bit-tech.net

Microsoft loses overseas data privacy case


US District Judge Loretta Preska has rejected Microsoft's appeal against a court order levelled at its Dublin-based data centre, declaring foreign-held data a valid target for US court orders.

Microsoft has lost its appeal against data disclosure on its foreign-held servers, with the US courts declaring that a warrant served against its Dublin-based data centre must be fulfilled.

Microsoft, like any other company, frequently receives court orders requesting that it turn over data belonging to its customers. Recently, however, one such order from the US government made a request Microsoft was loath to fulfil: to turn data from its data centre in Ireland over to US authorities. Microsoft, naturally, appealed, stating that it believed laws against search and seizures on foreign soil protected said data; the government, equally naturally, said that was nonsense and that Microsoft's operations in the US make its data available upon the issuance of a valid court order regardless of the physical location of the zeros and ones.

Now, US District Judge Loretta Preska has sided with her paymasters. The ruling, reported by Bloomberg, followed a two-hour hearing and fully validates the decision made by US Magistrate Judge James C. Francis IV in April. 'Congress intended in this statute for ISPs to produce information under their control, albeit stored abroad, to law enforcement in the United States,' Preska reportedly ruled. 'As Judge Francis found, it is a question of control, not a question of the location of that information.'

The news may have a chilling effect on the burgeoning cloud computing industry. While only a naïf would presume privacy when storing data on remote systems owned by a multinational corporation, there was previously an understanding that the physical location of the servers on which the data is held would have an impact on which privacy laws applied. The court ruling suggests that the US, at least, believes this is not the case, and that any cloud provider with operations in the US will be expected to comply with data access request court orders regardless of the locality of the data or its owner.

29 Comments

RichCreedy 1st August 2014, 11:57 Quote
and no doubt, the EU will bring in laws making it illegal to release data to governments outside EU control
Gambler FEX online 1st August 2014, 12:04 Quote
So even if I choose a non us (nsa) or non uk (gchq) I must also be careful of any that has owners in the US?
Corky42 1st August 2014, 12:13 Quote
Quote:
Originally Posted by RichCreedy
and no doubt, the EU will bring in laws making it illegal to release data to governments outside EU control

I doubt the EU will do anything to prevent the release of data to governments outside the EU, if anything they will pass a law to reflect US law. It tends to be the way of these things, when one government infringes on people's civil liberties others tend to follow.
Dave Lister 1st August 2014, 12:17 Quote
Quote:
Originally Posted by Corky42
Quote:
Originally Posted by RichCreedy
and no doubt, the EU will bring in laws making it illegal to release data to governments outside EU control

I doubt the EU will do anything to prevent the release of data to governments outside the EU, if anything they will pass a law to reflect US law. It tends to be the way of these things, when one government infringes on people's civil liberties others tend to follow.

Completely agree. The EU is just another US puppet.
Gareth Halfacree 1st August 2014, 12:18 Quote
Quote:
Originally Posted by Gambler FEX online
So even if I choose a non us (nsa) or non uk (gchq) I must also be careful of any that has owners in the US?
Not even owners; operations would be enough. Your Swiss cloud provider has a single US customer? That'd be enough, arguably. (Enforcing a ruling against a foreign company that doesn't care if you ban it in your own country would be a challenge, mind.)

The solution, as always, is strong client-side encryption: never upload anything to your cloud provider in-the-clear. Assuming your chosen encryption method isn't crackable and/or hasn't been back-doored by the spooks, all your provider will be releasing will be the encrypted data. There are several cloud storage providers, like SpiderOak, that build this directly into their software - so-called 'zero knowledge' systems, where the provider couldn't expose the plaintext even if they wanted to.
impar 1st August 2014, 13:41 Quote
Greetings!

Does this affect, or could affect, the Microsoft accounts for login in Windows OSes?
Nexxo 1st August 2014, 14:34 Quote
That data should be encrypted, so I doubt that it would be of any use.
Corky42 1st August 2014, 14:55 Quote
Quote:
Originally Posted by Gareth Halfacree
The solution, as always, is strong client-side encryption:
<Snip>

Isn't there a law that says you have to provide the encryption key, or something like that?

Personally I think all requests for data should be handled the same way we do in the real world, a warrant should be served to the individual who owns it. (at least I think that's how it works)

Can TPTB serve a warrant on a company like Big Yellow Self Storage without first contacting the owner?
RichCreedy 1st August 2014, 15:38 Quote
that's the problem, Microsoft takes ownership of data on its servers, so as to help with data protection laws
Gareth Halfacree 1st August 2014, 15:42 Quote
Quote:
Originally Posted by Corky42
Isn't there a law that says you have to provide the encryption key, or something like that.
The Regulation of Investigatory Powers Act (RIPA), which allows for a jail sentence if you refuse to divulge passwords and/or provide decryption keys when requested. That's a UK law, though, and would be very difficult for a US court to enforce on a UK citizen. In other words: encrypting your data before uploading it to the cloud will protect you from other countries, but not your own (assuming "your own" is the UK, or a country that has similar laws regarding encryption.)
schmidtbag 1st August 2014, 17:55 Quote
So first of all - who the hell feels the need to get info on Ireland? They're one of the most helpful countries in the world proportionate to their population and income. I don't see what the US government could possibly want from them.

