Microsoft ruling limits government access to data stored overseas
Tech advocates hailed the decision in a case over access to emails stored on data servers in Ireland as a boon for privacy rights in the Digital Age.
In a decision that curbs the government's ability to seize data overseas, a US appellate court ruled Thursday that federal investigators cannot force Microsoft to turn over emails stored in an Irish data center.
Civil liberty advocates and tech companies praised the ruling in the case that many viewed as a litmus test for digital privacy as American consumer and corporate information is increasingly housed in servers around the globe.
"It definitely sets an important precedent," said Tor Ekeland, a New York City attorney who specializes in computer law. "It's a victory for privacy rights across the board and, in my mind, it's proof that the ubiquity of computers is changing what the Fourth Amendment means."
The case that dates back to 2013 when Microsoft refused to give the Department of Justice the emails of a suspected drug trafficker whose nationality has not been identified. The tech giant refuted the search warrant but a federal magistrate judge ruled in May 2014 it must give investigators the suspect's emails.
But the Second Circuit Court of Appeals in New York ruled Thursday to overturn that decision. It concluded that under the Stored Communications Act, the government can’t use a US search warrant to obtain a customer’s email stored on servers outside the country.
Microsoft argued that if the US government could force the company to hand over the emails, that would open the door to foreign governments expecting that US tech companies should similarly hand over private data on individuals regardless of where the information is stored.
"This decision provides a major victory for the protection of people’s privacy rights under their own laws rather than the reach of foreign governments," said Brad Smith, Microsoft's president, in a statement. "It makes clear that the US Congress did not give the US government the authority to use search warrants unilaterally to reach beyond US borders."
The Microsoft case had also become central to a growing and often contentious debate over digital privacy between Silicon Valley and Washington. Earlier this year Apple fought an FBI request to help crack encryption on an iPhone used by the gunman in the San Bernardino, Calif., terrorist attack.
The Irish government, 23 media and tech companies, 28 advocacy groups, and 35 top computer scientists filed legal briefs supporting Microsoft in its case against the government. Similarly, tech companies and computer advocates and experts rallied around Apple in its legal battle with the Justice Department.
“The court recognized the vital privacy protections under the [Stored Communications Act], and correctly ruled that the government can’t use a US search warrant to force internet service providers to reach email stored outside the US,” the tech advocacy group the Electronic Frontier Foundation said in a statement.
The decision is a setback to the Department of Justice especially as it faces a growing number of investigation that involve data that is stored in servers located abroad. “We are disappointed with the court’s decision and are considering our options," said the department's spokesman Peter Carr.
The US government’s argument claimed that it was lawfully trying to access information stored by an American company outside the US and quick enough to “act on evolving criminal or national security threats.”
But the court's ruling didn't necessarily make a strong case for user privacy in this particular instance. It instead pointed out that laws that limit government access to data didn't take into consideration the borderless nature of the Digital Age.
In the court's ruling, Judge Susan Carney pointed out that the 1986 Stored Communications Act was intended to "protect user privacy in the context of new technology" and that, at the time, lawmakers didn't envision the advent of cloud computing in which data is stored in global network of servers.
Judge Gerard Lynch agreed, calling the laws “badly outdated,” and urged Congress to act quickly to update them.
“As the concurring opinion points out, our online privacy laws are not the bulwarks of privacy that Congress thought they were when it enacted them in 1986,” said Alex Abdo of the American Civil Liberties Union. “Now is the time for Congress to finally pass reform protecting our privacy in the Digital Age.”