Microsoft vs the long arm of US law: Straight outta Dublin

The US government can get access to your data stored outside the United States. A controversial ruling by the New York District Court made it clear earlier this year just how far US warrants can extend. The judge ruled that Microsoft had to hand over customer data it was holding in its Dublin data centre. But this is not the end …


  1. Paul Crawford Silver badge

    Money talks

    Funny how PRISM did not phase the big US companies, but the prospect of losing business did cause some backbone to be shown?

    Really the lesson is don't use any company that is not 100% in our own legal territory, and (especially if you can't do so) make sure all data is encrypted with keys that only our own business has access to.

    Sure that won't stop a court order to gain access, but that raises the bar from simply fishing for stuff to 'probable cause', and you also know about it so can take proper legal steps to defend against the action.

    1. Anonymous Coward
      Anonymous Coward

      Re: Money talks

      Funny how PRISM did not phase the big US companies, but the prospect of losing business did cause some backbone to be shown?

      PRISM did phase the big US companies very much, and precisely because they realized they risked losing business. Why do you think Google and Yahoo have trumpeted that user data is now encrypted? That's also the reason Microsoft went to the trouble of putting its data out of the US…

      1. Wensleydale Cheese

        Spelling

        phase --> faze please

        faze |feɪz|

        verb [ with obj. ] informal

        disturb or disconcert (someone): she was not fazed by his show of anger.

        ORIGIN mid 19th cent. (originally US): variant of dialect feeze ‘drive or frighten off’, from Old English fēsian, of unknown origin.

      2. BillG
        Devil

        Re: Money talks

        the judge granted the warrant, explaining: “If the territorial restrictions on conventional warrants applied to warrants issued [in this case], the burden on the Government would be substantial, and law enforcement efforts would be seriously impeded.”

        Translation: "It would be too hard to get this data legally so screw it, just hand it over, bitch."

    2. kmac499

      Re: Money talks

      The bottom line incentive is always guaranteed to get the attention of US Business, and the US Govt. if it believes others are eating 'their' lunch. (see numerous trade disputes over the years.)

      But this can be a good thing, with climate change rising up the political agenda again, and its twin concern of energy security, the Rockefellers have decided to jump ship from fossil to green energy production investments.

      Call me old fashioned but I suspect that is just as much a case of let's make sure we have a business in the future as any environmental concern.

      Plus there are elections due this November in the US. I expect Microsoft and all the other cloud vendors will have a well stocked fridge of prawn cocktails on standby...

  2. Otto is a bear.

    Contempt

    What this shows is that the US legal process has complete contempt for international agreements, and process. Microsoft is right to fight this, to protect its business, but I suspect it will loose. The US has a history of trying to apply its domestic law outside its borders, to suit its own agenda.

    I have a feeling that shifting your data to non US cloud providers will be a problem as well, firstly, Microsoft and Oracle want your business in their clouds and make it difficult for others to offer a competing service, though MS are changing their approach. As for Amazon and rackspace, well...

    But what about the non-US tier 1 SIs and Telcos, want to bet that the DoJ will attack them through their US subsidiaries next. That's good news for domestic providers, but bad news for multi-nationals who have to operate across borders. I wouldn't be too worried about local security services exchanging information with the US, they will never let the NSA see things that are against their own national interest.

    1. ratfox
      Headmaster

      Re: Contempt

      but I suspect it will loose

      loose → lose

    2. John Brown (no body) Silver badge

      Re: Contempt

      "Microsoft and Oracle want your business in their clouds and make it difficult for others to offer a competing service,"

      The obvious solution is locally incorporated independent franchise companies in each national jurisdiction who then licence the branding and tools and purchase "goods" from a third party holding company, eg the Starbucks model where Starbucks UK makes little to no profit because all its income goes on "running costs" such as the normal ones plus brand licensing paid to Starbucks Netherlands and Coffee bought at high cost from Starbucks Switzerland.

  3. Christoph

    Have the US government explained how they would react if, say, Andorra decided it could enforce an order to grab data from a server in the USA?

    Hang on, make that Grand Fenwick.

