Blog Post

Apple, Cisco, AT&T join Microsoft in fight against global search warrant

Stay on Top of Enterprise Technology Trends

Get updates impacting your industry from our GigaOm Research Community
Join the Community!

Apple(s aapl), Cisco(s csco) and AT&T(s t) all filed amicus curiae briefs on Friday supporting Microsoft(s msft) in its appeal of a decision requiring it to hand over data about an Irish customer to U.S. law enforcement officials. Verizon(s vz) filed an amicus brief on Microsoft’s behalf on Tuesday. The case highlights how the advent of cloud computing has technology companies overcoming their competitive differences in order to challenge troublesome data-protection laws.

In this case, U.S. magistrate judge James Francis IV decided that pursuant to the Stored Communication Act, Microsoft must provide law enforcement officials with the contents of an Irish customer’s email, which is stored on servers located in Dublin, Ireland. Microsoft and its peers argue the warrant defies both the Stored Communications Act and numerous international law constructs, including treaties the United States has in place with other countries — Ireland among them — regarding how to handle requests for data about each others’ citizens.

Francis based his decision in part on a rather questionable determination of how data is actually seized from servers and searched:

[I]n the context of digital information, “a search occurs when information from or about the data is exposed to possible human observation, such as when it appears on a screen, rather than when it is copied by the hard drive or processed by the computer.”

Based on this line of reasoning, the tech companies argue, no customer data stored by any service provider anywhere in the world would be safe from local governments so long as the provider could access that server. If individual countries’ laws about data protection don’t apply, nor do treaties or other principles of international law, the very idea of a global computer network is an open invitation for governments to demand that companies with any presence within their countries turn over customer data regardless where those customers or their data are located .

Verizon, in its brief, makes a valid argument against what it calls the judges “novel proposition”:

“[E]ven if the emails would be “searched” only when they are read by law enforcement, the computer on which the emails are stored would be searched when someone tried  to find them. In this case, that computer is in Ireland. … Additionally, those emails or the computer they are stored on, or both, would be seized when the original emails were copied. … A search and a seizure thus would necessarily take place in Ireland.”

Because the Stored Communication Act (which was passed in 1986) does not include any suggestion that it applies to the search and seizure of data stored outside the United States, they contend, Microsoft cannot be compelled to turn over the emails of an Irish customer whose emails are stored on Irish servers.

A broader issue for big business

Despite its publicity, though, this latest appeal by Microsoft is just the latest strike in a years-long quest to rework U.S. and international data-protection laws to reflect the realities of cloud computing and globalization. Even before Edward Snowden leaked information about National Security Agency spying, Microsoft and its cloud peers were lobbying Congress to amend the Stored Communications Act (and its parent bill, the Electronic Privacy Communications Act) and the PATRIOT Act in the name of business.

The public outcry stemming from the Snowden revelations has only emboldened tech companies — including Microsoft, Facebook(s fb) and Google(s goog) — to step up their challenges. I’ll be speaking with Microsoft Executive Vice President and General Counsel Brad Smith — one of the most vocal critics of U.S. data-protection laws — about these issues and more at our Structure conference, which takes place Wednesday and Thursday in San Francisco.

Brad Smith. Source: Microsoft
Brad Smith. Source: Microsoft

U.S. companies have long dominated the increasingly important information technology industry, but as more and more of it moves to the cloud, lax respect for international views on data privacy threaten those companies’ positions. European IT companies, especially, are using NSA spying as well as perceived Stored Communications Act abuses to push their own cloud services, and even a return to local storage of email, documents other business data often now stored in cloud services.

There is no love lost between Apple and Microsoft, Verizon and AT&T, or the Electronic Frontier Foundation (which also filed an amicus brief in the Microsoft case) and any of these companies, but they’re all able to see eye to eye on the issue of data-protection laws that are bad for individual privacy and, therefore, bad for business.

6 Responses to “Apple, Cisco, AT&T join Microsoft in fight against global search warrant”

  1. It isn’t as if any rational person still believes the USA is a free country. 

    Think about it.  No-warrant wire taps, indefinite detention of citizens without charges, approval of rendition of prisoners and torture, stop and frisk without probable cause, search and seizure without a warrant, no-knock entry, confiscation and destruction of cameras that might have been used to film police acting illegally, police brutality, police shootings that go without  investigation, managed news, and the civil-rights destroying “Patriot” Act.

    Acts of police behaving illegally, with shootings, Tasers, and unwarranted violence now appear almost daily.  Rarely are these offenses punished.  Most often “an investigation” is claimed, but soon forgotten.


In addition, the USA, with 5% of the world population, has 25% of all of the prisoners in the world.  That means the USA has the most people in prison of any nation in history.  Even by percentage of residents incarcerated, not just sheer numbers, USA is # 1

    Does any of that sound like a free country?

    As Dwight D. Eisenhower said about communism, “It’s like slicing sausage.  First they out off a small slice.  That isn’t worth fighting over.  Then they take another small slice that isn’t worth fighting over.  Then another and another.  Finally, all you have left is the string and that isn’t worth fighting over, either.

  2. Madre su Sel

    It seems there’s more than one way to fend off the government invasion of privacy.

    1) Similar to the warrant canary, the Googles, Microsofts, Verizons of the world could leave a note on something you see prominently at login “No government agency, court, or law enforcement entity as requested access to your data as of [date].”

    2) Spread the data across multiple geo-political regions. Like a RAID 5 array, but at the higher level of data itself… not necessarily blocks on disk. You want the data in Ireland? Sure. But without the data in Iceland, Qatar, and Brazil, you won’t be able to do anything meaningful with it.

    3) Watch out because the government could request to seize backups, and then would have everything, including out of scope data from their request.

  3. Derrick,

    > In this case, U.S. magistrate judge James Francis IV decided that
    > pursuant to the Stored Communication Act, Microsoft must provide
    > law enforcement officials with the contents of an Irish customer’s
    > email, which is stored on servers located in Dublin, Ireland.

    Is the judge in the case able to make a request to Microsoft because Microsoft is a U.S. based company? What if the mail server of interest was owned by a company based in a different country (i.e., Ireland) with servers operating in U.S. territory (i.e., Texas)? Would it matter if said servers in i.e. Texas were owned by the Irish company? What if the Irish company did not own these servers but instead leased them from a data center provider who ultimately owns / operates the servers, and what if the data center provider is a U.S. based company? Would the judge cite the same Stored Communication Act to force an Irish company to provide U.S. law enforcement officials with the contents of the server operating on U.S. soil? Such as scenario would be different compared to Lavabit (whereby Lavabit was a U.S. based company running servers on U.S. soil). Alas the cloud opens up more legal permutations. Sigh.

    • Derrick Harris

      A court needs some jurisdiction over a company in order to demand it hand over data. It seems (although, admittedly I need to brush up on the law) that servers based in the U.S. would be reachable pretty easy by demanding the data center owner provide access.