This situation is just so annoying. I'm not a fan of MS but I personally appreciate how they don't want to give away customer data to governments. I'm not sure if this means just cloud data or all data (including searches).

It won't be long until the US makes some serious enemies in the world that used to be allies. I really hope to move out of the country before that happens.
Corky42 1st August 2014, 19:10 Quote
I don't think it's info on Ireland, it's info that is stored there or any other non US countries. I think (not sure) that when a warrant is served to Microsoft to provide the data it holds on a particular user account it can no longer say the warrant is invalid because the servers are outside US jurisdiction.
Locknload 1st August 2014, 19:26 Quote
If I personally had data which I considered private, and the government or (*LAUGH*) the USA asked to see it and compelled me to hand over passwords etc... They can go and kiss my big old ass, and give me a cell.

Who the funk do they think they are?

Screw them all...... Nonces!
Gareth Halfacree 1st August 2014, 20:15 Quote
Quote:
Originally Posted by schmidtbag
So first of all - who the hell feels the need to get info on Ireland? They're one of the most helpful countries in the world proportionate to their population and income. I don't see what the US government could possibly want from them.
You might want to re-read the article; you appear to have confused "data in Ireland" with "data on Ireland."
Quote:
Originally Posted by Locknload
If I personally had data which I considered private, and the government or (*LAUGH*) the USA asked to see it and compelled me to hand over passwords etc... They can go and kiss my big old ass, and give me a cell.
There's at least one person in prison right now who believed that. For some, it's actually a smart way of reducing their sentence. Let's say, for example, that Joe Madeupname is a criminal. He's a child pornographer, or a terrorist, or a spy. He has pictures, videos, whatever kind of data that would result in a hefty prison sentence were they to be found, so he encrypts them. He gets raided, and his decryption keys are demanded under RIPA. "No," he says. Et voila: a potential 15-to-life sentence just became five years (two if they can't convince the judge that the case involves child endangerment or national security.)

Then there's the flipside of the legislation: if Steve Differentmadeupname is innocent but suspected of a crime, and he can't prove that the chunk of seemingly random data they pulled off his hard drive isn't an encrypted volume, or can't unlock a genuine encrypted volume because he's honestly forgotten the password or deleted the key, that's two years in chokey regardless of his innocence relating to the original crime.

Then there's hidden volumes: TrueCrypt, backdoored or not, had the ability to have multiple levels of encryption. Create a 50GB encrypted volume, protect it with PasswordA, store a few files in it. Create a hidden volume on that encrypted volume, encrypt it with PasswordB. If raided, give LEO PasswordA; there is, in an ideal implementation, no way for them to prove that there is a second password that unlocks an additional layer of data. Get-out-of-RIPA-free card, basically.
Alecto 1st August 2014, 22:21 Quote
Quote:
Originally Posted by Gareth Halfacree
[... and he can't prove that the chunk of seemingly random data they pulled off his hard drive isn't an encrypted volume

For real? Every computer with a hard drive installed (including, among others, those used by the judge, jury and court officials ...) has some unused space left on its hard drive(s), lest the OS would get into trouble. Who gets to decide that they don't have to prove there isn't an encrypted volume hidden there and consequently serve 2-5 years in jail because they couldn't possibly disprove something that doesn't exist?

Even if that space was nothing but binary zeroes it could (in theory) still contain a hidden volume, with data and encryption key coming out as series of 00000000 purely by coincidence. So one would end up in jail even when there never was any hidden data container ... absurd.
kHAn_au 2nd August 2014, 11:12 Quote
Have any of you read the Azure T's & C's? It states clearly that data will be given to the US upon a valid request.
Corky42 2nd August 2014, 12:43 Quote
No they don't.
They state...
Quote:
We will not disclose Customer Data to a third party (including law enforcement, other government entity, or civil litigant; excluding our subcontractors) except as you direct or unless required by law.
And of most relevance to the above article...
Quote:
You may specify the geographic region of the Microsoft data centers in which Customer Data will be stored. Microsoft may transfer Customer Data within a major geographic region (for example, within the United States or within Europe) for data redundancy or other purposes. Microsoft will not transfer Customer Data outside the major geographic region you specify (for example, from the United States to Asia or from Europe to the United States) except:
  • where you configure the account to enable this, including through use of features that may not enable regional selection or may use multiple regions, as specified in the Microsoft Azure Trust Center (which Microsoft may update from time to time but Microsoft will not add exceptions for existing features in general release); or
  • where necessary to provide customer support, to troubleshoot the service or to comply with legal requirements.

