Where's the data?

The U.S. government wants access to an alleged drug dealer's emails, but Microsoft says, sorry, they're in Ireland and out of bounds.

It's a time-honored tradition: U.S. businesses find ways to skirt inconvenient or expensive laws by moving operations to other countries. Thus we have had U.S. corporations operating overseas to exploit child labor, run sweatshops or avoid taxes and rigorous health and safety inspections. Now the U.S. government says something similar is happening in regards to email.

At issue is the question of whether companies or individuals can keep the U.S. government from accessing their email by arguing that it resides on a server in a country that is hostile to such searches. The most recent development came last week (March 9) in a case that involves Microsoft, a U.S. citizen accused of narcotics trafficking and an MSN email server sitting in Dublin, Ireland. The case's supporting players read like the game "which of these are different from the others?": On Microsoft's side is Verizon, AT&T, Apple, Cisco -- and the Electronic Freedom Foundation.

From their point of view, they are challenging the federal government's ability to access email records if those documents are stored outside of the U.S. From the government's perspective, the question is whether a company can skirt legal inquiries by simply choosing to house records in a friendlier country. Think of Ireland in this case as the email equivalent of what the tax-avoiding Swiss bank account used to be.

The problem, of course, is that in 2015, the U.S. is trying to apply years-old, non-digital rules to digital situations. The reality is that companies like Microsoft, Amazon and Google can have servers of all kinds sitting in server farms in dozens of locations, some of them overseas.

Microsoft argues that it had a specific reason for placing the emails in question on a server in Ireland: proximity to the user. Or at least proximity to where it thinks the user is located. You see, MSN users can tell Microsoft they're in Ireland, and the company has absolutely no mechanism for verifying that -- not even checking IP address location.

"Email accounts are assigned to the Dublin datacenter, according to Microsoft, based on the user's own uncorroborated identification of his or her country of residence at the time the account is created. The stated aim of this policy is to reduce the geographic distance between a user and the datacenter that services the account," the government said in its federal appeals court filing last week. "Microsoft makes no effort, however, to verify the user's country of residence at the time of registration or at any time thereafter. Under this system, a U.S. citizen living in New York City could have his account hosted at the Dublin datacenter so long as he claimed to be a resident of Ireland."

What started this case was a 2013 federal search warrant aimed at Microsoft and one of its MSN email customers. The U.S. Justice Department insisted that Microsoft turn over any messages from that customer "pertaining to narcotics, narcotics trafficking, importation of narcotics into the United States, money laundering or the movement or distribution of narcotics proceeds."

The case hits on several interesting issues. If a server is situated in Ireland -- or India or Japan -- should it be subject to the rules of those countries? Before you answer, what if the U.S. email provider that owns that server routinely accessed -- for legitimate IT purposes -- all of those messages from desks in the U.S.? As the bits zap across the globe electronically in a few nanoseconds, who is to say where they physically reside? Could a company routinely shift data from machines in a dozen countries and have that data governed only by where it resides at that moment? What if copies reside in all of those servers? Is this a global email version of musical chairs?

The feds last week said that it's not a matter of where the data sits, but who is playing the music. "Courts are empowered to exert authority on people and entities over whom they have jurisdiction, even if that authority has consequences overseas," the feds wrote. "The test for the production of documents is control, not location."

Another issue: Who really owns that subpoenaed data? Microsoft, which apparently never read its own MSN terms and conditions, said its customers own the data and that it's not up to Microsoft to rat on its consumers.

And Microsoft has countered with its own colorful example: "Imagine this scenario. Officers of the local Stadtpolizei investigating a suspected leak to the press descend on Deutsche Bank headquarters in Frankfurt, Germany. They serve a warrant to seize a bundle of private letters that a New York Times reporter is storing in a safe deposit box at a Deutsche Bank USA branch in Manhattan. The bank complies by ordering the New York branch manager to open the reporter's box with a master key, rummage through it, and fax the private letters to the Stadtpolizei. The U.S. Secretary of State fumes: 'We are outraged by the decision to bypass existing formal procedures that the European Union and the United States have agreed on for bilateral cooperation, and to embark instead on extraterritorial law enforcement activity on American soil in violation of international law and our own privacy laws.' Germany's Foreign Minister responds: 'We did not conduct an extraterritorial search -- in fact we didn't search anything at all. No German officer ever set foot in the United States. The Stadtpolizei merely ordered a German company to produce its own business records, which were in its own possession, custody, and control. The American reporter's privacy interests were fully protected, because the Stadtpolizei secured a warrant from a neutral magistrate.'"

Microsoft then made its point: "The letters the reporter placed in a safe deposit box in Manhattan are her private correspondence, not the bank's business records. The seizure of that private correspondence pursuant to a warrant is a law enforcement seizure by a foreign government, executed in the United States, even if it is affected by a private party whom the government has conscripted to act on its behalf."

Jennifer Daskal, a former counsel at the U.S. Department of Justice and lawyer for Human Rights Watch who is now a law professor at the American University in Washington, D.C., has been writing extensively about this case.

"We now live in a world in which most of us trust just about all of our private communications and other documents to third parties for transit or storage. The implication that all such data could be obtained by administrative subpoena as the government suggests -- is troubling, to say the least," Daskal wrote. "More importantly, the government fails to acknowledge that even if there is not a direct conflict of laws, its approach violates the long-standing presumption against unilateral law enforcement actions in another state's territory. Of particular concern, it opens the door for other nations compelling ISPs to turn over data located in the United States, including that of U.S. citizens, possibly for nefarious purposes, and without regard to the dictates of the (Stored Communications Act). As the government notes, the UK has already passed such legislation and others will undoubtedly follow suit."

Daskal's point is on target. Consider diplomatic immunity. The only reason we give a get-out-of-jail-free card to diplomats is so that other governments will reciprocate. Otherwise, having diplomats in certain not-so-friendly countries would be impossible.

Let's bring this all back to email and any other form of digital data that IT has to handle. Although it's certainly the easiest path for the government to just slap a legal demand on a U.S. company, the big concern must be global precedent. Everyone in this case is choosing the most palatable characters for their arguments. Justice chose to take an effort involving an accused drug dealer as its test case. Microsoft couched its counterargument in terms of a U.S. journalist.

Do people with a Gmail account even know what country their data is housed in? Should they care? That thinking favors the government's argument, that Google email is seen by customers as being from Google, a U.S. company, just as MSN is seen as Microsoft.

Courts -- and legislators and the White House -- need to take these issues very seriously. The global backlash could have a wildly unforeseen impact.

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek and eWeek. Evan can be reached at eschuman@thecontentfirm.com and he can be followed at twitter.com/eschuman. Look for his column every other Tuesday.

Join the CSO newsletter!

Error: Please check your email address.

Tags Appledata securityat&tsecurityElectronic Freedom FoundationMicrosoftdata protection

More about AppleCiscoDepartment of JusticeDeutsche BankFreedomGoogleHuman Rights WatchManhattanMicrosoftMSNVerizon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Evan Schuman

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place