duquesne
Research Duquesne Advisory delivers in-depth analyses of Information and Communications Technologies, their implementations and their markets. Research is based on critical observation of the market by the analysts and their on-going contacts with the vendor community, together with hands-on, practical experience in consulting engagements.

Dublin email case on appeal: three reasons why Microsoft is right


In this case, the US Department of Justice (DOJ) lost and Microsoft won befoe the 2nd Circuit. The Supreme Court in October 2017 accepted to hear the DOJ appeal from that ruling in early 2018.

We stand by our opinion in this 2015 article that the DOJ is wrong and Microsoft is right.


Dublin email case on appeal: three reasons why Microsoft is right
On September 10, 2015, the US Second Circuit Court of Appeals heard oral arguments in Microsoft’s appeal of a District Court ruling ordering it to comply with a search warrant for a customer’s emails stored in its Dublin data center.

The warrant was issued pursuant to Title II of the ECPA (the Electronic Communications Privacy Act) – a law passed in 1986 before the invention of the World Wide Web - which addresses the disclosure of "stored wire and electronic communications and transactional records" held by Service Providers.

Win or lose, Microsoft is deadly serious about this case and the company’s General Counsel Brad Smith will fight all the way to the Supreme Court if that's what it takes. In January of this year, Microsoft published an impressive opening brief for its appeal, prepared with help from some of the best and most expensive legal talent in New York.

After analysing in detail the arguments, we concluded that Micorsoft had a reasonable - though far from certain - chance of winning. In this post, we draw upon that analysis as well as on Wednesday’s oral arguments not to predict the outcome but to present three reasons why we think that the US government is wrong and Microsoft is right.

Turnabout is fair play: a big mess in international legal cooperation

In a recent interview, Microsoft General Counsel Brad Smith said “People want to know what law will be applied to their data. French want their rights under French law and Brazilians under Brazilian law. What is the US government going to do when other governments reach into the US data centers, without notifying the US government.... If the US government wins, the door is open...”

It didn’t have to be this way. The government could have used the MLAT (Multilateral Legal Assistance Treaties) process with Ireland but – for reasons unknown – considered it to be too “cumbersome”. In the case of cooperation with EU countries, urgent requests can be processed in a matter of days. To prevent the destruction of evidence, US law enforcement may call a hotline on a 24/7 basis. The Irish Republic, in particular, has an outstanding reputation for law enforcement cooperation with US authorities, generally processing requests for freezing cooperation orders within 24 hours.

A ruling in favour of the US government would be an enormous blow to multilateral legal co-operation for electronic evidence, with different countries – including thoroughly authoritarian regimes – opting for a unilateral approach and citing the United States of America as the example.

The Court of Appeals does seem to be aware of this risk but may well decide that it is a problem for the other branches of the government. As one of the three judges said Wednesday morning; “We don’t do foreign relations... If Congress passes a law and the executive wields it like a blunderbuss in such a way as to cause international tensions, that’s for them to worry about.”

If the government wins, the US Tech industry would take a big hit

On Wednesday, federal prosecutors told the court that the government has the right to demand the emails - of anyone in the world - from any email provider headquartered within US borders. At the time of the initial ruling, we wrote that "the stakes are very high because, if the ruling stands, it could potentially impact not only ISP email services but also services like Office 365 and Google Apps, and even the B2B cloud services provided by AWS, IBM, Verizon and of course Microsoft itself."

This would be very bad news for US Tech companies who have finally begun to understand that there is an important principle at stake for non American customers and a lot of international business at risk.

Briefly stated, customers expect that access to their sensitive data should be governed by their own national jurisdictions (or at least by the laws of the countries where they choose to store their data) and not by the jurisdiction, however benevolent, of the HQ of their Internet or cloud provider.

