US judge orders Microsoft to hand over email data held in Dublin

A US Judge has ordered Microsoft to give the District Court access to the contents of one of its customer’s emails stored on a server located in Dublin

A US Judge has ordered Microsoft to give the District Court access to the contents of one of its customer’s emails stored on a server located in Dublin. Microsoft challenged the decision but the judge disagreed and rejected its challenge.

US Magistrate Judge James Francis in New York said internet service providers, such as Microsoft, will have to hand over information and emails stored in datacentres outside the US if they are issued with a valid search warrant from US law enforcement agencies.

The search warrant was issued in December 2013 but Microsoft challenged it. “The US government doesn’t have the power to search a home in another country, nor should it have the power to search the content of email stored overseas,” said the company. 

But the Azure cloud provider’s move to quash the search warrant has been denied by the judge.  

Last week, on the TechNet blog, Microsoft’s corporate vice-president & deputy general counsel, David Howard said: “We filed a formal legal challenge to the US search warrant seeking customer email content that is located exclusively outside the United States. Today we received an initial decision that maintains the status quo.”

It’s generally accepted that a US search warrant in the physical world can only be used to obtain materials that are within the territory of the US, Howard explained. “We think the same rules should apply in the online world, but the government disagrees.”

The search warrant covered search and seizure of contents of all emails stored in one user account, including copies of emails sent from the account as well as other information in the email account such as address books, contact lists, pictures, and files.

Microsoft's €480m European datacentre in Dublin, catering to its Azure cloud users, opened in 2009.

Judge Francis quoted the American Stored Communications Act (SCA) and explained that the law authorises the government to seek information – including content of an email – by way of subpoena, court order, or warrant.

“Microsoft’s argument is simple, perhaps deceptively so,” Judge Francis said in an official document.

“Government’s view is that the SCA does not implicate principles of extraterritoriality. It has long been the law that a subpoena requires the recipient to produce information in its possession, custody, or control regardless of the location of that information,” he said.

“Even when applied to information that is stored in servers abroad, an SCA Warrant does not violate the presumption against extraterritorial application of American law. Accordingly, Microsoft's motion to quash in part the warrant at issue is denied,” the judge concluded.

This conclusion will be seen as a significant blow to users of cloud computing services, such as Microsoft Azure, AWS or Google’s enterprise cloud services.

We’re not trying to frustrate any government investigations

David Howard, Microsoft

To allay users’ fears around data privacy and security on cloud services in the wake of the Prism scandal, Microsoft said it is taking steps to ensure governments use “legal process rather than technological brute force to access customer data”.

It also took cloud data security steps, such as expanding encryption across its services, reinforcing legal protections for customers’ data, and enhancing the transparency of its software code, making it easier for customers to understand its data rules.

“We respect the critical role law enforcement plays in protecting all of us. We’re not trying to frustrate any government investigations,” Howard said. “But we’ll continue to pursue this issue because we believe we’re right on the law and because our customers have told us they value our privacy commitments.”

The blow to data privacy on cloud products comes just two weeks after Microsoft confirmed its enterprise cloud services – including Microsoft Azure, Office 365, Dynamics CRM and Windows Intune services – were approved by the standards of EU privacy laws.

The approval means that enterprise customers using Windows Azure or Office 365 can move data freely through Microsoft’s cloud from Europe to the rest of the world without worrying about compliance.

“Customers will entrust their information to the cloud only if they have confidence that it will remain secure there. The approval by the European data protection authorities is another important step in ensuring customers trust Microsoft’s cloud services,” Brad Smith, general counsel and executive vice president of legal and corporate affairs at Microsoft said at that time.

Read more on Managing servers and operating systems