Felix Pergande - Fotolia

Tech industry welcomes Microsoft victory in data access case

Tech firms, civil liberties groups and trade bodies welcome what could be a landmark ruling by a US court in protecting the privacy of cloud services

The technology industry has welcomed Microsoft’s victory in its challenge to the US government’s demand to hand over emails stored in Ireland.

The long-awaited decision by the Second US Circuit Court of Appeals is seen as a landmark ruling for protecting the privacy of cloud services and has also been welcomed by civil liberties groups.

US authorities issued a warrant in December 2013 to access emails the US government believed to be linked to narcotics trafficking that were stored in Microsoft’s servers in Dublin, Ireland.

In July 2014, US federal judge Loretta Preska ruled Microsoft had to comply with the data access request, as a US company in control of the data.

But Microsoft appealed against the ruling, arguing that the emails belonged to its customers and that the servers were outside US jurisdiction.

Microsoft is among several big US technology firms that have called for surveillance reforms because of concerns that public loss of trust in technology will hurt their businesses.

“The government’s position in this case further erodes that trust and will ultimately erode the leadership of US technologies in the global market,” Microsoft said in a court filing.

In a unanimous ruling two and a half years after the government warrant was issued, the Court of Appeals has held that a US warrant does not reach data stored outside of the United States.

Welcoming the decision, Microsoft thanked the companies and organisations that had backed its appeal.

Read more about US technology trust concerns

The ruling “makes clear that the US government can no longer seek to use its search warrants on a unilateral basis to reach into other countries and obtain the emails that belong to people of other nationalities,” Brad Smith, president and chief legal officer at Microsoft told the BBC.

“It tells people they can indeed trust technology as they move their information to the cloud,” he said.

Amicus briefs in support of Microsoft were the Open Rights Group, the Center for Democracy & Technology, BSA | The Software Alliance, the US Chamber of Commerce, the US National Association of Manufacturers, and ACT | The App Association.

Myles Jackman, legal director of the UK-based Open Rights Group, said the ruling means US law enforcement agencies must respect European citizens’ digital privacy rights and the protection of their personal data.

“States should not arbitrarily reach across borders just because they feel they can bully companies into doing so,” he said.

“We urge the UK government to take note as the Investigatory Powers Bill will also attempt to create powers compelling overseas companies to do the UK’s bidding.

“We need to establish a firm principle that companies abide by domestic law where they operate, rather than being answerable to every government across the globe that makes demands of them. The established route for requests for data by law enforcement agencies should be through treaties.”

Court rules ‘in favour of privacy’

The Center for Democracy & Technology (CDT) said the ruling tracks closely with the arguments laid out in its amicus brief in support of Microsoft.

“This ruling is a major affirmation that the rights we enjoy in the physical world continue to apply in the digital world,” said Greg Nojeim, CDT director of the Freedom, Security and Technology Project.

“By declaring that a US warrant cannot reach communications content stored abroad, the court ruled strongly in favour of privacy and national rule of law.”

The Appeals Court said the US Congress did not intend the Stored Communications Act warrant provisions to apply extraterritorially and that the focus of those provisions is protection of a user’s privacy interest.

“This was the core of CDT’s amicus filing. Had the Department of Justice prevailed in this case, other countries would follow the US lead and start claiming access to data stored here in the US based on their own laws. It would have been like the Wild West and disaster for privacy,” said Nojeim.

“The decision underlines the need for reform to address legitimate law enforcement demands for data stored abroad. It should spur US congress to act by finally updating the Electronic Communications Privacy Act [ECPA] of 1986 and advancing legislation that would reform the mutual legal assistance treaty [MLAT] process,” he said.

MLATs are agreements designed for law enforcement agencies to receive and provide assistance to their counterparts in other countries, and the US has MLATs with more than 50 countries, including Ireland.

Nojeim said the CDT expects the US government to appeal the decision and that the civil liberties group will continue to advocate for ECPA and MLAT reforms to address the challenge of cross-border data demands.

The US Department of Justice said it was disappointed by the decision and is considering what course of action to follow. If it appeals, the case could then move to the US Supreme Court.

BSA calls for data access framework

BSA | The Software Alliance has hailed the ruling, saying the Appeals Court has sent an important message to technology users that privacy protections and the rule of law apply online just as they do in the physical world.

“The headlines will say that Microsoft won the case; this is also a clear vindication of privacy in the digital age,” said Victoria Espinel, BSA president and CEO.

“BSA members believe in working with law enforcement to stop bad actors, but it has to be done in line with the rule of law. That’s why governments need to create a framework for lawful access to data. Congress has started this process by working on legislation to modernise US laws on government access to data,” she said.

BSA’s amicus brief said that users of data services entrust their sensitive information to third-party providers and that confidence in cloud technology depends on protecting their expectation of privacy. 

BSA also pointed to the need to take foreign sovereign interests into account before seizing information located abroad.

Espinel said the breadth of support for Microsoft’s position in the case was impressive, and included not only other technology groups but the civil society, manufacturers and the Chamber of Commerce.

“This case has repercussions for consumer trust across the economy and around the world. This decision is a win for technology users at the individual and industrial level,” she said.

Improving MLAT process for common global framework

Welcoming the Appeals Court ruling, the Information Technology and Innovation Foundation (ITIF), a tech policy think tank, said it had argued around two years ago that the question was not whether the US government can gain lawful access to this data, but rather the process it should use to do so.

“Instead of using a search warrant, the US government agency in question could have sought access to this account information using its MLAT with Ireland,” said Daniel Castro, ITIF vice-president.

“While this ruling helps clarify an important question about the privacy of data stored in the cloud, more reforms are still needed to prevent negative consequences from this decision,” he said.

According to the ITIF, the risk now is that foreign governments may try to force companies to store data inside their borders to make it impossible for US officials to execute a search warrant, which would raise costs for consumers and limit innovation.

To address this concern, the ITIF said US Congress and the administration should accelerate efforts to improve the MLAT process and create a common global framework for lawful government access to data stored in the cloud.

“Improving the MLAT process would allow the US to develop rules that would meet the needs of law enforcement agencies operating in a digital world and keep the US tech sector competitive globally,” said Castro.

“By working to create a global intergovernmental data access pact, the US can reassure people at home and abroad that it respects privacy and civil liberties, while also allowing the US tech sector to thrive and not diminishing legitimate law enforcement capabilities,” he said.

Read more on Privacy and data protection