Microsoft appeal: imagine if Stadtpolizei wanted papers from Deutsche Bank in NYC

Microsoft has compared the warrant it’s challenging for email stored in its Irish data centre to the German state police demanding papers of a journalist stored in a Deutsche Bank branch in Manhattan.

The company's "shoe on the other foot" portrayal is the lead of its legal brief filed on Monday in New York with the US Second Circuit Court of Appeals.

“Imagine this scenario. Officers of the local Stadtpolizei investigating a suspected leak to the press descend on Deutsche Bank headquarters in Frankfurt, Germany. They serve a warrant to seize a bundle of private letters that a New York Times reporter is storing in a safe deposit box at a Deutsche Bank USA branch in Manhattan. The bank complies by ordering the New York branch manager to open the reporter’s box with a master key, rummage through it, and fax the private letters to the Stadtpolizei,” Microsoft opens.

The appeal is the latest turn in Microsoft’s fight against a warrant authorised under the US Electronic Communications Privacy Act (ECPA). In 2013, federal agents investigating a drug-related crime served Microsoft a warrant to turn over the contents of emails hosted exclusively in its Irish data centre.

The act authorises federal and local police to demand email providers hand over users' email and Microsoft has complied with the order for the person's contacts list, which was hosted in the US. But it hasn't handed over the contents of the web-mail account, which are located exclusively in Ireland, where they are protected by Irish and European data privacy laws.

Microsoft lost its initial appeal in July and in September agreed to be found in contempt of court to expedite the current appeal.

Microsoft insists that US law enforcement should follow procedures under mutual legal assistance treaties the US has with Ireland and other nations.

The case has also caused some angst across the Atlantic. The Irish government last month asked the European Commission for help in dealing with the case, however EU vice president Viviene Reding said in June that Europe had raised the issue with the US on numerous occasions over concerns that Microsoft was dealing with an "extraterritorial application of foreign laws" that may violate international law.

With roles switched in Microsoft’s tale, Germany’s Foreign Minister responded to American concerns over the warrant that German police didn’t search anything because no German officer set foot in the US.

Read more: US Senator introduces bill to block FBI backdoor access

“The Stadtpolizei merely ordered a German company to produce its own business records, which were in its own possession, custody, and control. The American reporter’s privacy interests were fully protected, because the Stadtpolizei secured a warrant from a neutral magistrate,” Microsoft’s lawyers argue.

Microsoft’s chief legal counsel, Brad Smith, drew attention to the legal implications of online communications replacing paper letters sent in the mail.

“According to the Government, your emails become the business records of a cloud provider. Because business records have a lower level of legal protection, the Government claims it can use a different and broader legal authority to reach emails stored anywhere in the world,” wrote Smith today on Microsoft’s On the Issues blog.

Microsoft contends in its brief that “the ECPA’s text and history show Congress believed the law would only apply domestically” and that the government should appeal to Congress if it wants the act extended abroad.

Read more: UK court to review legality of fast-tracked surveillance law

If Microsoft loses the appeal, it says the US won’t be in a position to complain if foreign law enforcement order them to turn over emails hosted in the US. Apple, Verizon and the Electronic Frontiers Foundation have filed friend of the court briefs in support of Microsoft.

Federal agents served Microsoft the warrant in December 2013, requesting it turn over stored emails, emails sent, address books, contact lists, pictures and all files hosted in the account since it was established.

While the residence of the person under investigation hasn’t been made public, Microsoft outlines in its brief that to reduce latency it locates data closer to users.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Read more: Judge: Give NSA unlimited access to digital data

Join CSO for the day@#csoperspectives and hear from @kimzetter @frankheidt @simplenomad Register today

Join the CSO newsletter!

Error: Please check your email address.

Tags US Electronic Communications Privacy Act (ECPA)FrankfurtMicrosoft appealgovernmentNYCStadpolizeiIrish data centreCSO AustraliaEnex TestLabgermanyDeutsche Bankemails tracking

More about AppleAtlanticCSODeutsche BankEnex TestLabEUEuropean CommissionManhattanMicrosoftNewsVerizon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts