Author: Ron LaPedis
Microsoft has operated a free web-based email service since 1997, after buying an email system called Hotmail, rebranding it twice and finally replacing it with Outlook.com. Like Google, Yahoo and iCloud, Outlook.com is built in the cloud – a collection of computers, disk drives and networks all working in concert with each other.
Like all cloud-based systems, data can be stored and processed anywhere within the network, with a few exceptions. Businesses in regulated industries such as healthcare or finance, or companies held to specific governmental regulations, can specify to their cloud vendor just where their data needs to be stored and processed.
As part of an FBI investigation into a drug trafficking case in December 2013, a federal court in New York issued a warrant under the Stored Communications Act of 1986 (SCA) requiring Microsoft to produce all emails and information associated with an account it hosted.
While the information about the account was held on Microsoft’s United States servers, the actual emails were stored on a server in Dublin, Ireland, one of numerous servers Microsoft operates located around the world.
Microsoft complied with providing the account information but refused to turn over the emails, arguing that a U.S. judge has no authority to issue a warrant for information stored abroad. The judge denied Microsoft’s motion, finding that the place where the government would review the content (the United States) and not the place where the content was stored (Ireland) was the relevant place of seizure.
Microsoft appealed to the Second Circuit and was supported by several United States-based technology companies, publishers and individuals. The Irish government considered that the U.S. government’s action violated both the European Union’s Data Protection Directive and Ireland’s own data privacy laws and maintained the emails should be disclosed only on request to the Irish government pursuant to the long-standing mutual legal assistance treaty between the U.S. and Ireland.
A three-judge panel of the Second Circuit overturned the decision and the U.S. filed for an en banc rehearing. The full court split 4-4 on a vote to rehear the case, leaving the judgement in favor of Microsoft in place.
The U.S. Department of Justice filed an appeal with the Supreme Court in June 2017 and, on February 28, 2018, the Supreme Court heard the case, with a ruling originally expected by the end of the Court’s term in June.
The CLOUD Act
Shortly after the oral hearings before the Supreme Court, Congress introduced the Clarifying Lawful Overseas Use of Data Act.
Among other provisions, the CLOUD Act modified the SCA to specifically cover communication providers in the United States regardless of where the actual servers may be located. The bill was supported by both the DOJ and Microsoft and was signed into law on March 22.
By the end of March, the DOJ had issued a request for a new warrant for the original emails from the 2013 investigation under the new authority granted by the CLOUD Act, and Microsoft complied. The DOJ also requested that the Court vacate the original case and send it back to the Second Circuit, where the matter could then be rendered moot and the lawsuit dismissed.
What this means to cops
The CLOUD Act goes a long way to help law enforcement track evidence around the world. It consists of two main parts:
- The first part applies to data in the “possession, custody, or control” of providers, regardless of where the data is geographically located.
- The second part authorizes executive agreements to allow foreign governments to request content directly from U.S.-based cloud service providers.

In other words, CLOUD means that the gate swings both ways.
The CLOUD Act also provides mechanisms for the companies or the courts to reject or challenge requests if they believe the request violates the privacy rights of the foreign country where the data is stored – and this could be a problem.
The European General Data Protection Regulation (GDPR) became effective in May of 2018 and has yet to be tested in court. However, in April 2018, a court had already ruled that a citizen of the European Union had the right to request that Google remove links to articles about his criminal conviction and sentence under the older Data Protection Directive. Like the GDPR, its precursor also had a right to erasure, or “the right to be forgotten.”
It remains to be seen how GDPR will affect the CLOUD Act if a criminal learns that a warrant for his data is about to be issued and requests that it be deleted. But perhaps worse, what will happen to background checks when a criminal is allowed to request that his or her history be deleted from online databases? This is a story that may be rewritten many times over the next few years.