Felix Pergande - Fotolia

Microsoft’s cloud privacy battle may go to US Supreme Court

The US Department of Justice is considering going to the Supreme Court after an appeals court refused to revisit its July 2016 landmark ruling blocking government access to Microsoft servers in Ireland

Microsoft’s challenge to the US government’s demand to hand over emails stored in Ireland may go to the Supreme Court after a split vote by a federal appeals court.

The battle over data seizure overseas began in December 2013, when US authorities issued a warrant to access emails believed to be linked to narcotics trafficking that were stored in Microsoft’s servers in Dublin, Ireland.

Microsoft was reluctant to allow US government access to its servers in Ireland, and when US federal judge Loretta Preska ruled in July 2014 that Microsoft had to comply with the data access request as a US company in control of the data, the company appealed against the ruling, arguing that the emails belonged to its customers and that the servers were outside US jurisdiction.

Microsoft is among several big US technology firms that have called for surveillance reforms because of concerns that public loss of trust in technology will hurt their businesses.

“The government’s position in this case further erodes that trust, and will ultimately erode the leadership of US technologies in the global market,” Microsoft said in a court filing.

Amicus briefs in support of Microsoft were filed by the Open Rights Group, the Center for Democracy & Technology, BSA, the Software Alliance, the US Chamber of Commerce, the US National Association of Manufacturers, and ACT, the App Association.

In July 2016, the Court of Appeals’ three-member panel of judges unanimously held that a US warrant did not reach data stored outside of the US.

The decision was welcomed by Microsoft and other tech firms as a landmark ruling for protecting the privacy of cloud services. It was also welcomed by civil liberties groups and trade bodies, but in October 2016 the US Department of Justice asked the Court of Appeals to reconsider its decision. 

Read more about US technology trust concerns

  • Yahoo joins technology firms in their demand to the right to disclose the number of user data requests received from US national security agencies.
  • Microsoft takes its strongest stance to date against the US government’s far reaching snooping laws.
  • Microsoft announces it is to take measures to increase the security of customer data to protect against government snooping.
  • Top technology firms join forces to call for urgent reforms of all internet surveillance programmes.

Three months later, the equally divided court upheld its previous ruling that allowed Microsoft to ignore the warrant to access emails stored on its servers in Ireland.

But the fact that it was a 4-4 vote has sparked speculation that it may open the door for the Department of Justice to go to the Supreme Court.

The dissenting judges said the July 2016 ruling could hamstring law enforcement, and called on the US Supreme Court or Congress to reverse it, according to Reuters.

“The [three-member] panel majority’s decision does not serve any serious, legitimate, or substantial privacy interest,” circuit judge Jose Cabranes wrote in dissent.

The dissenting judges believe that it should not matter where the emails are stored because Microsoft is a US company, and said the panel did not properly address the challenges that electronic data storage poses for law enforcement.

“It has substantially burdened the government’s legitimate law enforcement efforts; created a roadmap for the facilitation of criminal activity; and impeded programs to protect the national security of the United States and its allies,” said Cabranes.

Reviewing the decision

“We are reviewing the decision and its multiple dissenting opinions and considering our options,” said Peter Carr, a US Department of Justice spokesman.

Responding to the July 2016 ruling, the Center for Democracy & Technology (CDT) said that by declaring that a US warrant cannot reach communications content stored abroad, the appeals court had ruled strongly in favour of privacy and national rule of law.

“Had the Department of Justice prevailed in this case, other countries would follow the US lead and start claiming access to data stored here in the US based on their own laws. It would have been like the Wild West and disaster for privacy,” said Greg Nojeim, CDT director of the Freedom, Security and Technology Project.

However, he said the decision underlines the need for reform to address legitimate law enforcement demands for data stored abroad. “It should spur US congress to act by finally updating the Electronic Communications Privacy Act [ECPA] of 1986 and advancing legislation that would reform the mutual legal assistance treaty [MLAT] process,” he said.

MLATs are agreements designed for law enforcement agencies to receive and provide assistance to their counterparts in other countries, and the US has MLATs with more than 50 countries, including Ireland.

In July 2016, Nojeim said the CDT expected the US government to appeal the decision and that the civil liberties group would continue to advocate for ECPA and MLAT reforms to address the challenge of cross-border data demands.

Read more on Privacy and data protection