News - Microsoft rejects warrant to turn over emails stored overseas

[HEXUS]

Redmond is taking a stand in US courts as it appeals ruling.

Read more.

[crossy]

Wow, that's a turn up for the books - big business being apparently concerned for customers privacy...
... or is it the thought of those customers walking away or, worse still, filing some kind of countersuit in an unfriendly non-US court!

My view on this is a simple one ... Microsoft could (and perhaps "should") freeze that remotely-stored data and in return the US prosecutors should present an appeal to an Eire court. After all - and I realise that this is probably naive of me - if the US case is a genuine one then there should be no objections from their Irish counterparts.

And yes, I realise that the downside of my view is if some unscrupulous company stores their data in somewhere where a US application for access is going to be bogged down, or outright rejected out of anti-US "spite", e.g. Iran, Venezuela, Russia or China.

Good to see that other companies are coming in to support Microsoft, although I would have perhaps expected Google to be keen to support their rival. Unless they've totally gone over to the dark side of course.

[Tpyo]

re: Crossy

Pretty sure it is the latter - after all the data-security issues raised by the whole NSA surveillance thing and more 'revelations' about how much access the US law enforcement has to any data stored/passing through the US, many international companies are wary of using a US data services. What this court order would do is set a precedent such that the US law enforcement could demand any data held anywhere in the world if it is held by a US company, even if this would be (as in this case) a breach of local data protection rules.

As such, if they were forced to hand it over, companies world-wide would know they cannot use any data storage services provided by US companies for any commercially sensitive information, as no matter the local protections they currently can offer based on where it is stored, the US law intends to ride roughshod over these local rules and force the US company to hand it over. Microsoft (with google/amazon/etc.) being concerned about losing a huge chunk of the potential cloud computing market (not to mention email services etc.) are therefore having to challenge this in court or just walk away from a huge potential market.

Re: Your solution - I agree - this is something that was raised originally. There is an existing mechanism for the US court to request the data via the Irish courts. For some reason, the US court thinks it has the right to ignore that and demand the data directly. I'm pretty sure they'd have a lot to say about it if the Irish court did the same (via the EU wing of a company) and demanded data from American companies/individuals held on servers in America by the US wing of the company without any reference to US courts or data protection laws.

[crossy]

As such, if they were forced to hand it over, companies world-wide would know they cannot use any data storage services provided by US companies for any commercially sensitive information, as no matter the local protections they currently can offer based on where it is stored, the US law intends to ride roughshod over these local rules and force the US company to hand it over. Microsoft (with google/amazon/etc.) being concerned about losing a huge chunk of the potential cloud computing market (not to mention email services etc.) are therefore having to challenge this in court or just walk away from a huge potential market.

Good point - the cloud storage angle is a good one since everyone seems to suggest that this is a good future money-spinner. If I was "corporate America" then I'd be leaning on my tame senators hard to get that "US everywhere" idea dropped like a lead brick wrapped in concrete.

Re: Your solution - I agree - this is something that was raised originally. There is an existing mechanism for the US court to request the data via the Irish courts. For some reason, the US court thinks it has the right to ignore that and demand the data directly. I'm pretty sure they'd have a lot to say about it if the Irish court did the same (via the EU wing of a company) and demanded data from American companies/individuals held on servers in America by the US wing of the company without any reference to US courts or data protection laws.

Again a good point, especially that latter part. And building on that, I've got to wonder if it'd be possible for a company to end up in a Catch-22 situation. For example, if you'd got Google with servers in Germany and Homeland Security demands - and gets - personal data on some German national that perhaps they think a terrorist. Trouble is that said suspected terrorist could surely then file a legitimate complaint (i.e. a winnable one!) under German data protection law. So effectively Google would get US sanctions if they refuse, but German sanctions if they comply.

Maybe that US court needs to get a David Bowie/Pat Metheny track played to them by the Irish ambassador. That track obviously being "This is not America"

[Tpyo]

I've got to wonder if it'd be possible for a company to end up in a Catch-22 situation. For example, if you'd got Google with servers in Germany and Homeland Security demands - and gets - personal data on some German national that perhaps they think a terrorist. Trouble is that said suspected terrorist could surely then file a legitimate complaint (i.e. a winnable one!) under German data protection law. So effectively Google would get US sanctions if they refuse, but German sanctions if they comply.

[/URL]"

Exactly, that is pretty much what could happen here - taking the data would be in breach of EU/Irish law if it didn't go via the Irish courts!

[aidanjt]

Exactly, that is pretty much what could happen here - taking the data would be in breach of EU/Irish law if it didn't go via the Irish courts!