    1. frank ly

      Well, if an Andorra based company, run by Andorran resident citizens was selling data storage services and then 'exporting' data to USA based servers, the Andorran government would probably bring sanctions against those citizens if they refused to hand over the data. I doubt that the US government would have any grounds for objecting. The data would not be obtained by Andorra sending in special forces troops with USB sticks, it would be accessed via the internet, under legal compulsion.

  4. Ole Juul

    Better sooner than later

    a UK customer wants to make it harder for the US government to get access to its data, it must encrypt the data and remove every single US company from its IT cloud and data supply chains.

    That last one appeals to me.

  5. frank ly

    Will the German government be sensible?

    " ...the German government reportedly stating that it won’t use data storage from US companies unless the ruling is overturned."

    Overturned rulings can be turned back. New rulings can be made. Do the sensible thing and think about long-term possibilities.

    1. big_D Silver badge
      Big Brother

      Re: Will the German government be sensible?

      My understanding is, if Microsoft lose and Microsoft US has to hand over the data, which "belongs" to Microsoft Ireland, as it is on Irish soil in a data center owned by MS Ireland, as far as I am aware, then the executives in Ireland will be liable to prosecution under EU data protection laws.

      MS will have handed over the data to a third party outside the EU, without a valid EU warrant and without getting written permission from the account holder and anybody identifiable in his correspondence. The account holder could also find himself facing prosecution in the EU for "allowing" MS to hand the data over - although that will probably be the least of his worries then...

      1. Ross K Silver badge

        Re: Will the German government be sensible?

        My understanding is, if Microsoft lose and Microsoft US has to hand over the data...then the executives in Ireland will be liable to prosecution under EU data protection laws.

        Your understanding is wrong. Data is shared and moved across borders all the time.

        What EU data protection laws do you think they could be prosecuted under?

        Anybody using a Microsoft cloud offering should look at the terms of service:

        "Microsoft will not transfer Customer Data outside the major geographic region you specify (for example, from the United States to Asia or from Europe to the United States) except:

        where you configure the account to enable this, including through use of features that may not enable regional selection or may use multiple regions, as specified in the Microsoft Azure Trust Center (which Microsoft may update from time to time but Microsoft will not add exceptions for existing features in general release); or

        where necessary to provide customer support, to troubleshoot the service or to comply with legal requirements."

        If you're a user of the service, that's what you agreed to.

        Tough titty if you didn't read the small print.

        1. big_D Silver badge

          Re: Will the German government be sensible?

          Ross,

          EU Data Protection law says that Microsoft cannot hand the data over to a third party outside of Europe without an EU warrant or written permission.

          That is the problem. Microsoft US might have to concede and hand over the data to US Authorities, but THAT act is illegal under EU law, where the data is held, so they open themselves up to prosecution in the EU.

        2. Steve Todd
          Stop

          Re: Will the German government be sensible?

          @Ross, you seem to have confused commercial law in the form of the EULA with criminal law in the form of the EU Data Protection Directive as implemented in Irish law. The EULA CANNOT remove rights and legal obligations under criminal law. You could write into the EULA that Microsoft have the right to kill you (no one reads it anyway), but criminal law renders that null and void.

          1. A Non e-mouse Silver badge

            Re: Will the German government be sensible?

            @Ross & @Steve Todd

            The EULA CANNOT remove rights and legal obligations under criminal law

            In the UK, a contract cannot override any law. But I believe in America this isn't the case. A quick google shows this page www.law.cornell.edu/wex/contract

            "[The contract] may override many of the rules otherwise established by state law."

            1. I ain't Spartacus Gold badge

              Re: Will the German government be sensible?

              Is that state rather than federal law?

              It also depends on the legal jurisdiction of the original contract. I would expect it to be under Irish law, if the contract is with MS Ireland for example. So that wouldn't apply. Also the companies in question are subject to European Data Protection regulations whatever happens, and can't get out of it. So even if they cock up and agree to a contract under a foreign legal jurisdiction, they can't get out from under their own legal obligations.

              Certainly when I worked for a US multi-national we were legally barred from exporting our German payroll data outside the EU. In fact, I think it might even have been outside Germany.

