US warrants for digital data extending into foreign soverrign countries.

NY Judge: US Warrant Can Reach Email in Ireland

I haven’t fully formulated my opinion on this, but I’m leaning towards it being a bad idea of the Pandora’s Box variety. With no Hope knocking to get out at the end of the story.

Granted, MS does control, and probably outright owns, the servers that the email is stored on but this seems to me to be a step too far. As far as I know, a warrant couldn’t compell a Microsoft employee to open a file cabinet and express mail a folder to the states. The same principle and protections apply to digital data.

From further down in the article.

Also this, we can’t expect other countries to keep their legal fingers on their side of the border if we don’t. Well, I guess we could, we just won’t have much of an argument to make supporting it.

The authorities from China have exactly the same argument as the US. Which is why this warrant should be thrown out as the garbage it is.

I couldn’t find details on this case, but is it a subpoena against a US-based company for a person who is subject to US law who happens to have data overseas?

In this situation, I wouldn’t really disagree to the subpoena. Basically, if he accesses his emails from the US and commits some crime here, I don’t see why we can’t request the dame data as part of the investigation.

I look at it as a briefcase: If you create documents in Ireland and then bring them to the US and then commit a crime, the US legal system can and will root through those documents. So, why should email you access from the US be any different?

In a similar vein, if my company is issued a subpoena for it’s documents it stores in Mali about the operations in Mali, the company still has to turn them over.

I think the only burden for the subpoena should be that they have to prove he accessed his Irish-based email from the US.

In principle there’s no great difficulty here. The courts of lots of countries regularly make orders having effect outside the jurisdiction. For example, English courts routinely issue “Mareva injunctions” restraining the parties to litigation from reducing their assets below a certain amount (in an attempt to make any judgment unenforceable), and these are often expressed to have effect throughout the world. The key point is not that the assets are within the jurisdiction of the UK courts; it’s that the litigants are, and the UK courts can order them to do, or not to do, things in other countries. In this case the court is ordering Microsoft, a corporation in the US, to do something it has the capacity to do, which is to get some data from an Irish affiliate and disclose in US litigation. The US court can’t directly enforce the order in Ireland - it couldn’t, for example, send bailiffs to Ireland to seize the servers and download the data from them - but it can enforce against Microsoft by, e.g, penalising them for noncompliance.

It’s a separate question as to whether this amounts to a breach of constitutional protections of privacy, protections against unreasonable searches, etc, etc. Maybe it does, but I can’t see that this is connected to the question of where the data is stored.

There may be another issue, though. I’m open to correction by someone who knows what he is talking about, but I have picked up the notion that the EU has tougher data protection laws than the US does, and that entities doing business in the EU may in certain circumstances be required to keep their data on servers in the EU, so as to ensure that the privacy of the data is adequately protected. The integrity of this system is obviously threatened if the US courts exercise powers to call for data from those servers, since the US courts are obviously not bound by, and are not going to respect, EU data protection requirements. So perhaps this could lead to a spat between the EU and the US over data protection standards.

True, a US court can’t compel a Microsoft employee in Ireland to do anything, but that’s not a good analogy.

Microsoft is a US company, located in the US, and doing business in the US. The warrant appears to compel Microsoft to provide the e-mail data, regardless where the server is located, because it is data under the control of Microsoft. Control, rather than physical location, is the determining issue.

So, if it were hardcopy date, stored in a filing cabinet in Ireland, but under the complete control of Microsoft, I could see a warrant issuing in the US to Microsoft, compelling Microsoft to provide that hardcopy.

Microsoft in turn would tell an employee in Ireland to send it over, but that’s not the US court applying US law in Ireland. The order is made in the US, to a US company, doing business in the US.

The real issue here isn’t that the US court can order Microsoft to provide e-mail data under its control, regardless of the location of the server.

