Microsoft Argues Landmark Cloud Privacy Case Before Supreme Court
What started out as a routine investigation by the U.S. Drug Enforcement Agency (DEA) back in 2013 and turned into a protracted and precedent-setting battle between Microsoft and the federal government is now under consideration by the nation’s highest court.
At stake is the privacy of information stored in offshore data centers. In rejecting a federal warrant demanding that Microsoft turn over emails stored in a data center in Ireland more than four years ago, Microsoft president and chief legal officer Brad Smith at the time promised to take this case to the Supreme Court if necessary to challenge the dated Stored Communications Act of 1986. The company had its day before the Supreme Court on Tuesday when its lawyers presented oral arguments, squaring off against the Department of Justice.
In refusing to comply with the DEA’s warrant, Microsoft has maintained that doing so would require it to pull the emails from the Ireland data center, a move that would violate international law. The Feds should use a Mutual Legal Assistance Treaty (MLAT), Microsoft has argued.
“While we don’t believe that U.S. law grants the Government the right to reach across borders to obtain private information, we do believe that the U.S. should work with the Irish government to obtain the data they want,” Smith explained in a company blog this week. “Unilateral actions like this will undermine privacy protections of customers everywhere, and are a recipe for international tensions, conflict and chaos.”
A District Court had ruled against Microsoft’s claim back in 2014, but then an appeals court decided in its favor in 2016. The DoJ subsequently re-opened the case, culminating in this week’s Supreme Court showdown. In the oral arguments, Joshua Rosenkranz, Microsoft’s attorney, underscored that “this is actually an extraterritorial act that is unauthorized by the U.S. Government,” according to the Supreme Court’s preliminary transcript of the testimony.
“No one disputes that countries across the world believe that they have the sovereignty and the sovereign right to pass their own laws governing the access to emails stored on their soil,” Rosenkranz argued. “And here we are reaching into their lands and imposing our U.S. position on who gets access to e-mails on their soil.”
The Justices had many questions regarding Microsoft’s position, though they admitted to having limited understanding of the technical issues.
“It seems odd to me that if — you could voluntarily disclose, but they couldn’t ask for a subpoena. That doesn’t quite mesh, does it?” asked Justice Anthony Kennedy.
“If we voluntarily disclosed, it would be a violation of our obligations to our customer,” Rosenkranz responded. “It would also, by the way, in this context, be a violation of European law.”
“We think the Court should leave things as they are with the instrument that Congress authorized, operating on a person, and requiring that person to produce information regardless of whether it’s stored overseas,” argued Michael Dreeben, the Deputy Solicitor General with the DoJ.
Outside the court, Microsoft’s Smith told NPR that he was more encouraged than he was before making its case.
“This case is fundamentally about a law that was passed across the street in Congress in 1986; it is a law that was never intended to reach around the world or into our data center in Ireland,” Smith said. “As I think the oral argument made abundantly clear, there are a variety of factors, important nuances that need to be considered to ensure law enforcement can do its job and people’s privacy rights can be protected.”
Regardless of what the Supreme Court decides, Smith has argued that Congress must modernize the laws, a process now underway thanks to bipartisan legislation proposed Feb. 6 by Senators Orrin Hatch (R-Utah), Chris Coons (D-Del.), Lindsey Graham (R-S.C.), and Sheldon Whitehouse (D-R.I.). In the House of Representatives, Doug Collins (R-Ga.) introduced matching legislation. The Clarifying Lawful Overseas Use of Data (CLOUD) Act will address issues like the case Microsoft is now arguing, according to the bill’s sponsors.
“We need a commonsense framework to help law enforcement obtain critical information to solve crimes while at the same time enabling email and cloud-computing providers to comply with countries’ differing privacy regimes,” Hatch said in a statement. The CLOUD Act creates such a framework and will also help set a precedent for our allies as they deal with this problem too.”
The legislation calls for bilateral agreements between nations, extraterritoriality of U.S. warrants, transparency and reciprocity. Apple, Facebook, Google, Microsoft and Verizon’s Oath unit signed a letter jointly supporting the legislation. “If enacted, the CLOUD Act would create a concrete path for the U.S. government to enter into modern bilateral agreements with other nations that better protect customers,” the letter stated.
Microsoft’s partners – or any technology solution, cloud or managed service providers – of course have a large stake in the outcome of the Supreme Court case, and passage of the CLOUD Act. Frank Valdivieso, CEO of Microsoft Silver partner Gryphon Consulting, a Largo, Maryland-based cloud and managed services provider, supports the CLOUD Act.
“The CLOUD Act is long overdue,” Valdivieso said. “We simply need privacy rules that reflect today’s technology, not the technology of 1986, when our main digital privacy laws were enacted.”
Not everyone is on board with the CLOUD Act. The Electronic Frontier Foundation, an advocacy for privacy protection, argued the CLOUD Act would be a step back.
“The CLOUD Act raises dire implications for the international community, especially as the Council of Europe is beginning a process to review the MLAT system that has been supported for the last two decades by the Budapest Convention,” wrote the EFF’s Camille Fischer. “Although Senator Hatch has in the past introduced legislation that would support the MLAT system, this new legislation fails to include any provisions that would increase resources for the U.S. Department of Justice to tackle its backlog of MLAT requests, or otherwise improve the MLAT system.”
In their letter, however, the five vendors argued that the legislation would require baseline privacy, ensuring that customers and data holders are protected by their respective laws in a meaningful way.
“The legislation would further allow law enforcement to investigate cross-border crime and terrorism in a way that avoids international legal conflicts,” the letter reads.