              A law that even European level management were quite pissed off with, and seriously discussed breaking.

              1. big_D Silver badge

                Re: Will the German government be sensible?

                @I ain't Spartacus

                Yep, financial (tax relevant) data cannot be exported anywhere outside of Germany without a special dispensation from the German Finanzamt.

            2. big_D Silver badge

              Re: Will the German government be sensible?

              @A Non e-mouse

              yes, but we are talking Irish law here, and EU law. Both trump US law in Ireland!

              1. Yet Another Anonymous coward Silver badge

                Re: Will the German government be sensible?

                > Both trump US law in Ireland!

                I think you will find that the only thing likely to trump US law in Ireland is US money

        3. Yet Another Anonymous coward Silver badge

          Re: Will the German government be sensible?

          >or to comply with legal requirements."

          But you generally assume the legal requirements to be those of the country you are doing business in - especially when you specify that the data is to remain in the Eu.

          If I'm allowed to choose which countries laws I apply to all my contracts then life is going to get very easy. Product safety tests in Liberia are a lot easier to pass then TuV's

          1. Anonymous Coward
            Anonymous Coward

            `then' -> `than'

            For ``a lot easier to pass than TuV's'', since we seem to be on a roll in this thread. :-)

        4. John Brown (no body) Silver badge

          Re: Will the German government be sensible?

          "Tough titty if you didn't read the small print."

          Contract small print may not be legally binding unless or until it's tested in court and this sort of thing, which may involve companies, bodies or government agencies with money and lawyers may be one of the things that causes those T&Cs to be judicially tested.

  6. Ross K Silver badge
    Black Helicopters

    Typewriters?

    There is an alternative: the Russian and German governments have recently invested in typewriters following the Snowden revelations, but I’m not sure if that's really going to catch on.

    The only thing I'd say to using typewriters is "good luck with that"....

    Project GUNMAN - the Russians were bugging typewriters in the 70s and 80s, so they are more than likely aware of the disadvantages of going old-school.

  7. Test Man

    Data is held by Microsoft Ireland. It's a separate company in the same way that any other company is separate, albeit ultimately owned by Microsoft Corporation. Judge cannot force Microsoft Corporation to make Microsoft Ireland give them the data in the exact same way you can't force one company to make another company in a completely different jurisdiction to give them data. The judge cannot make Microsoft Ireland do anything. The judge is an idiot.

    1. frank ly

      The judge isn't trying to make Microsoft Ireland do anything. He's trying to make the executives of Microsoft Corporation (USA) do something.

      1. Test Man

        Microsoft Corporation can't do anything though, because Microsoft Ireland are bound by Irish (and EU) laws. The judge is therefore a total idiot in not understanding that.

        1. P. Lee

          >The judge is therefore a total idiot in not understanding that.

          The judge isn't an idiot, he's betting that the Irish will not kick up a stink and that the US will rule the world.

          1. Test Man

            The Irish aren't going to kick up a stink because it doesn't involve them. Understandably, Microsoft (Corporation) are livid at the complete nonsense and are doing nothing. The judge isn't getting anywhere with judgement that is unenforceable.

            1. ratfox

              @Test Man: Welcome to planet Earth

              If Microsoft US ultimately loses its appeal, and faces the prospect of heavy fines for not somehow turning over the data, they will order Microsoft Ireland to turn it over. Microsoft Ireland might well be technically an independent company, but it still has to do whatever Microsoft US tells it to do.

              1. Yet Another Anonymous coward Silver badge

                Re: @Test Man: Welcome to planet Earth

                >If Microsoft US ultimately loses its appeal

                Then Microsoft / Oracle / HP / Amazon etc will effectively be banned from any cloud business in Europe that involves medical, financial, HR or other sensitive data.

                That means a lot of congressmen are going to go without their campaign funds come election time.

    2. Anonymous Coward
      Anonymous Coward

      "Data is held by Microsoft Ireland. It's a separate company "

      Yeah, right. I take it you're a tax lawyer?

      1. Grikath

        @ Robert Long 1

        Nope. Company law.... A company is a *distinct* natural entity, just like a real person, that happens to be able to be "owned" by other natural persons or entities.

