Microsoft Corp. won’t be forced to turn over e-mails stored in Ireland to the U.S. government for a drug investigation, an appeals court said in a decision that could affect data security throughout the U.S. technology industry.
The ruling on Thursday overturned a 2014 decision ordering Microsoft to hand over messages of a suspected drug trafficker. The company argued that would create a “global free-for-all” with foreign countries forcing companies to turn over evidence stored in the U.S. The government said a ruling in favor of Microsoft would create a legal loophole to be exploited by fraudsters, hackers and drug traffickers.
The law doesn’t “authorize courts to issue and enforce against U.S.-based service providers warrants for the seizure of customer e-mail content that is stored exclusively on foreign servers,” U.S. Circuit Judge Susan Carney wrote for the majority of the New York appeals court.
The government is considering its options, Peter Carr, a spokesman for the U.S. Department of Justice, said in a statement: “Lawfully accessing information stored by American providers outside the United States quickly enough to act on evolving criminal or national security threats that impact public safety is crucial to fulfilling our mission to protect citizens and obtain justice for victims of crime.”
Microsoft said the ruling is a win for the protection of people’s privacy rights under their own laws, rather than the reach of foreign governments.
“As a global company we’ve long recognized that if people around the world are to trust the technology they use, they need to have confidence that their personal information will be protected by the laws of their own country,” Microsoft said.
The company hopes the ruling prompts the Justice Department to prioritize new legislation, now that it can no longer rely on this statute to gain overseas data, Microsoft president and chief legal officer Brad Smith said in an interview. Microsoft supports a bill called the International Communications Privacy Act that would make people subject to the data privacy rules of the country where they reside or have citizenship, Smith said.
“The government is going to have to decide where it wants to go with this case — we can all spend two years in court arguing about a statute that was passed in 1986 or we can focus our energy on a hammering out a law for the future,” Smith said. “Our view is we should focus on the future rather than argue about the past.”
Members of Congress backing the bill urged its swift passage.
“Today’s ruling clearly calls for Congress to act,” Representative Tom Marino, a Republican from Pennsylvania, said in a statement.
“U.S. companies and consumers need clarity on when and how they are obligated to turn over electronic communications to U.S. law enforcement,” said Representative Suzan DelBene, a Democrat from Washington. DelBene is a former Microsoft vice president and her husband Kurt is an executive vice president of corporate strategy and planning at the company.
The name and home country of the customer involved in the case haven’t been made public.
1986: A Cloud Storage Odyssey
While this case was somewhat overshadowed in recent months by the battle between Apple Inc. and the U.S. government over access to a terrorist’s iPhone, it has been closely watched by the technology industry with more than two dozen companies, including Apple, Amazon.com Inc. and Cisco Systems Inc., backing Microsoft in court.
Cisco said the ruling is important for companies charged with protecting confidential data held outside the U.S.
“It reinforces appropriate safeguards on the U.S. government, and focuses law enforcement on the appropriate use of accepted international agreements,” the company said.
The dispute centered on the Electronic Communications Privacy Act of 1986, a law passed before the widespread use of e-mail, instant messages and Internet-based social networks. Its aim was to protect user privacy and the law didn’t envision the application of warrant provisions overseas, the appeals court said.
As more technology companies sell customers the ability to process and store their data using Internet-based cloud services, information is increasingly being housed in massive data centers around the world, a situation that the relevant U.S. law didn’t anticipate when it was written three years before the invention of the World Wide Web.
“It is even more important for Congress and the Executive Branch to come together to modernize the law,” Microsoft said. “We hope that today’s decision will bring an impetus to faster government action.”
The ruling was another setback for the government in disputes over privacy of data. In February, a federal magistrate in Brooklyn, New York, said the government lacked authority to force Apple to help it crack an iPhone that belonged to a drug dealer. The U.S later dropped its appeal of the ruling after it obtained a passcode to the phone.
The Justice Department and Apple also squared off over access to the iPhone used by a shooter who with his wife carried out a December attack in San Bernardino, California. Through independent means, the U.S subsequently gained access to the data in that device as well, ending the legal fight.
Microsoft, and its partners and rivals, had argued that giving the U.S. government access to data stored overseas could create a chilling effect on the rapidly growing cloud technology sector and push international clients, particularly in government and highly regulated industries, to avoid U.S. cloud providers.
The process of requesting evidence through foreign governments can be time-consuming. American law permits them to get the data directly from U.S.-based companies that choose to store it offshore, prosecutors said.
The case is In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp., 14-02985, U.S. Court of Appeals for the Second Circuit (Manhattan).
By Bob Van Voris and Dina Bass, with assistance from Ian King