Data Privacy At The Supreme Court: Can U.S. Seize Emails Stored Abroad?

rgMekanic

[H]ard|News
The U.S. Supreme Court is hearing a case today that will have significant impact going forward. NPR is reporting that the Supreme Court is hearing the case, United States v. Microsoft, which involves a federal drug-trafficking investigation where law enforcement obtained a warrant for all the data associated with the suspect's Microsoft account. While Microsoft turned over all the data it had that was stored in Redmond, Washington, they refused to disclose the content of the emails, as they were stored in a data center in Ireland.

While I'm the last one to think government should have more power, I actually agree with the U.S. on this one. Microsoft is based in America, the data is on Microsoft servers under Microsoft control. We will have to see how it plays out. Thanks to MrCaffeineX for the story.

Siding with Microsoft in this case are a raft of major tech companies, including Amazon, Apple, Facebook and Google. They point out that the public did not even have access to the Internet until 1989 and the "World Wide Web" didn't exist until 1991. Nor were emails stored after they were received. So Congress could not have intended to cover data that is stored forever in a cloud.
 
Is there some kind of treaty or agreement that Ireland has to give up property to the US?

Judging by Google and Apple's accounting, that answer is likely no.

TS.
 
While I'm the last one to think government should have more power, I actually agree with the U.S. on this one. Microsoft is based in America, the data is on Microsoft servers under Microsoft control.

So like you are cool with the notion that if MS puts a server in Russia, they really should provide all your data to the Russian government. Got it.
 
Better let the US Government know that if they do win this it goes both ways: the Chinese Government could sue Microsoft China in the same way to gain access to US servers, then the same goes for Google and Apple and any other web-based service. Microsoft, Google, Apple, GE, Intel: none of these companies are American companies any more. They operate all over; they are not people, they are sprawling entities that exist globally. The only defense against this would be to spin off each country's division into their own company, then have them all exist under a parent shell corporation operated out of numbered offshore corporations.
 
It's an interesting case for sure if MS wins. One could even go as far as fragmenting each email up into multiple data chunks and storing each chunk in a different country. One chunk would be gibberish without the others. A single warrant would only get you partial data.
 
The WSJ (paywall) has an excellent opinion piece siding with the U.S. as well.

"In Morrison (2010) and RJR Nabisco, Inc. (2016), the Supreme Court developed a two-step analysis to determine if a law applies overseas.
...If not, the statute is presumed not to be extraterritorial."
The U.S. has precedent and current law on their side. And their approach is common-sense.

It'll be interesting to see how this lands.
 
I have to side with Microsoft in this. If you establish a presence and do business in a foreign country, you have to comply with their laws. You can't keep servers in Europe and decide that you will not comply with their stricter privacy rules.

Is the US government going to pay for all the fines that Microsoft may be liable for if they break EU privacy laws in their EU offices?
 
I have to side with Microsoft in this. If you establish a presence and do business in a foreign country, you have to comply with their laws. You can't keep servers in Europe and decide that you will not comply with their stricter privacy rules.

Is the US government going to pay for all the fines that Microsoft may be liable for if they break EU privacy laws in their EU offices?

But what about the fact that the data originated in the US by a US citizen?
 
So like you are cool with the notion that if MS puts a server in Russia, they really should provide all your data to the Russian government. Got it.
Apparently you are cool with the idea that a Russian Government "warrant" would allow the Russian Government to require your emails stored on US-based servers? After all, most international law is based on the concept of reciprocity. This is the foundation of most of the amicus briefs filed in this case.
 
But what about the fact that the data originated in the US by a US citizen?
They got the data from the US citizen while he was in America, but not from his time in Ireland. The sad thing is the US government can request that information and they would get it; the existing legal treaties between the US and Ireland would grant them this with few hurdles and minor red tape, but apparently the process takes too long as the departments on both sides that deal with the paperwork are too bogged down. So the US Government is looking to find a shortcut around their own laws and treaties. This is another classic example of the Government reacting to a symptom and not the cause.
 
It's an interesting case for sure if MS wins. One could even go as far as fragmenting each email up into multiple data chunks and storing each chunk in a different country. One chunk would be gibberish without the others. A single warrant would only get you partial data.
Google already does this
 
Better let the US Government know that if they do win this it goes both ways: the Chinese Government could sue Microsoft China in the same way to gain access to US servers, then the same goes for Google and Apple and any other web-based service. Microsoft, Google, Apple, GE, Intel: none of these companies are American companies any more. They operate all over; they are not people, they are sprawling entities that exist globally. The only defense against this would be to spin off each country's division into their own company, then have them all exist under a parent shell corporation operated out of numbered offshore corporations.

But it doesn't go both ways.