According to Microsoft General Counsel Brad Smith in an interview with The Guardian, a government win would “force companies to look for more ways to encrypt data and not retain the keys." Indeed some big players such as Amazon are already offering “customer controlled” encryption for data in the cloud, sold as "security best practice" but with the additional advantage of taking the provider “out of the loop”.

Even so, the issue of US judicial intrusiveness in other countries is increasingly (albeit vaguely) seen as part of a bigger picture of technology enabled espionage, including "backdoors" in American technology exports. The big risk to US Tech is that companies and governments in many countries may well begin to think that US technology just can’t be trusted.

The legal reasoning of the US government is profoundly flawed

The fundamental issue in this case is whether the ECPA gives the federal government authority to conduct extraterritorial search and seizure, given that it is established constitutional law that US search warrants are only valid in US territory.

To get around this difficulty, federal prosecutors and the District Court ruling relied on two extraordinarily creative – but deeply flawed – legal arguments.

  • Location doesn’t matter in cyberspace: the emails are “really” stored in Seattle at Microsoft HQ

According to the government, "electronic property" is just a block of ones and zeroes “stored somewhere on somebody else’s computer" and accessible over the Internet. In other words, in “cyberspace”, geographical location doesn’t mean anything. The District Court ruling even concluded that the search and seizure of electronic property can be considered - for the purposes of the law - as happening at the headquarters of the Service Provider, in this case in Seattle.

As a matter of fact, however, the emails in question (those blocks of ones and zeroes) are really stored in a server or on a disk drive in Dublin, even if they can be copied to Seattle. All of this ill-informed and fuzzy thinking - contradicted by numerous judicial precedents and thoroughly debunked by 35 eminent computer scientists in an amicus curiae brief filed with the court - doesn’t change that physical reality.

  • A search warrant under the ECPA is “not really” a search warrant but a hybrid subpoena

This is a crucial - if highly technical - legal point in the government’s case. Warrants give law enforcement the right to enter and search premises while a subpoena requires the recipient to produce information in its possession, custody, or control regardless of the location of that information.

The government claimed that the document issued as a search warrant was in fact a “hybrid subpoena”. When the Court asked if the ECPA warrant was “a subpoena dressed up as a warrant that also has the powers of a subpoena”, the government attorneys said it was indeed.

The problem with this argument is that it is totally inconsistent with the statute Congress actually wrote. In fact, the ECPA provides for both warrants and subpoenas, but does so separately and treats them very differently. A simple subpoena is enough to order the production in court of the business records of a Service Provider but Congress required a warrant (a very different legal instrument in the Anglo-American legal tradition) for the search and seizure of private communications held in trust.

One might also add that the Eighth Circuit Court of Appeals in an earlier case rejected the argument that subpoena rules should apply to warrants issued under the ECPA, noting that “while warrants for electronic data are often served like subpoenas (via fax), Congress called them warrants and we find that Congress intended them to be treated as warrants.”

Conclusion

The stakes are very high. Who will win – the "national security state" or the open international Internet ?

Microsoft has surprised a good many people by assuming the mantel of a principled industry leader, defending not only the interests of the US Tech industry but also the rights of users to privacy in the digital world.

We think Microsoft is right.

Thursday, September 10th 2015
Duquesne Advisory
Newsletter To subscribe to the Duquesne Advisory Newsletter, please enter your e-mail address.

Duquesne Advisory

Duquesne Advisory Ltd is a European firm, headquartered in the UK, dedicated to researching, understanding and advising clients worldwide on opportunities and trends in Information and Communications technology.

Research

Duquesne Advisory delivers in-depth analyses of Information and Communications Technologies, their implementations and their markets. Research is based on critical observation of the market by the analysts and their on-going contacts with the vendor community, together with hands-on, practical experience in consulting engagements.

Consulting

The analysts of Duquesne Advisory leverage the Firm’s ongoing market and technology research to undertake high added value consulting engagements for both ICT users and ICT providers. Focused on client service, their approach is rigorous and methodical, and at the same time pragmatic and operational.