The Department of Justice (DOJ) and Microsoft's legal battle over data stored on foreign servers has escalated slightly this week, with the former bringing the issue to the US Supreme Court.
As a reminder, in 2013 a New York district judge ordered Microsoft to provide the personal details of a customer undergoing an investigation. Because the data was stored in Ireland, the Redmond giant refused to comply, citing via Deputy General Counsel David Howard that "the U.S. government doesn’t have the power to search a home in another country, nor should it have the power to search the content of email stored overseas." The case was eventually resolved in Microsoft's favour last year, but the Department of Justice wasn't too pleased, and has recently taken a step to challenge the ruling.
The step taken is in regards to the Stored Communications Act (SCA), part of Title II of the Electronic Communications Privacy Act (ECPA) from 1986. This was the piece of legislation that Microsoft successfully argued cannot be applied outside of the United States.
In a post from the firm's On the Issues blog, Brad Smith, Microsoft's President and Chief Legal Officer, states:
It seems backward to keep arguing in court when there is positive momentum in Congress toward better law for everyone. The DOJ’s position would put businesses in impossible conflict-of-law situations and hurt the security, jobs, and personal rights of Americans.
The new law Smith references is last year's International Communications Privacy Act (ICPA), brought forth by Sens. Orrin Hatch and Christopher Coons, as well as Reps. Tom Marino and Suzan DelBene, which seeks to reform the 31 year-old ECPA. From the looks of it, the ICPA seems to be quite similar in nature to the Law Enforcement Access to Data Stored Abroad Act (LEADS), which was proposed in 2015 by Reps. Marino and DelBene.
Besides the time wasted in legal battles, Brad Smith also raises the issue of conflicts of law, namely with the European Union's General Data Protection Regulation, which is set to become applicable from May 25, 2018. In the context of this Union-wide Regulation, it is "illegal for a company to bring customer data from Europe into the U.S. in response to a unilateral U.S. search warrant." The executive also went on state that Microsoft has, in the past, declined to comply with legal orders which are similar in nature to the DOJ's, only it involved a case in Brazil, which was in direct violation of US law. As such "we have been fined, and one of our local employees was criminally charged."
Of the way in which the DOJ is approaching the issue, Smith also said:
The litigation path DOJ is now trying to extend in parallel to legislative progress seeks to require the Supreme Court to decide how a law written three decades ago applies to today’s global internet. The previous decision was soundly in our favor, and we’re confident our arguments will be persuasive with the Supreme Court. However, we’d prefer to keep working alongside the DOJ and before Congress on enacting new law, as Judge Lynch suggested, that works for everyone rather than arguing about an outdated law. We think the legislative path is better for the country too.
The last issues touched upon were the inter-connectivity of smart devices and appliances and the people's rights to be "governed by the laws" in their country. Regarding smart devices, Brad Smith argues that data stored on them, in the case of foreign customers, can presently be accessed by the US government "only when working with the consent of their [the customers'] home government." A reversal of such provisions would be detrimental to a variety of sectors in the US economy, the executive also states.
It is unclear at the moment what the next action of the Supreme Court will be, so only time will tell.
Thanks to Jim K in the forums for the tip!
Update: Regarding the actions of the DOJ, the National Association of Manufacturers (NAM) - the largest such association in the United States - has stated, via Senior VP and General Counsel Linda Kelly, that:
We are disappointed that the U.S. Department of Justice has decided to appeal the Second Circuit's decision in Microsoft v. US. We think the court correctly decided that U.S. law does not permit an extension of warrants outside the United States. Ultimately, Congress can and should act to modernize the governing statutes in this area, which are decades-old. Law enforcement should be able to access digital information in a timely manner and protect individual liberty at the same time. This is achievable through adopting a modern, 21st-century framework like the proposed bipartisan International Communications Privacy Act.
There is as of yet no response from the Supreme Court regarding this request to reconsider the decision.