AFAIK warrants are only applicable to the country they are issued in, it's why someone like Julian Assange is held up in an embassy, because the arrest warrant isn't enforceable outside the jurisdiction that it was issued from, and why extradition orders are agreed.

This ruling in the US courts makes a mockery of international law (imho).
Nexxo 2nd August 2014, 12:48 Quote
Hmmm... I read these T&C to carefully avoid the question where these legal requirements come from. The way they are phrased, "required by law" does not state which law (local to the region where the data is stored or not), or which legal requirements (local to the region where the data is stored or not). Sneaky.
Corky42 2nd August 2014, 13:09 Quote
They don't have to state which law, AFAIK laws are only applicable in the country they are made in, if you want to apply a law that is outside its jurisdiction you have to go through the international legal system, or come to some form of agreement.
Nexxo 2nd August 2014, 13:24 Quote
But that's the point. Which jurisdiction are we talking about? The one of the country where the data is stored, or the one of the country where the company is based that offers the storage service? That is not specified, so left open to interpretation.
Corky42 2nd August 2014, 15:02 Quote
Well isn't that why it has ended up in the courts ?

On one hand some people say it should be the law that is applicable to the country that the company is based in.
On the other some people say it should be the law that is applicable in the country where the actual data is stored.

IMHO this isn't something that an individual country's courts should be deciding, it should be something for the international courts, or for each country to make arrangements with each other in the same way as some countries have extradition treaties with each other.

Data should be treated in the same way as a physical object like money, or people (imho)
Nexxo 2nd August 2014, 16:04 Quote
I totally agree. The problem as I see it is that people are invited to agree to ambiguous T&C that are left open to interpretation (I suspect deliberately, to sidestep the issue that the service provider cannot actually assure its privacy). Then the US pulls this stunt, the whole thing goes to court and everybody goes: "Hey, wait a minute...".

This is indeed something that the international court was made for, IMHO. But the US doesn't sign up to it, so will always be a law unto itself.
Corky42 2nd August 2014, 16:21 Quote
Isn't that the case with all T&C's though ? That they are all bound by the current laws.
To me it seems Microsoft have been as clear as they could have been, even going as far as to set up servers in Ireland to geographically, and it was assumed jurisdictionally, isolate data.

I'm happy to see Microsoft fighting this in the courts, and that they immediately appealed against the decision.
I just hope for the sake of not only civil rights but also from a business and jobs point of view that the decision gets overturned.
Nexxo 2nd August 2014, 17:59 Quote
"Unless required by law" does not mean "unless required by the law as it stood at the time that you agreed with the T&C". That's the tricky bit. It is all worded so loosely that it can be interpreted whichever way you want.
Corky42 2nd August 2014, 18:29 Quote
So you expect them to break a new law because it wasn't in effect when you agreed to the T&C's? If the law changes it's up to the people that are affected to be aware of it, Ignorantia juris non excusat.

Would it be that you are seeing Microsoft's T&C's as being ambiguous or vague because you are applying the law that this article talks about to them? Not sure if the article mentions that it hasn't come into effect yet, the judge postponed it taking effect so Microsoft would have time to appeal.
Nexxo 2nd August 2014, 21:09 Quote
The problem is that if this (or any other new) law does come into effect, it will change the conditions that the user agreed to. It could be argued that the user should have realised that the law is always subject to change, but arguably you are then expecting the user to agree to conditions that may change at any time in an unforeseeable manner. This raises issues of valid and informed consent.

A more informed T&C would explicitly point out that the law is subject to change and that therefore so are the conditions in the T&C, without prior consent by the user.
Corky42 3rd August 2014, 08:50 Quote
And that's why every T&C's I have ever read says the T&C's are subject to change, normally if you don't agree with those changes you have the option to terminate the service. It's one of the many reasons why I personally think the current way cloud services operate is flawed, if you rely on it to do business and the T&C's change you may find you are forced to agree with a new term or condition.

Although the Azure privacy statement doesn't explicitly say they may need to update due to changes in the law, it does say...
Quote:
We will occasionally update our privacy statements to reflect customer feedback and changes in our Services. When we post changes to a statement, we will revise the "last updated" date at the top of the statement. If there are material changes to the statement or in how Microsoft will use your information, we will notify you either by posting a notice of such changes before they take effect or by directly sending you a notification. We encourage you to periodically review the privacy statements for the products and services you use to learn how Microsoft is protecting your information.
Nexxo 3rd August 2014, 11:37 Quote
In fact, by deferring to laws that are subject to change, the T&C can change even when they themselves don't change, thus not triggering an update warning (yo, dawg, I heard you like changes...).

I wouldn't use the cloud for anything vital.
mi1ez 4th August 2014, 01:59 Quote
Quote:
Originally Posted by Nexxo

I wouldn't use the cloud for anything vital.

This. Good to see Microsoft fighting but ultimately, who's surprised. US couldn't give a **** about people or laws.