A far-reaching legal battle between Microsoft and the US government has been rumbling on for many months. It burst into the headlines again on 15 December 2014 when Microsoft unveiled a list of companies, organisations, trade associations and computer scientists supporting its efforts to combat the decision by a US judge compelling it to hand over customer emails stored on a server in Dublin.
The case has serious implications for cloud computing because the ruling by US Magistrate Judge James Francis in New York in April 2014 held that customers of US internet service providers in other countries would not be protected by the laws of their own jurisdictions against investigation by US law enforcement agencies.
As Microsoft general counsel and executive vice president, legal and corporate affairs, Brad Smith puts it: “This case involves not a narrow legal question, but a broad policy issue that is fundamental to the future of global technology.” He argues that if a government “wants to obtain email that is stored in another country, it needs to do so in a manner that respects existing domestic and international laws. In contrast, the US government’s unilateral use of a search warrant to reach email in another country puts both fundamental privacy rights and cordial international relations at risk”.
In response to Judge Francis’ ruling, Microsoft issued a legal brief to the US Second Circuit Court of Appeals on 8 December 2014, which sought to make the company’s case by asking what would happen if a foreign law enforcement agency demanded a foreign company with an office in the US handed over the personal communications of a US citizen.
Microsoft claimed the US government was putting fundamental privacy rights Americans have valued since the founding of the postal service at risk. Unlike letters in the mail, the government was arguing emails stored “in the cloud cease to belong exclusively to you. Instead, according to the government, your emails become the business records of a cloud provider. Because business records have a lower level of legal protection, the government claims it can use a different and broader legal authority to reach emails stored anywhere in the world”.
And it accused the Department of Justice of challenging people’s ability around the world “to rely on the privacy protections of their own governments and laws”.
Microsoft’s mention of the cloud is important because it highlights one of the most intriguing aspects of the case. On that subject, Nigel Hawthorn, European representative at US-based cloud security and enablement services provider, Skyhigh Networks doesn’t pull his punches, suggesting the case “will shape the future of cloud computing”.
He believes governments need to realise their limitations when it comes to trying to impose their laws on the global entity that is the internet “as taking a legal sledgehammer to cloud computing could break it for good”.
The irony is that the US government doesn’t appear to appreciate that the big losers if it gets its way in this case will be US-based companies offering cloud computing services to customers in other markets, such as Europe. A decision which reinforces the primacy of US law enforcement over the independence of foreign jurisdictions will merely serve to deter customers from signing up to US-owned services.
The only people who will benefit in this scenario will be European-based cloud computing providers who will be able to argue they can better protect their customers’ privacy from unwarranted intrusion by US agencies.
But how will it affect the cloud computing strategies of international organisations with a presence in Europe and the US? Now there’s a question.