcement access to email stored in the cloud on a server in Dublin, Ireland. The three justices in 2nd US Circuit Court of Appeals in Manhattan unanimously overturned the lower-court decision. Now, many journalists, cloud computing companies, and those in law enforcement are watching closely to see if changes to the Electronic Privacy Communication Act are next.
Microsoft Held in Contempt
Microsoft received a search warrant for an email allegedly connected to a narcotics investigation. The company challenged the warrant, arguing that US laws do not apply overseas, and if the law is interpreted this way, Americans’ emails stored in the US may be obtained in legal proceedings by other nations. While the origin of the email was never made clear, the company usually stores data in geographic proximity to its source. In 2014 a district judge required Microsoft to turn over the email and held the company in contempt. The tech giant appealed the case in federal court.
Electronic Privacy Communications Act of 1986
Tech companies, journalism trade organizations, advocacy groups, and the Irish government filed nearly 100 amicus briefs in the appeals case supporting Microsoft. These groups maintain that the legal basis for the Department of Justice’s claim is outdated. The Electronic Privacy Communications Act was enacted in 1986 to prohibit illegal wiretaps and other electronic eavesdropping. EPCA also allows the recording of dialed and received telephone numbers. Microsoft, and its supporters, maintain that EPCA was enacted in a time where there was no cloud. One of the Justices in the appeal referred to EPCA as “badly outdated” and pressed Congress to modernize the Act. The court stated:
“Three decades ago, international boundaries were not so routinely crossed as they are today, when service providers rely on worldwide networks of hardware to satisfy users’ 21st-century demands for access and speed and their related, evolving expectations of privacy.”
All three judges overturned the lower-court decision.
What Happens Next?
Microsoft President and Chief Legal Officer Brad Smith said of the ruling:
“…It ensures that people’s privacy rights are protected by the laws of their own countries; it helps ensure that the legal protections of the physical world apply in the digital domain; and it paves the way for better solutions to address both privacy and law enforcement needs.”
The US Department of Justice has not said they are done with the legal fight. Cloud computing technology has outpaced many legal regulations on electronic privacy. Data stored in the cloud, like the Microsoft email in question, is not saved on a local user’s computer or even a typical Internet Service Provider (ISP) server. Cloud clients’ data may be stored inside the US or in the EU or any other place the vendor does business. Treaties, described by some in law enforcement as awkward to navigate, exist between the United States and European Union countries outlining how cross-border information is shared in criminal cases. Cloud privacy advocates, like those supporting Microsoft’s legal argument, say US legislation needs a reboot.
A federal appeals court in Manhattan, supported Microsoft Corp.’s appeal to ignore a warrant the U.S. Department of Justice for an email stored in the cloud in Ireland. In what may be the first challenge to data stored oversees, many who rely on cloud computing (tech companies, journalists, and privacy advocacy groups) are calling for an update to the Electronic Privacy and Communications Act of 1986. The court agreed with Microsoft that data stored overseas does not fall under US law.
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
- Architecture (Domain 1)
- Legal Issues: Contracts and Electronic Discovery (Domain 3)