27 comments

[ 3.0 ms ] story [ 61.9 ms ] thread
Am I missing something, or is there no new information here since summer 2017? Did the supreme Court ruling happen already?
This is a very important case. If the SCOTUS rules in favor of the US then corps which are active in both the US and the EU will be stuck having to decide who’s laws to follow. Unilateral extraterritorial application of domestic laws is rarely a good idea, especially when a bilateral mutual legal assistance treaty already exists (which the US didn’t use in this case).

The following amicus briefs are a good read introduction to the case:

Brief amici curiae of Bundesverband der Deutschen Industrie e.V., Deutscher Industrie- und Handelskammertag e.V., Ibec clg, Konfederacja Lewiatan, and Mouvement des Enterprises de France filed. (Distributed) http://www.supremecourt.gov/DocketPDF/17/17-2/27520/20180111...

Brief amicus curiae of European Commission on Behalf of the European Union in support of neither party filed. https://www.supremecourt.gov/DocketPDF/17/17-2/23633/2017121...

———

These are way to long to read completly, but already a quick browse can be enlightening:

Brief of petitioner United States filed. https://www.supremecourt.gov/DocketPDF/17/17-2/22902/2017120...

Brief of respondent Microsoft Corporation filed. (Distributed) Jan 17 2018 https://www.supremecourt.gov/DocketPDF/17/17-2/27619/2018011...

———

HN Readers might also enjoy this one:

Brief amicus curiae of 51 COMPUTER SCIENTISTS filed:

https://www.supremecourt.gov/DocketPDF/17/17-2/28101/2018011...

There's no reason to believe a multinational corporation can roll out a service globally and maintain it consistently with all nations's laws. See for example Google in China. They could always segment their services or be split into multiple companies.

Although it would be convenient to live in a legally consistent world, I think we are in a much better situation than hundreds of years ago, when the largest corporation had its own laws, its own army, and the ability to carry out the death penalty.

> See for example Google in China.

Yes, Google’s Services in China are adapted to local laws. But China only applies those laws inside it’s territory. China is not demanding that Google block “Tank Man”-Videos outside of China. The US wants to apply the Stored Communications Act outside of it’s territory (In casu to Ireland).

The US wants to apply the Stored Communications Act outside of it’s territory (In casu to Ireland).

Devil's-advocate point of view: if SCOTUS decides in Microsoft's favor, won't that give them carte blance to play "keep away" with any data sought by law enforcement? Any potentially-sensitive data would presumably be stored outside the US's borders in that case, in a country with laws sympathetic to the company's interests. I just don't see a good argument to be made for allowing a company chartered under US law to behave this way.

IMO, if Microsoft has the ability to access the data, then they have the responsibility to turn it over in response to a legitimate court order. The fact that they chose to store the data on a server in Ireland, a server in Washington, or a server in orbit around Mars seems immaterial. If it's under their control, it's under their control.

> Any potentially-sensitive data would presumably be stored outside the US's borders in that case, in a country with laws sympathetic to the company's interests. I just don't see a good argument to be made for allowing a company chartered under US law to behave this way.

well currently than they need to search a country that would not coporate. Currently if some bad guy would store sensitive/illegal or whatever data in germany and the us would come and ask for it, the german law enforcement would check if the request (would meet all requirements in the german law for data search, etc) is valid and if it would, they would hand over the data. that's how it should happen and how it actually happens to some extent.

But this isn't just "some bad guy" stashing data on a foreign server. The person who is the target of the search warrant handed his data over to a third party, a corporation operating under US law.

The fact that it's currently stored on a server that happens to be outside the US strikes me as one of those clever technicalities that impresses us nerds but doesn't impress judges.

The issues are not actually technological here.

These data access/privacy/disclosure issues could have and did exist in the days of paper records. The tech stuff is just a spurious justification for stepping around 200 years of treaties this country has signed, many of which cover jurisdictional issues wrt multi-national companies.

Can you clarify how segmenting the services has any effect on this? It seems that even if Microsoft had an entirely EU-only product that the same rules would apply for accessing the data.
Microsoft could do it like some other companies do it, like League of Legends in China which is leased (the whole software) to another company and not hosted by Riot Games. (well it was like that in the past, hosted by tencent until the company took over riot as a whole. but sea servers are still provided by garena as far as I know)

Currently Microsoft already has a partnership with Deutsche Telekom in Germany (https://cloud.telekom.de/software/office-365/) and they could easily lease the whole Office365 suite to Telekom, but that means that they get less money (at the moment it is still operated by microsoft and telekom is only there for additional trust and control). At the moment Office365 by Telekom is still hosted by Microsoft and Azure Germany is hosted by Microsoft aswell, but I guess they could lease it, if they really need to.

