“Imagine this scenario: Officers of the local Stadtpolizei investigating a suspected leak to the press descend on Deutsche Bank headquarters in Frankfurt, Germany. They serve a warrant to seize a bundle of private letters that a New York Times reporter is storing in a safe deposit box at a Deutsche Bank USA branch in Manhattan. The bank complies by ordering the New York branch manager to open the reporter’s box with a master key, rummage through it, and fax the private letters to the Stadtpolizei.”
We often say, as a careless aside, that the implications of the internet are a challenge for national laws. Libel, e-commerce and now privacy raise interesting problems that will be tested in the courts in the next few years. None are more interesting than the case currently known to the 2nd United States Circuit Court of Appeals as “In the Matter of a Warrant to Search a Certain E-mail Account Controlled and Maintained by Microsoft Corporation”.
The case will decide whether the US government’s law-enforcement officers have the right to compel Microsoft, as a US corporation, to hand over a customer’s Outlook.com emails, address book and contacts that have only ever been stored on a server in the Republic of Ireland.
The German bank what-if is from Microsoft’s opening brief. Microsoft’s argument is that, if the German government attempted to retrieve documents that Deutsche Bank was holding in New York, the US secretary of state would be “outraged by the decision to bypass existing formal procedures… and to embark instead on extra-territorial law enforcement activity on American soil in violation of international law and our own privacy laws”.
There are currently bilateral legal agreements to retrieve physical documents held abroad. The same principle, Microsoft argues, applies to email stored on a server in Ireland.
Verizon has become one of several cloud providers participating in the case as amicus curiae on behalf of Microsoft, meaning the cloud providers have registered a vested interest. Why? Because international cloud business would be damaged if the appeal fails. Even if customers were not worried about the outcome if the US government snooped in their data, the customers’ governance policies, or domestic law, would prohibit exposing it in this way.
Initially fretful businesses objected to using the cloud because they lost control of where data was stored, and for the last few years carriers have been frantically putting up data centres so they can act local. If a US-based carrier now has to explain to the customer that, even though the customer’s data has never left a domestic data centre, the US government now asserts the right to examine it – well, good luck holding on to that business.
That’s why the Warrant Case was the constant topic of debate at the recent European Cloud Law summit, held on 25 November in London. Dervish Tayyip, an assistant general counsel at Microsoft, argued that this decision will have consequences for the whole industry.
He had the room’s sympathy: governance worries have already damaged global cloud providers, especially those incorporated in the US. Tayyip speculates that the lack of legal harmonisation and certainty is why we have had “two years of lack of trust” in cloud computing already. That’s why Microsoft, Verizon and others are mounting the barricades.