Even using Google, Amazon and MSFT, China has isolated their own clouds, data and server infrastructure so they retain control (encryption keys, physical servers, etc.). Demands for U.S. data via a Chinese subsidiary aren't the same. Your example is very different from a corporation like Google or MSFT electronically 'optimizing' a user's data or splitting it into shards across extraterritorial boundaries via algorithm.
 
They got the data from the US citizen while he was in America, but not from his time in Ireland. The sad thing is the US government can request that information and they would get it; the existing legal treaties between the US and Ireland would grant them this with few hurdles and minor red tape, but apparently the process takes too long as the departments on both sides that deal with the paperwork are too bogged down. So the US Government is looking to find a shortcut around their own laws and treaties. This is another classic example of the Government reacting to a symptom and not the cause.

Ah, I didn't get that from the article, I was under the impression that Ireland just happened to be where the server farm that housed his emails was located, but that he was physically in Ireland when they were sent.
 
Apparently you are cool with the idea that a Russian Government "warrant" would allow the Russian Government to require your emails stored on US-based servers? After all, most international law is based on the concept of reciprocity. This is the foundation of most of the amicus briefs filed in this case.

That is indeed the exact opposite of my opinion. We have treaties with regards to this shit. Follow them. Mine was a question to the OP with regard to them being ok with it.
 
What's interesting is if this goes through it could mean, in the future, a company could be compelled to do something that's illegal in another country. Like if the law in Ireland is that you cannot export that data without some government signoff. You're based in America, so we don't care if our court system orders you to commit crimes internationally. Sounds like a good way to encourage people to move their headquarters.
 
Removing the "Involving a Computer" issue, if a US citizen buys a book in NYC, ships the book to Ireland where it is stored in a locker owned and operated by a US company, would that US company have to produce the book if served a properly phrased Federal court order at their US HQ?
 
Although I don't plan on committing any crimes in Russia any time soon.

Too late.

Sale, import and production of lace panties is prohibited. Allegedly, lace women underwear does not comply with technical requirements adopted in Russia.

Better watch out for that extradition warrant and pick up some gear from REI for Siberia.
 
Sorry, I don't agree with you. The issue is not about control - it is all about location. If there is a Bank of America branch in Ireland and the feds want to look at account data for someone can they do it because it's under Bank of America control? I don't think any Irish bank customers would agree with that. Or how about a bank lock box - it's under Bank of America control - can a federal agent just fly to Ireland and order them to open it? All existing treaties governing issues like this are about location - not who has control.
 
That is indeed the exact opposite of my opinion. We have treaties with regards to this shit. Follow them. Mine was a question to the OP with regard to them being ok with it.
Understood. I actually realized that after I posted.

Bottom line is this: if the Government prevails in this case they open the door to data demands here from all other nations. That would be bad.

If the data is in Ireland, the Justice department should make a request to the Irish government based on existing treaties or go to the Irish (or EU) courts to try and secure access to it. That's how it's supposed to work. And that's how US courts maintain control of lawful warrants served in the USA.
 
1. This is why I use services such as Proton Mail
2. The government can suck mah dick as usual.
 
But it doesn't go both ways.

Even using Google, Amazon and MSFT, China has isolated their own clouds, data and server infrastructure so they retain control (encryption keys, physical servers, etc.). Demands for U.S. data via a Chinese subsidiary aren't the same. Your example is very different from a corporation like Google or MSFT electronically 'optimizing' a user's data or splitting it into shards across extraterritorial boundaries via algorithm.

Remove China and call it Russia, Saudi Arabia, Venezuela, and so on. If the US justifies that it should have access to servers abroad then other countries should be allowed the same access to that data as well. The same applies to China as well, you're just bringing up an irrelevant topic. China could simply say that a foreign person committed an electronic crime in China and so they want his emails to prove their case.
 
What's interesting is if this goes through it could mean, in the future, a company could be compelled to do something that's illegal in another country. Like if the law in Ireland is that you cannot export that data without some government signoff. You're based in America, so we don't care if our court system orders you to commit crimes internationally. Sounds like a good way to encourage people to move their headquarters.

That's effectively already happening with all the various laws cropping up in the EU and Canada regarding having Google searches censored internationally.
 
Oooo, this could be interesting with the whole GDPR thing in Europe coming in.
MS would have to prove to Europe that any data being handed over doesn't contain any details of European citizens; if it does, they have to follow GDPR guidelines.

Maybe this kinda thing is excluded....but I doubt it
 
USA should have asked Ireland to request the information from the MSFT Ireland division according to the laws of that country, and if legal and granted, then the Irish authorities can provide that information to the US authorities.

Edit: I've spoken with a Microsoft employee (who I don't believe is directly involved in this) and this was their opinion too.
 
If the Russian government had a warrant for all data pertaining to me, then yes. Although I don't plan on committing any crimes in Russia any time soon.