        In this case the judge expects an american owner to force an irish "citizen" to break local and EU law, thereby breaking US and EU law, and quite a few international laws, customs and treaties.

        The Judge requires Microsoft US to become an international criminal simply because (s)he knows (s)he hasn't got a paper gnat's chance in hell of getting done what (s)he wants through international legal channels.

        So yeah.. Microsoft is in the right there, as the whole concept is ridiculous.

        1. Anonymous Coward
          Anonymous Coward

          Re: @ Robert Long 1

          "Nope. Company law.... A company is a *distinct* natural entity, just like a real person, that happens to be able to be "owned" by other natural persons or entities."

          A company is not a natural entity, it's just a bunch of people trying to avoid things - risk, responsibility, and so on. Microsoft Ireland is part of Microsoft created only and solely for the avoidance of tax. What the law says about it is of no bearing on reality and those that swallow the line that law makes truth deserve the shafting they get every day from the corporations that pay big bucks to have that law written for them (very specifically, in this case, since it was US rail-baron money that got us the original "corporations are entities" crap).

          1. Yet Another Anonymous coward Silver badge

            Re: @ Robert Long 1

            Microsoft Ireland is created solely to allow them to run cloud services for Eu customers. Obeying local laws like data protection.

            How would US consumers feel if US Toyota had refused to pay up for their American car troubles by claiming that they were a Japanese company and US rules and courts didn't apply to them?

          2. SImon Hobson Bronze badge

            Re: @ Robert Long 1

            > A company is not a natural entity, it's just a bunch of people trying to avoid things - risk, responsibility, and so on.

            That latter bit may well be true, but in law, a company is a "legal entity" in its own right - in a lot of legal areas you can interchange "company" and "person". In this case, previous comments are correct - the legal entity which is holding the data is Microsoft Ireland - a separate entity to Microsoft US. Yes there is a relationship where (I assume) Microsoft (US) owns 100% of the shares in Microsoft (Ireland) - but they ARE separate legal entities.

            Irrespective of what any US court thinks - it would be a criminal act for Microsoft (Ireland) to hand over (or allow to be taken remotely) any of the data. Given the profile, I cannot see the Irish regulators turning a blind eye - and if they did, the EU regulators would then start sticking their nose in.

            Unless MS win their appeal, it's tough either way - they either get stuffed in the US, or they get stuffed in the EU !

            What would make things even more interesting would be if someone (especially the person whose data is being sought) with data held by Microsoft (Ireland) applied to a court for a specific injunction preventing the export of data. You now have two courts ordering complete opposites.

        2. Boork!

          Re: @ Robert Long 1

          That would make the U.S. judge behind this demand guilty of conspiring to break EU law. This requires an immediate arrest warrant!

          Whatever about data-sharing treaties, there are several solid extradition treaties between the U.S. and EU countries. And Mountjoy prison, near the scene of the crime in Dublin, Ireland, is one of the grottiest, foulest, nineteenth century prisons still in existence. He can busy himself picking woodlice from his lumpy porridge.

  8. Desk Jockey

    European data protection

    I would have appreciated an explanation of how European data protection laws have failed in this case?

    If the data is held/owned by a European citizen in a European country then one would assume that the US government forcing disclosure through its US arm would put that company in breach of the European law. I would guess because this qualifies as the company giving data to a third party without the user's consent (the US Govt counts as a 3rd party because it is not a legitimate authority for forcing data disclosure in a European jurisdiction hence it needs to ask a legitimate authority to do so on its behalf). You would have thought Microsoft would argue that a US court cannot force it to break the law in another country.

    However if a US citizen's data is stored in a European jurisdiction, is their data afforded the same level of protection under European law? Of course the US Govt would be able to make a request to that European Govt for disclosure and as it was on a US citizen I would guess it would be amenable to that request, but does the US Govt still have to make that request or is it assumed that the data (by virtue of belonging to a US citizen) comes under US jurisdiction?

    No matter to me, I still wouldn't store any sensitive stuff on US servers, but I am curious to know where the law stands on this. We all already know the US courts have a very loose definition of jurisdiction when it suits them, it is the European side that counts.