The issue, as framed by those opposing the issuance of the warrant, is the degree of privacy afforded to electronic data. They make this clear in the statements quoted in the article:

So, they want strong privacy protections for e-mail. So strong, apparently, that a court cannot order its release.

But what makes e-data so significant that a court should not be able to order its production? Data is data; it shouldn’t be the case that a court can order the production of a hard copy, but if I scan it in, store the pdf on a server in Ireland, then shred the hard copy, the data is now immune from the court’s process.

The basic protection is set out in the 4th Amendment:

[QUOTe=US Constitution]
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
[/QUOTE]

This doesn’t create an absolute right against search and seizure, but rather a requirement that a search can only be done under lawful authority, upon cause being shown to a judge, who issues a warrant.

That basic principle should apply regardless of the form of the data.

But, it appears that the Microsoft supporters want immunity from the power of search set out in the 4th Amendment:

That sounds to me like they want data in the Cloud to be immune from any search requirement at all, which is a considerable stretch.

But what if an Irish court decides that turning it over would be in breach of Irish/EU data protection laws, and tells the Microsoft employee,and all Irish Microsoft employes, and indeed Microsoft itself, that if it’s turned over, they’ll be in contempt of court and they’ll be fined and/or jailed ?

Then the court will revoke the warrant. But we are talking about data that is in Ireland by mere happenstance. The defendant in this case is a US national within the borders of the US. An Irish court isn’t going to raise his rights.

Plus, the linked article states that there is nothing in Irish law which prevents Microsoft from complying with the order.

It could, certainly. There is nothing in Irish law which says that only Irish citizens or Irish residents have rights. An individual with an interest in the data being sought in this case would certainly have standing to bring court proceedings in Ireland looking for an order restraining the Irish affiliate of Microsoft from disclosing the data in breach of the privacy rights guaranteed by Irish law (or whatever). Whether he’d have a strong case for getting the order would depend on the facts and the circumstances and the arguments, but the fact that the plaintiff was neither a citizen nor a resident wouldn’t be a relevant consideration at all, as far as I can see.

If the Irish court made such an order, then presumably Microsoft US would go back to the US court and say “we can’t do what you have ordered us to do; it would breach Irish law; please vary or revoke your order”.

The point is that virtually no criminal defendant is going to have the resources or inclination to petition Irish courts to release the data. Besides, we’re not talking about “an Irish affiliate”. We are talking about Microsoft itself. The relevant servers happen to be in Dublin but Ireland has no other connection to the data.

I presume you mean “. . . not to release the data.”

Many criminal defendants won’t have the resources to petition the US courts either. Besides, the proceedings in Ireland could conceivably cost less than analogous proceedings in the US. Regardless of whether rights are enforceable in Ireland or in the US, I agree that financial and other barriers to the enforcement of the rights are a problem. But those barriers don’t alter the fact that the rights do exist.

Microsoft Ireland Operations Ltd is an Irish-incorporated company which is indeed an affiliate of Microsoft Corporation, a company incorporated in the US State of Washington. I don’t actually know that MIOL owns the servers in Ireland; Microsoft has several Irish affiliates, so they could be owned by one of the others. The chances that they are directly owned by Microsoft Corporation, though, are pretty small.

The point is, the Irish courts have jurisdiction here because (a) the data is stored on servers located in Ireland, and (b) the data is stored on servers owned and controlled by an Irish-incorporated, Irish-resident corporation. The fact that the shareholders of that corporation are in the US and are subject to the jurisdication of the US courts doesn’t exclude the jurisdiction of the Irish courts.

IANAL, but AFAIK the protection is along the lines of “from unauthorized eyes”; it’s supposed to protect people from having their information sold to third parties, and to require companies to erase unused data after a while, protect their servers from electronic attacks, etc. It’s not “you can’t give the data to anybody” or “you have to store it in a server that’s physically here” but “you can only give access to authorized parties and must do your best to protect it from unauthorized access”.

Think of it as HIPAA for general data.