This is the part that could be very interesting. Deciding where control of the communication system rests and using that as justification to avoid filing for the appropriate warrants in territories outside of the United States could have long lasting implications with the advent of the cloud.

I am with you, that as it stands right now, it should be required to obtain warrants in the other countries, but what this really shows is how far behind our technological pace our regulatory and legal mechanisms are.
 
Better let the US Government know that if they do win this it goes both ways: the Chinese Government could sue Microsoft China in the same way to gain access to US servers, then the same goes for Google and Apple and any other web-based service. Microsoft, Google, Apple, GE, Intel: none of these companies are American companies any more. They operate all over; they are not people, they are sprawling entities that exist globally. The only defense against this would be to spin off each country's division into their own company, then have them all exist under a parent shell corporation operated out of numbered offshore corporations.

They are not gaining access to the "servers", they are gaining access to data as per a warrant. Microsoft declined to give up data that happened to be physically stored in another country.

We are at a point where it's fairly stupid to try and use purely physical location of digital data as rules/guidelines in cases like these. Otherwise any law would generally come down to the lowest common denominator.

Right now it seems noble, but this could be a kiddie porn case. Are you really going to say "sorry, he can email pics of your kid because a US company has their servers in North Korea"?

I do agree this is not a simple issue at all; you are right, there are foreign divisions, companies could just leave, etc. Lots of loopholes. Though at the end of the day, if the warrant is against a US citizen (or these days anyone living in the US) and the service/company is based in the US, they should have to comply with data requests even if that data is physically in a different country. Assuming data is mostly accessed from within the country as well.
 
I am curious, can the US government force under warrant an American company (or citizen) to commit a crime in another country?

This question is not about if this is a good or a bad thing. Just can the government do it?
 
Removing the "Involving a Computer" issue, if a US citizen buys a book in NYC, ships the book to Ireland where it is stored in a locker owned and operated by a US company, would that US company have to produce the book if served a properly phrased Federal court order at their US HQ?
No. First, let's replace book with handwritten letter, as communications are protected under a whole slew of privacy laws that simple objects such as books are not, and let's call your company Storage Co and say called Storage Co Ireland... they would still need to follow the process laid out by the Mutual Legal Assistance Treaty, and follow the Stored Communications Act. Microsoft USA has been issued a warrant but Microsoft Ireland has not, and the Irish government is saying that for Microsoft Ireland to comply with Irish laws the data must be obtained through the MLAT.

To quote from the article: "Microsoft argues that an international treaty between the United States and Ireland should prevail and is the only correct way to obtain the emails. Ireland agrees."

If the US government wins the case and forces Microsoft to retrieve the data, they are in essence ordering them to break the laws in another country that they do business in, and Ireland would prosecute them for it. To further your analogy, the letter was not mailed there; the person in question physically traveled there and left that letter in said Storage Co Ireland locker.
 
Is there some kind of treaty or agreement that Ireland has to give up property to the US?

Judging by Google and Apple's accounting, that answer is likely no.

TS.

Are you saying that an American in the US sends email to another American in the US, and because MS contracts with an Irish Company to host email data that this data becomes property of Ireland so MS doesn't have to give it up if ordered by the court to do so?
 
Is there some kind of treaty or agreement that Ireland has to give up property to the US?

Judging by Google and Apple's accounting, that answer is likely no.

TS.
Yes, there is: the US and Ireland both signed the Mutual Legal Assistance Treaty. If they simply follow the rules for this, the data will be provided with the full cooperation of the Irish Government. The US doesn't want to follow this treaty because they say it takes too long.
 
Are you saying that an American in the US sends email to another American in the US, and because MS contracts with an Irish Company to host email data that this data becomes property of Ireland so MS doesn't have to give it up if ordered by the court to do so?
The emails that are stored in Ireland are there because he spent somewhere around a year in Ireland, so while he was there using the service in Ireland the data was being stored on the Irish servers.
 
So like you are cool with the notion that if MS puts a server in Russia, they really should provide all your data to the Russian government. Got it.

You're posing a question that has no relevance at all to the situation.

If a Russian ISP contracts with Amazon Web Services for data hosting, and a Russian Citizen is being investigated for a crime, and his email is on Amazon's Storage Systems, a Russian Court Order for the suspect's email should be legal and honored. This is the flip side of the situation, not what you are proposing as relevant to the case.
 