And Irish law doesn't allow for divulging broad personal correspondence just for a fishing expedition/piling more hay onto the data mining hay stack. That's why the US prosecutor didn't bother petitioning the Irish courts.

[addz17]

I hate America....

[cjs150]

Another example of why the USA is from a legal perspective a rogue state. I do not know if it is a function of university training or complete parochialism but for whatever reason in general neither US courts nor US congress/senate seem to understand that USA law does not apply around the world and local countries have the right to make and enforce their own laws

[tomthum]

At the end of the day Microsoft will bend to the will of U.S.A??????????
its time people got there act together and banned Microsoft and apple products, and of course Google spy ware, all the large corps spy on us.
time we made a stand my opinion

[shaithis]

I'm fairly sure that even the top brass at Microsoft don't really want to have their digital footprints being tracked to the n'th degree.....

Maybe the move to data centres in these contentious countries could happen en masse. Could end up being a great boost to Ireland's economy!

[Saracen]

Another example of why the USA is from a legal perspective a rogue state. I do not know if it is a function of university training or complete parochialism but for whatever reason in general neither US courts nor US congress/senate seem to understand that USA law does not apply around the world and local countries have the right to make and enforce their own laws

No, it doesn't, but it does apply to US companies.

This highlights one of the conflicts in the internet world. States have borders but much of the net doesn't.

As far as I'm concerned, the BIG issue in this is a red flag for consumers .... be careful who you trust with your data, and FIND OUT who can (legally) access it. Because it might well be a lot more than you thought .... or intended. Or are comfortable with.

I've been banging on on here about data security for ages, often to be met with "tinfoil hat brigade" type responses. But the simple FACT remains that any data you let out of your control is, ultimately, out of your control. The ONLY way to be sure it's not going to end up in the hands of someone you don't want it to, whether that be an international crime gang or a foreign government is to not give it out in the first place.

Suppose, for example, you hand shopping transaction data over to a UK company like XYZ Supermarket. Did you check their privacy policy? Notice the bit where it says it may be processed by "partners", with the restriction that it'll only be used for the purposes it was given? Well, XYZ Supermarket, and their partners, may use it for that purpose, which includes marketing. But the market research company happens to be a US firm, and that privacy policy said "might be transferred out of the EU/EEA", so it's on Irish servers, run by a US company, and at the very least, is at risk of being subject to a US search warrant or court order.

If you don't want to risk the US, or any other government, being able to get holds of your data, don't put it on someone else's servers. Period.

[ZaO]

I feel the same as Saracen. Whatever data you send/recieve accross the net - assume that literally anyone could potentially see it. I think it's the only way to do things. There's no way you can properly keep track of your data. It's impossible. Same goes for what's stored locally on your computer, unless it's never ever connected to the net.

Sad thing is. I think a lot of kids today don't even care about this stuff. They were born into this mess, and don't know any different. Maybe the future is having all information in the open. A hive mind. It might not be a bad thing in the end. This could just be the awkward transition to that world. I dunno...

Edit: Seconds after posting this, I just got an email from Microsoft saying:

"We've detected something unusual about a recent sign-in for the Microsoft account *******@outlook.com. For example, you might be signing in from a new location, device or app.
To help keep you safe, we've blocked access to your inbox, contacts list and calendar for that sign-in. Please review your recent activity and we'll help you take corrective action. To regain access, you'll need to confirm that the recent activity was yours."

They're brute forcing our accounts guys!

[crossy]

They're brute forcing our accounts guys!

Nah, just yours!

Joking aside, surely the amount of intrusive (i.e. dragnet fishing) that's going on these days should surely encourage some bright sparks to come up with a better way. That Horizon programme this week mentioned something about switching on encryption by default in mail clients - now that sounds like something I'd like to do for personal emails, (i.e. not bothered about the NSA/CIA/MI5/Google/etc reading whatever Sainsbury's wants to send me).

[tomthum]

THAT WILL BE A FIRST
Tom G

[aidanjt]

Joking aside, surely the amount of intrusive (i.e. dragnet fishing) that's going on these days should surely encourage some bright sparks to come up with a better way.

We already had a better way, presumption of innocence, due process, etc. Unfortunately we let ourselves get distracted by 9/11, and opportunistic politicians exploited our vulnerability and fears to slip draconian policies in while we were dazed. Now we have to clean that mess up.

[ZaO]

We already had a better way, presumption of innocence, due process, etc. Unfortunately we let ourselves get distracted by 9/11, and opportunistic politicians exploited our vulnerability and fears to slip draconian policies in while we were dazed. Now we have to clean that mess up.

Exactly!