    1. Steve Davies 3 Silver badge

      Re: European data protection

      to quote Capt Mannering,

      'silly boy'

      Don't you realize that the US Gov't will get your data if it is held anywhere outside NOK, PRC or Russia (and possibly even in the last two) if it decides that you are a threat to them. It will not matter what local laws are broken in their war against terrorism. Remember 'Extraordinary Rendition'. Despite being illegal that didn't stop it happening now did it?

    2. Yet Another Anonymous coward Silver badge

      Re: European data protection

      The US government can make a request to the Eu company holding the data and try and get an Eu warrant. Them being a US citizen doesn't trump local law any more than being a Russian citizen gives Putin the right to send someone to visit you with a polonium tipped brolly.

  9. Richard Jones 1
    FAIL

    Who Still Has Data In MS Ireland?

    I am surprised that anyone still has real, as opposed to dummy/false data still held by MS Ireland. While e-mails and similar communications might pass via a US parented company, storing data which I take to mean business or personal information in a facility not owned and controlled by the data owner was always going to end badly. Just look at the 'celebrities' who apparently/allegedly stored personal stuff on the web.

  10. Paul Smith

    Do a little research

    This is not about one individual keeping details of their drug deals on a server in Dublin, this is about MS trying to sell Office365 to every company in Europe. It looks like having every European quote, tender, offer, invoice and patent application sitting almost within its reach has proved too much temptation for the greed of US lawmakers and corporations.

    The States has never had a tradition of respecting anyone or anything else, but when the judges are now saying that international treaties are not worth the paper they are written on, you have to ask cui bono? Who is this benefiting?

    1. Anonymous Coward
      Anonymous Coward

      Re: Do a little research

      My employer is well aware of this. We're always looking to keep our data on our servers in our machine rooms.

      I like it, too, because it helps keep me in a job :-)

  11. David Austin

    Non US Cloud partners

    OK, then, Hive Mind:

    If you wanna choose the option of not dealing with a cloud company with a US office or HQ... what are the options?

    A quick bit of Google-fu didn't bring much up, so let's throw some names around - I'd expect them to be screaming "No US Presence whatsoever!" at the rafters, but there didn't seem to be much.

    A possible future review/comparison article, El Reg?

    1. Anonymous Coward
      Anonymous Coward

      Re: Non US Cloud partners

      The simple answer is to provide your own cloud, hosted on your own servers in your own server room.

    2. Anonymous Coward
      Anonymous Coward

      Re: Non US Cloud partners

      Are you assuming that 'cloud' is a requirement rather than a short-term gimmick?

      Host your own data, host your own code, provide your own data protection, and secure your own backups. Et voila - "No US Presence" and you aren't at risk of breaking any EU laws.

  12. Anonymous Coward
    Anonymous Coward

    "This could mean fines for Microsoft."

    A better punishment would be to impose an order ending sales (or give-aways) of Windows 8 until they comply. They could start selling Windows 7 Retail (FPP) again under the order, but zero Windows 8 at all.

    This would be the equivalent of performing public service, such as cleaning up sick in a homeless shelter.

    1. Terry Cloth
      FAIL

      Fines for Microsoft---they're shaking in their boots

      According to the first report I could come up with (USA Today), MS had some $78G in cash 18 months ago. They could pay a $250k/day fine for over 800 years (or probably forever, since that stash would yield $2.1k/day at 0.1% annual interest).

      Of course, the judge could go with contempt of court and jail time for executives....

  13. Anonymous Coward
    Anonymous Coward

    Failed Business/IT model

    Given all this and the other cases we know about, the obvious way to route around it is to give "the cloud" a miss. We all know it's mere marketing-speak for rented services anyway, and nothing that cannot be pulled in-house. Unfortunately, it's not until a non-US company gets bitten on the bum and it's a demonstrable risk that the average corporate suit will take any heed to this.

    Meanwhile, I pity the many universities where students are forced to use US managed services like outlook. This ruling stifles any research where sources need protection, and I'm sure other use cases with similar jeopardy will occur.
