Apple, Cisco and AT&T all filed amicus curiae briefs on Friday supporting Microsoft in its appeal of a decision requiring it to hand over data about an Irish customer to U.S. law enforcement officials. Verizon filed an amicus brief on Microsoft’s behalf on Tuesday. The case highlights how the advent of cloud computing has technology companies overcoming their competitive differences in order to challenge troublesome data-protection laws.
In this case, U.S. magistrate judge James Francis IV decided that pursuant to the Stored Communication Act, Microsoft must provide law enforcement officials with the contents of an Irish customer’s email, which is stored on servers located in Dublin, Ireland. Microsoft and its peers argue the warrant defies both the Stored Communications Act and numerous international law constructs, including treaties the United States has in place with other countries — Ireland among them — regarding how to handle requests for data about each others’ citizens.
Francis based his decision in part on a rather questionable determination of how data is actually seized from servers and searched:
[I]n the context of digital information, “a search occurs when information from or about the data is exposed to possible human observation, such as when it appears on a screen, rather than when it is copied by the hard drive or processed by the computer.”
Based on this line of reasoning, the tech companies argue, no customer data stored by any service provider anywhere in the world would be safe from local governments so long as the provider could access that server. If individual countries’ laws about data protection don’t apply, nor do treaties or other principles of international law, the very idea of a global computer network is an open invitation for governments to demand that companies with any presence within their countries turn over customer data regardless where those customers or their data are located .
Verizon, in its brief, makes a valid argument against what it calls the judges “novel proposition”:
“[E]ven if the emails would be “searched” only when they are read by law enforcement, the computer on which the emails are stored would be searched when someone tried to find them. In this case, that computer is in Ireland. … Additionally, those emails or the computer they are stored on, or both, would be seized when the original emails were copied. … A search and a seizure thus would necessarily take place in Ireland.”
Because the Stored Communication Act (which was passed in 1986) does not include any suggestion that it applies to the search and seizure of data stored outside the United States, they contend, Microsoft cannot be compelled to turn over the emails of an Irish customer whose emails are stored on Irish servers.
A broader issue for big business
Despite its publicity, though, this latest appeal by Microsoft is just the latest strike in a years-long quest to rework U.S. and international data-protection laws to reflect the realities of cloud computing and globalization. Even before Edward Snowden leaked information about National Security Agency spying, Microsoft and its cloud peers were lobbying Congress to amend the Stored Communications Act (and its parent bill, the Electronic Privacy Communications Act) and the PATRIOT Act in the name of business.
The public outcry stemming from the Snowden revelations has only emboldened tech companies — including Microsoft, Facebook and Google — to step up their challenges. I’ll be speaking with Microsoft Executive Vice President and General Counsel Brad Smith — one of the most vocal critics of U.S. data-protection laws — about these issues and more at our Structure conference, which takes place Wednesday and Thursday in San Francisco.
U.S. companies have long dominated the increasingly important information technology industry, but as more and more of it moves to the cloud, lax respect for international views on data privacy threaten those companies’ positions. European IT companies, especially, are using NSA spying as well as perceived Stored Communications Act abuses to push their own cloud services, and even a return to local storage of email, documents other business data often now stored in cloud services.
There is no love lost between Apple and Microsoft, Verizon and AT&T, or the Electronic Frontier Foundation (which also filed an amicus brief in the Microsoft case) and any of these companies, but they’re all able to see eye to eye on the issue of data-protection laws that are bad for individual privacy and, therefore, bad for business.