A legal battle pitting Microsoft against the Justice Department raises fundamental questions that all CIOs should pay close attention to.
Jeff Gould is president of SafeGov.org and CEO and director of research at Peerstone Research.
Does your company have staff or facilities overseas? Do you use cloud services from Amazon, Google, Microsoft, Salesforce, Dropbox and other leading providers? Then, in all likelihood, some of your data is stored overseas, because in order to reduce network latency most of the big cloud providers now operate data centers in Europe and Asia in addition to the U.S.
In the wake of the Snowden revelations, many analysts predicted overseas customers would become hesitant to use cloud providers subject to U.S. jurisdiction. But these predictions have not come true.
According to recent financial results, the largest cloud providers – Amazon, Microsoft and Salesforce in particular – are seeing surging growth in their cloud revenues. Amazon’s AWS alone will reap more than $8 billion this year, and is now growing at an 81 percent annual clip. Much of this growth is coming from abroad.
It appears then that Snowden’s impact on U.S. cloud providers may not be as big as feared – at least not yet. But many CIOs may not realize that other actions by the U.S. government could pose a perhaps equally grave, though subtler, threat to cloud computing. The laws that set the rules for government access to electronic data were largely written in the 1980s. Their application to data stored by enterprise customers on cloud servers is unclear. The rights of customers to contest the government’s actions or even be informed of them are uncertain.
But now, a legal battle pitting Microsoft against the Justice Department raises fundamental questions that all CIOs should pay close attention to.
For U.S. federal prosecutors now consider that virtually all data stored overseas may be theirs for the taking with a simple warrant. The cloud provider need not even be American. So long as it is subject to U.S. jurisdiction, the prosecutors believe they can compel the provider to rifle through its overseas sites and hand over any data.
The providers may not even be allowed to tell you they are going behind your back to disclose your information. Foreign laws that forbid such disclosure don’t matter. Nor do overseas employees’ or customers’ expectations of confidentiality.
But surely, you say, American law officers cannot just fly to Dublin or Tokyo or Paris with a U.S. warrant, pound on a data center’s door, and demand to search the premises. No, they cannot. But our judges have been persuaded that when computer data is involved, such a “search” does not really occur abroad. Rather, it happens only after the data is transported back to the U.S. via automated network procedures and then displayed to human observers. The prosecutors go even further and argue that no “search” occurs at all, as they are only seeking “compelled production.” In either case, foreign laws, individual rights and transparency fall to the wayside.
Microsoft’s lawyers will plead their case before the Second Circuit Court of Appeals in September. The case turns on a search warrant issued by federal prosecutors in New York seeking the emails of an overseas customer of Microsoft’s Outlook.com service. These emails happen to be stored on Microsoft servers in Dublin, Ireland.
Microsoft has contested the validity of this attempt to secure overseas data by means of a U.S. warrant. Its lawyers say prosecutors should instead use the existing mutual legal assistance treaty between Ireland and the U.S., which is a more transparent and less one-sided process for obtaining the desired data.
Most of the press coverage has treated the case as if it concerns only cloud providers. But in fact, it is relevant to any firm, American or foreign, that relies on U.S. cloud providers overseas.
It is often said the U.S. government’s aggressive stance will drive all companies doing business overseas to use purely local cloud providers on whom our courts have no legal claim. Firms will hire local German cloud providers in Germany, local Japanese providers in Japan, and so on, thus leading to IT fragmentation and higher costs.
Such an inefficient and balkanized cloud scenario, if it came to pass, would be bad enough. But the actual outcome will likely be worse. It often won’t be feasible for local cloud providers to step into the shoes of the established global giants. The reality is that the cloud offerings of Amazon, Microsoft, Google and a handful of other global providers have reached a scale and degree of technical sophistication that simply cannot be duplicated by local champions.
Why can’t small providers touch the global giants? One reason is money. The top dozen or so cloud providers are investing hundreds of billions of dollars in the construction of vast global networks of linked data centers, with mostly football-field-sized facilities housing hundreds of thousands of individual servers. These networked centers continuously shift data between themselves to optimize service resilience, network latency and resource utilization.
Another reason why the local champions will be left behind is that cloud providers are increasingly shifting from commodity services to more differentiated offerings. Basic cloud infrastructure is evolving from simple virtualized servers to something much more complex. The very notion of “server” is dissolving into a more abstract notion of “compute fabric.” Don’t worry about configuring virtual machines, providers like Amazon now say, just give us your code and we’ll run it. Amazon’s new Lambda service is an early example of this trend, sometimes known as the “serverless” cloud. Microsoft and Google are rapidly heading in the same direction.
Delving deeper, we find cloud applications that by definition cannot be copied. If you want Google Apps, Office 365 or Salesforce CRM, you won’t be able to get it from your local cloud provider. In short, cloud providers confined to single-country markets will not be able to compete on the global stage. Rudimentary local services with little more to propose than remote virtual machines will not make the cut. The real choice for customers will be between a global cloud or no cloud at all. The stakes in the Microsoft case are thus very high indeed.
Microsoft’s lawyers are confident they are on firm ground in arguing the law is with them. But it’s hard to predict how the Appeals Court judges will rule. The New York prosecutors’ claims rely on a 1986 law known as the Stored Communications Act, part of the broader Electronic Communications Privacy Act. These laws are widely understood to be outdated, because they are framed in terms of obsolete 1980s technology.
Despite the prosecutors’ aggressive interpretation of these decades-old texts, it is clear they were never intended to apply overseas - their authors simply could not have anticipated the rise of the global Internet.
What is certain is that the impact of the ruling will reach far beyond Microsoft. One way or another, the warrant case will likely end up before the Supreme Court. In lawyers’ parlance, it is difficult to imagine a case more “certworthy” than this one – that is, a case where the implications for society at large are so consequential, and the divergence of legal views so vast, that the nine justices must take it up. The court’s recent landmark Riley ruling against warrantless search and seizure of cell phone contents suggests the Supremes’ strong interest in digital privacy.
In the long run, however, it is the responsibility of Congress to revise the outdated SCA and ECPA statutes. These laws must be brought into the Internet age in a way that protects the rights of enterprise cloud customers as well as those of U.S. and foreign citizens from no-holds-barred U.S. prosecutors and compliant judges with little understanding of technology.