Corporate cloud users in Europe could be excused for spending their summers more wisely than monitoring New York court decisions. But one ongoing case – pitting Microsoft head-to-head against the US government – could shape the approach to future cloud use.
The case concerns whether the US government has the right to obtain copies of data hosted outside the United States on Microsoft's cloud-based email service. Whereas previous concerns have centred on the potential extraterritorial scope of the USA PATRIOT Act, on this occasion the US government is seeking to obtain disclosure of information under a US statute known as the Stored Communications Act (SCA).
The US government believes that Microsoft – as a US-headquartered company – should turn over to it any data within Microsoft's possession, custody or control regardless of the location of that information. Reflecting concerns from many cloud service users based in Europe about the vulnerability of information to governmental access, Microsoft is taking the position that the US courts don't have the authority to issue a search warrant for seizure of information held outside the United States.
One concern would be that, if Microsoft ultimately loses the case, a request for a criminal search warrant in the United States would enable the US government to obtain records stored by any US-headquartered cloud provider anywhere in the world, as long as those records can be accessed from the United States.
Initially, a judge in the US issued a search warrant under the SCA authorising the release to criminal investigators of information associated with a particular Microsoft web-based, cloud-hosted email account. The warrant required Microsoft to disclose information within its "possession, custody or control" relating to this particular email account. Microsoft responded to the warrant by producing certain information held in the US – in particular, so-called "non-content" information (e.g., data relating to the sender's email address, date and time of transmission). Microsoft refused to produce information relating to the contents of the emails requested because that was stored at its data centre in Ireland.
On July 31 a federal judge in New York upheld the order requiring Microsoft to comply with the warrant. The case now goes to the US court of appeals. Microsoft's legal arguments have ranged from the nitty-gritty of the SCA to broad legal theories around the legitimacy of extraterritorial application of US laws.
The issue of governmental access to cloud data clearly will not go away and continues to play on the minds of potential corporate cloud users. It's interesting how vigorously Microsoft – supported by "friend of the court" briefs from other large US-based technology providers – has defended its position. Presumably conscious of the need to defend the perceived independence and integrity of the cloud market, it has been prepared to spend significant time, effort and cost to allay fears of cloud service users regarding the access rights of the US government. Microsoft has certainly not lain down easily.
To some extent, the case is limited to its facts. It's important to note that it relates to a situation in which US law enforcement agencies have been conducting a criminal investigation and, in order to obtain a warrant in the first place, they have to prove probable cause to a magistrate. This isn't a case of the US government seeking an unfettered right to access cloud data.
Also, the particular cloud service operated by Microsoft that's at issue here is its web-based email service. These types of services aren't going to be appropriate for sensitive corporate data and, in many cases, corporate users would be very wary of using such services. In a sensitive or regulated environment, a cloud user is likely to require greater ring-fencing from potential access by the cloud provider, for example by ensuring that encryption occurs before information is uploaded into the cloud.
One of the issues in this case is the extent to which Microsoft could easily access the relevant content data from its US premises. To circumvent the type of arguments being made in this case, a cloud provider could design its systems to ensure that control over data held overseas is exclusively available outside the United States – i.e. in the country where the data resides. In this particular case, if Microsoft had been unable to access the data from the US, that could have fundamentally undermined the US government's case.