Security Experts:

Supreme Court Will Hear U.S. Vs Microsoft Privacy Case

World Will Watch the U.S. Government Vs Microsoft Played Out in the Supreme Court

The continuing battle between the U.S. government and Microsoft over access to private emails stored in Ireland is going to the Supreme Court. The case was accepted by the Supreme Court on Monday.

It began in 2013 when the government served a search warrant on Microsoft, seeking emails it believed would help in the prosecution of a drugs-trafficking case. Microsoft handed over relevant information stored in America, but declined to deliver emails stored in Ireland. It argued overreach, claiming that a search warrant could only apply within U.S. borders.

The government went to court to force Microsoft to comply. At first its warrant was upheld, but Microsoft appealed and the U.S. Court of Appeals for the 2nd Circuit subsequently overturned the ruling.

The basic arguments are relatively simple. The government contends that an inability to access evidence pertaining to U.S. means that "hundreds if not thousands of investigations of crimes -- ranging from terrorism, to child pornography, to fraud -- are being or will be hampered by the government's inability to obtain electronic evidence." It holds that the warrant is valid because the actual search would be conducted in the U.S.

Microsoft contends that the relevant law, the Stored Communications Act of 1986, was written in an age that had no concept of private emails being stored in different locations across the globe. But it also claims there are wider issues to consider. "If U.S. law enforcement can obtain the emails of foreigners stored outside the United States," wrote  Microsoft's president and chief legal officer Brad Smith in a blog post yesterday, "what's to stop the government of another country from getting your emails even though they are located in the United States?"

The current laws were written for the era of the floppy disk, he added, "not the world of the cloud. We believe that rather than arguing over an old law in court, it is time for Congress to act by passing new legislation, such as the International Communications Privacy Act (ICPA) of 2017."

Writing in the Volokh Conspiracy blog yesterday, George Washington University law professor Orin Kerr points out that it is unusual for the Supreme Court to hear a case without lower court split. "It's typical for the justices to wait for lower courts to divide on an issue before they will step in," he wrote. "Relying on splits uses lower-court disagreement as a signal for the kind of difficult and important issues that the justices need to resolve." It is, he suggests, "a recognition among the justices of the tremendous importance of digital evidence collection. Whatever the right answers are, the justices need to provide them."

While the drama is being played out on the U.S. legal stage, it is being watched closely around the world -- and no more so than in Europe. Europe has a different attitude towards privacy than the U.S., typified first in the European Data Privacy Directive, and now in the European General Data Protection Regulation (GDPR). Both require that European personal data should not be exported to a location with lower privacy protections than in Europe. The U.S. is considered one such location.

To get round this potential impasse, Europe and the U.S. developed a Safe Harbor arrangement to allow American companies to export European data to servers in America; but this was thrown out by the European Court of Justice (the EU's equivalent to the Supreme Court) in September 2015. The primary reason was unfettered access to personal data by the U.S. government. 

Since then the two governments have developed Privacy Shield as a stronger replacement for Safe Harbor -- but Privacy Shield has not yet been tested in the courts. Europe's reaction to the US government's potential ability to unilaterally extract European data from within Europe will test Privacy Shield to the limits.

"In a keenly watched case," summarizes Robert Cattanach, a partner at the international law firm Dorsey & Whitney, "the US Supreme Court has agreed to review a decision by the Second Circuit Court of Appeals that Microsoft did not have to turn over user data stored overseas in response to a search warrant issued under the Stored Communication Act. The case pits the interests of law enforcement access to information against concerns over government overreach, and could have ramifications globally as other nations likely will adapt their policies regarding access to information stored in other countries based on what the US Supreme Court decides. Privacy advocates have decried the prospect of borderless search authority by governments across the world, while law enforcement have painted the specter of criminal activities being shielded by convenient placement of data. All of this is being played out as the European Union continues its review of the Privacy Shield measure that allows the transfer of personal data of EU residents to the US under the presumption that it can be adequately protected."

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.