A federal petitions court on Tuesday repeated Microsoft‘s legal right to refuse a US government order to hand over data stored overseas in a case with important privacy effects.
A divided panel of judges in New York denied a petition by the US for a rehearing of a ruling previous year in a case pitting Microsoft against the government over data stored on servers in Ireland.
The case has been observed closely for its implications for privacy and surveillance in the digital age.
The December 2013 warrant directed Microsoft to turn over the contents of an email account used by an alleged drug trafficker.
Redmond, Washington-based Microsoft handed over account information it kept on US soil but stated the content of emails was off-limits because it was stored on servers in Ireland.
Microsoft chief legal official Brad Smith welcomed the ruling while noting that “we need Congress to reform the law both to keep people safe and ensure that governments everywhere respect each other’s borders.”
Many privacy and digital rights activists have supported Microsoft as a way of guarding against overreach by the US government, even though some state the implications of the case are not clear.
Reaching beyond borders
Compatible and defiant justices on the panel agreed that Congress that the 1986 Store Communications Act (SCA) that was at the heart of the case should be altered by Congress to better balance privacy, crime-fighting, and national security.
Judge Susan Carney stated Congress did not intend for the law to apply “extraterritorially,” or outside US borders, and doubtful the government’s argument claiming the data remained domestic because it could be retrieved by Microsoft.
“Mundane as it may seem, even data subject to lightning recall has been stored somewhere, and the acknowledged record here showed that the ‘somewhere’ in this case is a data centre firmly located on Irish soil,” Susan Carney wrote in a concurring opinion.
Judge Dennis Jacob stated in a disagreement that the US was basically not reaching beyond its borders when the information it sought was in the easy grasp of a Microsoft computer station in Redmond.
If the recipient of a legal warrant “can access a thing here, then it can be delivered here” and it should not matter where the “ones and zeroes” are located in cyber space, Jacobs reasoned.
“Restricting the data in Ireland is not marginally more useful than thinking of Santa Claus as a resident of the North Pole,” Jacobs wrote.
“Where in the world is a Bitcoin? Where in my DVR are the images and voices? Where are the snows of yesteryear?”
Judge Jose Cabranes wrote in disagreement that the negative consequences of the panel’s decision could ruin law enforcement efforts and hamper efforts to protect the US and its allies.
“The panel majority’s opinion has created a roadmap for even an unworldly person to use email to aid criminal activity while avoiding detection by law enforcement,” Cabranes wrote.
While Microsoft has received backing from most technology allies and digital rights groups, some activists state the case is far from clear-cut.
Jennifer Granick of the Stanford Center for Internet and Society has claimed that a Microsoft win could mean these cases are decided in countries with less privacy protections, and drive more companies to “localise” data in places where authorities can’t access it.
But Greg Nojeim of the Center for Democracy and Technology stated a ruling for the government “could have resulted in chaos and a privacy disaster.”
Nojeim stated that tech firms under such a ruling “would have been subject to contradictory obligations to an even greater extent than is the case today, and users’ communications privacy could become, over time, subject to the whims of not just the US government, but also other countries seeking their data.”