When it comes to protecting data privacy, Microsoft has allies.
More than 75 civil liberties groups, technology companies, trade associations and computer scientists filed legal briefs today in support of the software giant, who is fighting to protect the privacy of data stored overseas from the prying eyes of the U.S. government.
The uncommon support points to the level of concern these companies and groups have about the precedent the court battle could set should Microsoft lose.
"Seldom has a case below the Supreme Court attracted the breadth and depth of legal involvement we’re seeing today," Microsoft General Counsel Brad Smith wrote in a blog post about the move. "This case involves not a narrow legal question, but a broad policy issue that is fundamental to the future of global technology."
At issue is the government's claim that a warrant obtained from a U.S. court under the authority of the Electronic Communications Privacy Act is sufficient to force Microsoft to hand over data stored on a server in Ireland. Microsoft insists the warrant is illegal and has no authority outside the U.S. After a district court rejected that argument in July, the company appealed.
Today multiple groups (.pdf), including 28 technology and media companies, 23 trade and civil liberties groups and 35 computer scientists put their names to 10 amicus briefs filed in support of Microsoft. The companies include Verizon, Apple, Amazon, Cisco, Salesforce, HP, eBay, Infor, AT&T, and Rackspace.
"[W]e have submitted this brief in order to turn back an unlawful overreach by the U.S. government," Verizon wrote in its reason for filing the brief. "The U.S. Supreme Court has reiterated many times that U.S. statutes are presumed not to have extraterritorial application unless Congress 'clearly expressed' its 'affirmative intention' to the contrary."
>The U.S. government's move is a strong-arm tactic to establish authority over data no matter where it's located as long as the company collecting the data is based in the U.S.
The government should hew to the procedures it and other governments currently follow for obtaining data outside their jurisdiction, Microsoft and its supporters argue, by using well-established treaties and partnerships to file legal requests in the native jurisdictions where data is stored. If the U.S. government is allowed to bypass the laws of local jurisdictions and force Microsoft to turn over data held overseas, Verizon notes, it will "encourage foreign governments to claim that they can obtain data stored in the U.S." in the same manner, "which would threaten the privacy of Americans."
Microsoft's Smith noted in his post today that tech companies store data locally for good reason. If data is stored near the customers who own it, "consumers and companies can retrieve their personal information more quickly and securely."
In its appeal, filed last week in the U.S. Second Circuit Court of Appeals in New York, Microsoft likened the government's move to the German Stadtpolizei serving a warrant on the Deutsche Bank headquarters in Germany to obtain records that a U.S. reporter in New York has stashed in a safety deposit box at a U.S. branch of the bank.
The case began last December when the government obtained a warrant for the content of emails and other data belonging to a customer. Microsoft found some of the data on servers in the U.S. but found that the email contents were stored on a server in Dublin. The government insisted the warrant was valid for that data as well.
The government's move is a strong-arm tactic to establish authority over data no matter where it's located as long as the company collecting the data is based in the U.S. The aggressive and novel grab for data overseas is likely a reaction to recent events following the Edward Snowden leaks in which some countries---such as Brazil and Germany---have discussed forcing U.S. companies to store data belonging to their citizens in servers in their countries.
The government has argued that unlike letters sent through regular mail, emails stored in the cloud don't belong exclusively to the person who sends or receives them. Instead, they become the business records of the cloud provider that stores them. And since business records have a lower legal protection than personal records, the government insists it can use the warrant to obtain them.
Microsoft notes, however, that U.S. courts assume that federal statutes do not apply outside U.S. territory unless Congress explicitly states they do. "Congress expressed no such intention here," Smith notes. "That fundamental point is at the heart of this case."
The case raises important implications for the separation of powers, he notes, because the Justice Department would have to sidestep Congress’s authority in asserting that the Electronic Communications Privacy Act [ECPA] is intended to apply overseas when lawmakers themselves have not expressed this intent.
"On the contrary, ECPA’s text and history show Congress believed the law would only apply domestically," he noted. "If the DOJ wants the unprecedented power it claims here, it therefore should plead its case to Congress."
