US Effort to Grab Data from Microsoft in Ireland Should Frighten All Firms Using the Cloud Overseas

A legal battle pitting Microsoft against the Justice Department raises fundamental questions that all CIOs should pay close attention to.

Jeff Gould is president of SafeGov.org and CEO and director of research at Peerstone Research.

Does your company have staff or facilities overseas? Do you use cloud services from Amazon, Google, Microsoft, Salesforce, Dropbox and other leading providers? Then, in all likelihood, some of your data is stored overseas, because in order to reduce network latency most of the big cloud providers now operate data centers in Europe and Asia in addition to the U.S.

In the wake of the Snowden revelations, many analysts predicted overseas customers would become hesitant to use cloud providers subject to U.S. jurisdiction. But these predictions have not come true.

According to recent financial results, the largest cloud providers – Amazon, Microsoft and Salesforce in particular – are seeing surging growth in their cloud revenues. Amazon’s AWS alone will reap more than $8 billion this year, and is now growing at an 81 percent annual clip. Much of this growth is coming from abroad.

It appears then that Snowden’s impact on U.S. cloud providers may not be as big as feared – at least not yet. But many CIOs may not realize that other actions by the U.S. government could pose a perhaps equally grave, though subtler, threat to cloud computing. The laws that set the rules for government access to electronic data were largely written in the 1980s. Their application to data stored by enterprise customers on cloud servers is unclear. The rights of customers to contest the government’s actions or even be informed of them are uncertain.

But now, a legal battle pitting Microsoft against the Justice Department raises fundamental questions that all CIOs should pay close attention to.

For U.S. federal prosecutors now consider that virtually all data stored overseas may be theirs for the taking with a simple warrant. The cloud provider need not even be American. So long as it is subject to U.S. jurisdiction, the prosecutors believe they can compel the provider to rifle through its overseas sites and hand over any data.

The providers may not even be allowed to tell you they are going behind your back to disclose your information. Foreign laws that forbid such disclosure don’t matter. Nor do overseas employees’ or customers’ expectations of confidentiality.

But surely, you say, American law officers cannot just fly to Dublin or Tokyo or Paris with a U.S. warrant, pound on a data center’s door, and demand to search the premises. No, they cannot. But our judges have been persuaded that when computer data is involved, such a “search” does not really occur abroad. Rather, it happens only after the data is transported back to the U.S. via automated network procedures and then displayed to human observers. The prosecutors go even further and argue that no “search” occurs at all, as they are only seeking “compelled production.” In either case, foreign laws, individual rights and transparency fall by the wayside.

Microsoft’s lawyers will plead their case before the Second Circuit Court of Appeals in September. The case turns on a search warrant issued by federal prosecutors in New York seeking the emails of an overseas customer of Microsoft’s Outlook.com service. These emails happen to be stored on Microsoft servers in Dublin, Ireland.

Microsoft has contested the validity of this attempt to secure overseas data by means of a U.S. warrant. Its lawyers say prosecutors should instead use the existing mutual legal assistance treaty between Ireland and the U.S., which is a more transparent and less one-sided process for obtaining the desired data.

Most of the press coverage has treated the case as if it concerns only cloud providers. But in fact, it is relevant to any firm, American or foreign, that relies on U.S. cloud providers overseas.

It is often said the U.S. government’s aggressive stance will drive all companies doing business overseas to use purely local cloud providers on whom our courts have no legal claim. Firms will hire local German cloud providers in Germany, local Japanese providers in Japan, and so on, thus leading to IT fragmentation and higher costs.

Such an inefficient and balkanized cloud scenario, if it came to pass, would be bad enough. But the actual outcome will likely be worse. It often won’t be feasible for local cloud providers to step into the shoes of the established global giants. The reality is that the cloud offerings of Amazon, Microsoft, Google and a handful of other global providers have reached a scale and degree of technical sophistication that simply cannot be duplicated by local champions.

Why can’t small providers touch the global giants? One reason is money. The top dozen or so cloud providers are investing hundreds of billions of dollars in the construction of vast global networks of linked data centers, with mostly football-field-sized facilities housing hundreds of thousands of individual servers. These networked centers continuously shift data between themselves to optimize service resilience, network latency and resource utilization.

Another reason why the local champions will be left behind is that cloud providers are increasingly shifting from commodity services to more differentiated offerings. Basic cloud infrastructure is evolving from simple virtualized servers to something much more complex. The very notion of “server” is dissolving into a more abstract notion of “compute fabric.” Don’t worry about configuring virtual machines, providers like Amazon now say, just give us your code and we’ll run it. Amazon’s new Lambda service is an early example of this trend, sometimes known as the “serverless” cloud. Microsoft and Google are rapidly heading in the same direction.

Delving deeper, we find cloud applications that by definition cannot be copied. If you want Google Apps, Office 365 or Salesforce CRM, you won’t be able to get it from your local cloud provider. In short, cloud providers confined to single-country markets will not be able to compete on the global stage. Rudimentary local services with little more to propose than remote virtual machines will not make the cut. The real choice for customers will be between a global cloud or no cloud at all. The stakes in the Microsoft case are thus very high indeed.

Microsoft’s lawyers are confident they are on firm ground in arguing the law is with them. But it’s hard to predict how the Appeals Court judges will rule. The New York prosecutors’ claims rely on a 1986 law known as the Stored Communications Act, part of the broader Electronic Communications Privacy Act. These laws are widely understood to be outdated, because they are framed in terms of obsolete 1980s technology.

Despite the prosecutors’ aggressive interpretation of these decades-old texts, it is clear they were never intended to apply overseas – their authors simply could not have anticipated the rise of the global Internet.

What is certain is that the impact of the ruling will reach far beyond Microsoft. One way or another, the warrant case will likely end up before the Supreme Court. In lawyers’ parlance, it is difficult to imagine a case more “certworthy” than this one – that is, a case where the implications for society at large are so consequential, and the divergence of legal views so vast, that the nine justices must take it up. The court’s recent landmark Riley ruling against warrantless search and seizure of cell phone contents suggests the Supremes’ strong interest in digital privacy.

In the long run, however, it is the responsibility of Congress to revise the outdated SCA and ECPA statutes. These laws must be brought into the Internet age in a way that protects the rights of enterprise cloud customers as well as those of U.S. and foreign citizens from no-holds-barred U.S. prosecutors and compliant judges with little understanding of technology.