Ah, I didn't get that from the article, I was under the impression that Ireland just happened to be where the server farm that housed his emails was located, but that he was physically in Ireland when they were sent.
"FIVE YEARS AGO, US law enforcement served Microsoft a search warrant for emails as part of a US drug trafficking investigation. In response, Microsoft handed over data stored on American servers, like the person’s address book. But it didn’t give the government the actual content of the individual’s emails, because they were stored at a Microsoft data center in Dublin, Ireland, where the subject said he lived when he signed up for his Outlook account. In a case that begins Tuesday, the Supreme Court will decide whether those borders matter when it comes to data."
Full Article if you want more information: https://www.wired.com/story/us-vs-microsoft-supreme-court-case-data/
 
I have to side with Microsoft in this. If you establish a presence and do business in a foreign country, you have to comply with their laws. You can't keep servers in Europe and decide that you will not comply with their stricter privacy rules.

Is the US government going to pay for all the fines that Microsoft may be liable for if they break EU privacy laws in their EU offices?

I think it's incumbent on any business to consider all the ramifications of hosting data on foreign soil. Presumably MS did this to save money or to broker a deal, I'll put a data center in Ireland and hire Irish labor and you'll do something for MS in exchange. Regardless, hosting the personal data of US citizens on foreign soil comes with the risk that the US courts may demand that data and if so, they'll have to give it up. If doing so creates a problem with the other government then MS should have thought it through better before entering into the agreement.

In this case, the man it seems was living in Ireland and that's why his data was stored there. If the man is a US citizen, well, Americans live and work all over the world, and we are subject to US law even when we are abroad in many instances.

I was pretty sure about this one, now I am more interested in just seeing how it plays out. In a way, it's just history in the making and setting precedent for how the world is going to handle the future which of course is already here.
 
They are not gaining access to the "servers", they are gaining access to data as per a warrant. Microsoft declined to give up data that happened to be physically stored in another country.

We are at a point where it's fairly stupid to try and use purely physical location of digital data as rules/guidelines in cases like these. Otherwise any law would generally come down to the lowest common denominator.

Right now it seems noble, but this could be a kiddie porn case. Are you really going to say "sorry, he can email pics of your kid because a US company has their servers in North Korea"?

I do agree this is not a simple issue at all; you are right, there are foreign divisions, companies could just leave, etc. Lots of loopholes. Though at the end of the day, if the warrant is against a US citizen (or these days anyone living in the US) and the service/company is based in the US, they should have to comply with data requests even if that data is physically in a different country. Assuming data is mostly accessed from within the country as well.
They are not gaining access to data, they are gaining access to communications. Communications are protected by a number of international privacy laws and it gets really complex, which is why the US and Ireland have both signed the Mutual Legal Assistance Treaty. The sad thing is the US Justice department has been beating on Microsoft on this for 5 years now; the MLAT would have taken a few months, as the backlog is apparently priority based, so things move up or down in the queue based on priority, and Drug & Human trafficking probably puts it higher on that list.
 
The emails that are stored in Ireland are there because he spent somewhere around a year in Ireland, so while he was there using the service in Ireland the data was being stored on the Irish servers.

Yes, I am just catching up to that now myself. Thanx.
 
What? The US Justice Dept is being lazy and trying to find a shortcut? Tell me it isn't so!
 
I think it's incumbent on any business to consider all the ramifications of hosting data on foreign soil. Presumably MS did this to save money or to broker a deal, I'll put a data center in Ireland and hire Irish labor and you'll do something for MS in exchange. Regardless, hosting the personal data of US citizens on foreign soil comes with the risk that the US courts may demand that data and if so, they'll have to give it up. If doing so creates a problem with the other government then MS should have thought it through better before entering into the agreement.

In this case, the man it seems was living in Ireland and that's why his data was stored there. If the man is a US citizen, well, Americans live and work all over the world, and we are subject to US law even when we are abroad in many instances.

I was pretty sure about this one, now I am more interested in just seeing how it plays out. In a way, it's just history in the making and setting precedent for how the world is going to handle the future which of course is already here.

If you are in say Amsterdam and you buy a shit load of drugs and do them all while streaming it to your friends back in the US live would you be arrested upon returning to the states for buying and using drugs? A foreign country is under no obligation to follow US laws and the US has no legal grounds to prosecute you for crimes committed in foreign countries, that is why legal extraditions are such a pain in the ass.
 
If you are in say Amsterdam and you buy a shit load of drugs and do them all while streaming it to your friends back in the US live would you be arrested upon returning to the states for buying and using drugs? A foreign country is under no obligation to follow US laws and the US has no legal grounds to prosecute you for crimes committed in foreign countries, that is why legal extraditions are such a pain in the ass.


I can tell you that US Soldiers will face criminal charges for engaging with prostitutes outside of the US even if prostitution is legal in the country they did it in. You should underline the last three words of my post that you quoted ".... in many instances."

This link isn't the best information on the subject, but it's the best I have time to find at this moment, doors closing, have to go home now.

https://travel.stackexchange.com/qu...tizen-must-obey-while-traveling-even-if-those
 