Microsoft is fighting a case in federal appeals court that may decide the future of U.S. cloud computing.
Not long ago, if the U.S. Department of Justice wanted information you’d stored electronically, all its agents needed to do was get a court order and seize your computer. Law enforcement doesn’t have it so easy anymore. In the cloud era, if the FBI or investigators from any other government want to get at your e-mail, Skype calls, or transaction records, the requests—or demands—have to go through corporate legal departments, wherever they may be. Archiving companies’ and individuals’ data is big business for the likes of Microsoft, Google, Apple, and Amazon.com, which have invested billions to create immense clouds of servers to keep your information organized, secure, and confidential.
Overseas judgments could chill business. On Oct. 6, for example, the European Court of Justice (ECJ) invalidated a data-transfer agreement between the European Union and the U.S. Many big tech companies had taken extra steps to comply with the eventuality, but thousands of businesses were still left confused about the legality of moving information electronically from one continent to the other.
The complexity of that case, however, pales against the potential of other legal disputes. Microsoft and its fellow tech superpowers have installed their storage capacity around the world, further complicating the question of national jurisdiction. The record of a Skype call between a user in the U.S. and another in Germany, stored on a server in South Africa, might be the object of a request from the government of Singapore. Whose laws prevail? “These are the most far-fetched law school hypotheticals you could ever come up with,” says Nuala O’Connor, head of the Center for Democracy and Technology in Washington. “Except they are coming true.” Existing statutes don’t help. The U.S. law that usually applies to such situations was enacted in 1986, three years before the invention of the World Wide Web.
Since December 2013, Microsoft has been engaged in a pivotal battle with the U.S. government over e-mail stored on one of its company servers in Ireland. The government’s attorneys say the U.S. simply wants evidence linked to a narcotics case. Microsoft says if it loses the case, the consequences will resound well beyond the fate of an alleged drug dealer. “At the core of this case is the protection of personal communications and the reach of U.S. law,” says Craig Newman, head of privacy and data security at Patterson Belknap Webb & Tyler. He and others warn that a decision against Microsoft could affect civil liberties as well as the profits of the U.S. cloud-computing industry, forecast to reach $98.6 billion in revenue this year, according to market-research firm Gartner. “The implications of what we do here are obviously broad,” said U.S. Circuit Judge Gerard Lynch, one of the three justices presiding over the latest appeal, which opened in New York in early September.
The legal showdown is the first of its kind about corporate privacy since Edward Snowden’s 2013 revelations about U.S. government spying. It hasn’t gone well for Microsoft: The company already lost two lower-court decisions when judges agreed with the government that the feds had the rights to data stored by a U.S. corporation. If the losing streak continues, cloud-computing companies such as Microsoft will have a harder time selling their services to foreign customers—particularly governments—because they won’t be able to promise to keep data from the prying eyes of U.S. intelligence. According to a June report by the Information Technology and Innovation Foundation, the U.S. technology industry will lose more than $35 billion in sales by next year from customers who no longer trust it to keep their data private and safe.
“Some public-sector companies say, ‘I cannot put my data in the data center of an American company unless you win this case,’ ” says Brad Smith, president and chief legal officer of Microsoft. He says the company will appeal to the Supreme Court if it loses again. It’s not as if Microsoft refuses all cooperation with law enforcement, he notes. In January 2015, within 45 minutes of a request from the FBI on behalf of French investigators—the proper legal procedure, according to Smith—Microsoft turned over the U.S.-stored e-mail accounts of two suspects in the attack on the satirical magazine Charlie Hebdo. But the Ireland case is different, and its potential implications have Microsoft rivals Amazon, Apple, and Cisco providing public and courtroom support. The broader privacy repercussions have also brought organizations such as the American Civil Liberties Union to Microsoft’s side.
The company’s wrapping itself in the Fourth Amendment—freedom from unreasonable search and seizure. Smith, a 22-year Microsoft veteran, recalls that, in 2002, the National Security Agency asked Microsoft to participate in a secret, voluntary program giving the agency access to e-mails and other electronic communication. That program became public with the Snowden leaks, which included a 2009 NSA document noting that one company, identified as Company F, declined to participate. Smith says Company F was Microsoft and adds that after the NSA’s approach, he and then-Chief Executive Officer Steve Ballmer discussed John Adams and Abraham Lincoln and making a decision that stood “the test of time.” They then told the NSA no.
If Microsoft ultimately loses the case, says Lee Tien, senior staff attorney at the Electronic Frontier Foundation, the U.S. would be able to compel companies to hand over data held overseas, regardless of local law. Moreover, “this principle, if you applied it consistently, would mean our laws would provide no protection against a request from, say, a German or Italian government” for information held by a non-U.S. provider on American soil, even if that data was generated by U.S. citizens or companies.
To the three-judge appeals panel in New York, Microsoft pressed its own version of the national and corporate security argument. A ruling in the government’s favor, said the company’s lawyer, Joshua Rosenkranz, would result in a “global free-for-all,” with other countries demanding that local companies turn over information stored in the U.S. “We would go crazy if China did it to us,” he said at the hearing. “This is a matter of national sovereignty.”
Assistant U.S. Attorney Justin Anderson said the government isn’t trying to apply American law overseas. What was important, he told the judges, was where the information in the contested e-mails was exchanged—in this case, he contends, in the U.S.—not the location of the server where the data is stored. “The government is indifferent to where Microsoft might have to go to obtain these materials,” he said, echoing the July 2014 ruling against the company by U.S. District Judge Loretta Preska.
The law the judges will apply—the pre-Internet Electronic Communications Privacy Act of 1986—is severely antiquated. Smith says the issue needs to be handled by new legislation, a point reiterated by a Microsoft spokesperson after the Oct. 6 invalidation of the data-transfer pact: “The ECJ’s decision highlights the need for governments on both sides of the Atlantic to work together to reform digital privacy laws.” Smith has specifically mentioned the Law Enforcement Access to Data Stored Abroad Act, which would prohibit law enforcement from using warrants to access overseas information unless the customer is a U.S. citizen. Says Representative Suzan DelBene of Washington state, a Democratic co-sponsor of the bill who is an ex-Microsoft executive and whose husband is the corporation’s head of strategy: “We need to address it so all our technology companies know the legal framework and so individuals know how their data will be treated.” But its passage isn’t imminent. In court, Judge Lynch expressed annoyance: “It would be helpful if Congress would engage in that kind of nuanced regulation, and we’ll all be holding our breath until they do.”
A decision in the Ireland case isn’t expected until November. But Microsoft is already dealing with battles on the same issue. Earlier this year, police arrived at the São Paulo apartment of the company’s top executive in Brazil. They burst through the gates and demanded he present himself before a court. Why? Microsoft had refused to turn over Skype data stored in the U.S. that involved a Brazilian customer. Refusing to turn over the data violates Brazilian law; turning it over violates U.S. wiretapping law. For now, the executive—whom the company won’t name for security reasons—remains free as the case moves through Brazil’s courts. Says Tom Alberg, a co-founder of Madrona Venture Group, an early Amazon investor: “Every country is adopting its own rules, and it’s leading to some really weird results.”
—With Bob Van Voris