A decision appears imminent in the battle between Microsoft and the U.S. government over access to customer email held on servers in an Ireland data center, email that Microsoft refuses to turn over to the feds in a narcotics case. The issue is not whether a government can request data held within its borders but whether it can access data held by a company that is based within its borders but stores the data in another nation.
The issue of where borders start and stop for accessing data is a troubling one in the cloud, where data can reside in multiple nations and move among them easily. But this case seems a poor one to try to set a precedent giving U.S. officials worldwide reach.
The drug trafficking case is, in the grand scheme, a minor issue that doesn't seem to rise to the level of justifying a backdoor method to access an E.U. data center via a U.S.-based company.
As InfoWorld's David Linthicum argues, if the United States gets backdoor access in other nations, we can expect other countries to seek the same for data held in the United States. Brad Smith, Microsoft's general counsel, shares that fear:
The U.S. government cannot expect to have one model that it follows without anticipating that the rest of the world will follow that model. ... And this is a model that encourages governments to reach into other territories. That does not seem like a sound approach to international stability or mutual respect in the 21st century.
Another odd fact is that the U.S. government could request that data directly from Ireland using the Mutual Legal Assistance Treaty. InfoWorld's Caroline Craig reports the United States is not taking advantage of this treaty because the "Justice Department considers that process too slow and wants to deal directly with the U.S.-based company." Convenience also doesn't seem a compelling enough reason to gain the unfettered right to extraterritorial reach.
From where I sit, the decision is easy: Microsoft should win, and not only to satisfy the concept of privacy. There's a big business need at stake: How many companies will refuse to move to the cloud, despite all its advantages, simply because there is no guarantee their data is safe from prying eyes of the U.S. government -- or Chinese or Russian or British or Saudi or ...
You might think that the U.S. government wouldn't abuse extraterritorial reach. But the revelations of Edward Snowden show that it in fact would do (and has done) so, as would other governments. Although I'm not looking to get into a political debate, the simple truth is I cannot convince folks in some E.U. countries to move to Office 365 because of such fears. These legal issues will and do affect adoption of new technology in global enterprises.
Microsoft is pushing for the adoption of a new LEADS Act (Law Enforcement Access to Data Stored Abroad) because it offers "essential reforms that rectify outdated privacy laws," including safeguards for U.S. data stored abroad. It's certainly obvious that there is a need for new legislation.
But it's unfortunately not obvious enough to the government that there are boundaries (privacy protection for citizens) that U.S. law enforcement agencies should not circumvent, at least not for something so common as drug trafficking.
And when there is a need to reach into and obtain data from a data center anywhere -- whether in the United States or abroad -- it's imperative that respect for legal standards be shown.
If you agree, I ask that you urge Congress to consider the LEADS legislation.