1Password also does this for their 1Password.eu accounts, of which the data is stored on EU AWS, which in turn is operated by ‘Amazon Web Services GmbH‘ :)
Unrelated to this article, but concerning the government's anti-monopoly crusade against Microsoft in the late 90s (which is relevant because many circles are unfortunately exploring government intervention against tech) ...

One common narrative is government intervention proved irrelevant because Microsoft missed mobile and the web anyway.

This is correct for mobile but wrong for the web.

Imagine no government intervention around the browser. If Microsoft controls the browser, and essentially the search engine, does Google enjoy the same trajectory? It's possible, but improbable.

Incidentally, mobile probably looks different with no Android, with Apple possibly even more dominant. However, this mobile assertion is more tenuous because it's two hypothetical steps away from non-intervention.

Whether intervention is right or wrong is a separate question altogether. But to claim that intervention had no practical effect on Microsoft undermines the pursuit of the right answer.

n/m
Already noted, just wanted an excuse to hear discussion on this topic since government intervention is gaining steam among many circles.

Didn't mean to distract from the article. Better to delete the comment?

Thanks for the reply!

I'd say keep it up. Made me think for a minute
Thanks, do you agree/disagree? Received downvotes so it seems the crowd felt like it didn't belong, but couldn't delete the comment because the option vanished.
If Microsoft has to disclose information from other countries this will be a big hit for all the other providers too. I even see the coming of a segmented internet. A future where you'll need permission to cross "internet" borders.
> A future where you'll need permission to cross "internet" borders.

Yes, a natural (if slightly delayed) consequence of the internet becoming an important part of the real world is that governments treat information moving across the internet like everything else in the real world.

I am American and believe as patriotic as anyone but honestly it does not make sense to me for the US gov to be able to go after data stored outside the US. This is a very important rulling and I worry about the ruling being the wrong one, imo.
Think about it in terms of physical documents or items, and it might make more sense.

Suppose, for example, I have leased a rare car from you. The lease has expired and I have refused to return the car. You have sued me for the return of the car. You have won, and the court has ordered me to turn over the car.

The court can force me to comply, even if I'm keeping the car in a garage I rent across the border in Mexico.

Does that raise issues of extraterritorial jurisdiction? Will Mexico be upset with the court? Will the court have to work with Mexican authorities to enforce its order?

The answer to all three of those questions is no.

The key is that the court is not ordering anything to happen in Mexico. It is just ordering me to produce the car.

Sure, I may have to act in Mexico to do this, by sending someone to go get it, or calling up the garage there and paying them to ship the car back, but those are ordinary acts that I am allowed to do in Mexico at will. As far as Mexico is concerned all that is happening is that someone (me) who has legally stored a car in a garage there is legally retrieving that car. They don't care WHY I'm retrieving the car.

Now if the court was not ordering me to produce the car, but instead was authorizing a sheriff to go seize the car from the garage, that would be an attempt at a US court at exercising extraterritorial jurisdiction, and Mexico would quite strongly object. The sheriff would have to go through the Mexican judicial system and get a Mexican order to seize the car.

The above example used a civil case, but the principles apply in general. I used the US and Mexico, but that's how it is between pretty much any pair of countries.

If it did NOT work this way, it would be a complete disaster for consumer protection regulation (and most other regulation). Any company that wanted to keep their records secret from regulators could simply keep those records in another country.

Nowadays, in the age of paperless, this could even be made automatic. Keep your internal mail servers and file servers in another country that does not have good relations with your home country and most of your internal records are now out of reach of regulators.

How does this work if the car was never in the US in the first place, and you are being ordered to turn over a car that was procured, leased, operated and contracted in Mexico entirely, nothing to do with the US, other than the fact that you live here and were ordered by a Judge to go get the car and bring it back?

Isn't this closer to what has actually happened? The account holder indicated he was from Ireland when he signed up with Microsoft, thus the account was created and maintained in Ireland to reduce latency, thus the Fed should invoke the mutual assistance treaty with Ireland to get the data properly.

The example of using the Government agents to do the bidding being bad and FORCING me to do the bidding is proper is completely wrong. If I am being forced to do something by the government, am I not acting as its agent at that point? If the government is denied a warrant for a building, it can't convince the janitor to steal the docs at the end of the night, thats just a run around the checks and balances of the law.

EU considers your personal data still partially yours even though some company is hosting them. So the analogy is broken.

Also intent is important in law. If data is kept outside US so that they are the closest to the customer it's different from doing it to keep them secret from government