Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Privacy

Microsoft Victory in Overseas Data Privacy Case Stands

San Francisco – A federal appeals court on Tuesday reaffirmed Microsoft’s legal right to refuse a US government order to hand over data stored overseas in a case with important privacy implications.

San Francisco – A federal appeals court on Tuesday reaffirmed Microsoft’s legal right to refuse a US government order to hand over data stored overseas in a case with important privacy implications.

A divided panel of judges in New York denied a petition by the US for a rehearing of a ruling last year in a case pitting Microsoft against the government over data stored in servers in Ireland.

The case has been watched closely for its implications for privacy and surveillance in the digital age.

The December 2013 warrant directed Microsoft to turn over the contents of an email account used by a suspected drug trafficker.

Redmond, Washington-based Microsoft handed over account information it kept on US soil, but said the content of emails was off-limits because it was stored on servers in Ireland.

Microsoft chief legal officer Brad Smith welcomed the ruling while noting that “we need Congress to modernize the law both to keep people safe and ensure that governments everywhere respect each other’s borders.”

Many privacy and digital rights activists have supported Microsoft as a way of guarding against overreach by the US government, although some say the implications of the case are not clear.

Reaching beyond borders

Advertisement. Scroll to continue reading.

Concurring and dissenting justices on the panel agreed that Congress that the 1986 Store Communications Act (SCA) that was at the heart of the case should be modified by Congress to better balance privacy, crime-fighting, and national security.

Judge Susan Carney said Congress did not intend for the law to apply “extraterritorially,” or outside US borders, and disputed the government’s argument claiming the data remained domestic because it could be accessed by Microsoft.

“Mundane as it may seem, even data subject to lightning recall has been stored somewhere, and the undisputed record here showed that the ‘somewhere’ in this case is a datacenter firmly located on Irish soil,” she wrote in a concurring opinion.

Judge Dennis Jacob said in a dissent that the US was essentially not reaching beyond its borders when the information it sought was in easy grasp of a Microsoft computer terminal in Redmond.

If the recipient of a legal warrant “can access a thing here, then it can be delivered here” and it should not matter where the “ones and zeroes” are located in cyber space, Jacobs reasoned.

“Localizing the data in Ireland is not marginally more useful than thinking of Santa Claus as a denizen of the North Pole,” Jacobs wrote.

“Where in the world is a Bitcoin? Where in my DVR are the images and voices? Where are the snows of yesteryear?”

Judge Jose Cabranes wrote in dissent that the negative consequences of the panel’s decision could thwart law enforcement efforts and impede efforts to protect the US and its allies.

“The panel majority’s opinion has created a roadmap for even an unsophisticated person to use email to facilitate criminal activity while avoiding detection by law enforcement,” Cabranes wrote.

While Microsoft has received backing from most technology allies and digital rights groups, some activists say the case is far from clear-cut.

Jennifer Granick of the Stanford Center for Internet and Society has argued that a Microsoft win could mean these cases are decided in countries with fewer privacy protections, and drive more companies to “localize” data in places where authorities can’t access it.

But Greg Nojeim of the Center for Democracy and Technology said a ruling for the government “could have resulted in chaos and a privacy disaster.”

Nojeim said that tech firms under such a ruling “would have been subject to conflicting obligations to an even greater extent than is the case today, and users’ communications privacy could become, over time, subject to the whims of not just the US government, but also other countries seeking their data.”

Related Reading: Microsoft, U.S. Clash in Court on Overseas Email Warrant

Written By

AFP 2023

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Privacy

Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...

Privacy

Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...

Application Security

Open banking can be described as a perfect storm for cybersecurity. At one end, small startups with financial acumen but little or no security...

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...

Government

The proposed UK Online Safety Bill is the enactment of two long held government desires: the removal of harmful internet content, and visibility into...

Cloud Security

AWS has announced that server-side encryption (SSE-S3) is now enabled by default for all Simple Storage Service (S3) buckets.