Microsoft Privacy Case: What's At Stake? - InformationWeek

A ruling that Microsoft must turn over emails in a foreign data center could cost US businesses billions and make a mess of international law, experts say.

Microsoft executive VP and general counsel Brad Smith vowed this week to fight US District Court Judge Loretta A. Preska's ruling that the company must turn over customers' emails to the government, even though the data is stored in a Microsoft data center in Ireland. The verdict won't be immediately applied, because Preska, who unexpectedly issued a bench ruling, stayed her decision so that Microsoft can appeal. Nevertheless, many are concerned that if the ruling becomes an established precedent, it will spell trouble not only for privacy rights and international law, but also for the US tech market.

In the wake of the NSA surveillance scandal, some foreign governments and businesses have been hesitant to use US tech products. At this time last year, experts estimated that the damage to the US tech sector's reputation might cost domestic cloud companies $45 billion. Since then, Microsoft, Google, Cisco, and other large tech players have denied installing NSA backdoors in their products. Many have also enjoyed strong cloud momentum, as more businesses have embraced cloud infrastructure and hosted services to improve bottom lines.

Nevertheless, privacy and security concerns remain prevalent, especially on the international scene, where countries including China and Russia are removing US products from government use, and replacing them with local alternatives. There's a lot of political theater mixed into these concerns over data security and US trustworthiness, of course, but make no mistake: Decisions such as Preska's stoke legitimate fears.

"There's a great deal of legal uncertainty at the moment," Kate Westmoreland, a lawyer and fellow at Stanford Law School said in a phone interview. "Either way this decision unfolds in the end, the important thing is to have some business certainty."

Westmoreland cautioned in a blog post that the ruling doesn't grant the US government unrestricted access to cloud data. The ruling applies only to US-based companies, and the issue only came before Preska because another judge found probable cause to issue a search warrant in the first place. It's too soon to tell if the ruling is a good or bad thing, she wrote, because the case's outcome is less important than the legal rationale that supports it. That rationale could evolve as the case winds through years of appeals.

In the interview, Westmoreland explained some of the potential complications. "Countries will be looking to each other to see how they're handling these things. The way the US courts behave, other countries will be looking at that as a way they might approach it."

"Lost business is an obvious outcome" if the ruling is implemented, but the ramifications for international law could be much worse, according to Morgan Reed, executive director at the Association for Competitive Technology (ACT). In an interview, he told us that if the US government can compel Microsoft to turn over data in an Irish data center, "European governments may say, 'We can extract data from US citizens anywhere in the world.'"

This sort of legal interpretation could lead to a "Balkanization of the Internet," he said, that would threaten the Web's unique identity. He also worries the ruling indicates that "storing data with a company in the US essentially turns you into a US citizen" in terms of the government's reach, but not necessarily its due process protections. "Not everyone has access to the courts in the same way we do. That's unnerving."

Elad Yoran, CEO of cloud security vendor Vaultive, said even if businesses are concerned about government overreach, they shouldn't resist the cloud. "If anything is true of Microsoft's cloud, it's that it's very secure," he told InformationWeek. "The problem is, even if Microsoft builds the widest moats and highest walls, when the judge says, 'Turn the data over,' Microsoft has to. It's a question of control."

Yoran suggests that businesses should apply persistent encryption to data before moving content to the cloud, and that they hold onto the keys themselves. "The golden rule with encryption is, whoever controls the keys controls the data," he said, illustrating that even if Microsoft is forced to give a government your encrypted data, that government could have no way to read it.

Westmoreland also endorses encryption: "It means power is back with the user. There are limitations on being able to compel users to give up those keys."

Yoran, Westmoreland, and Reed all agree that the issue could take years to resolve. According to Reed, the inevitability of a lengthy appeals process might explain why Preska issued a stayed bench ruling. "This case was always going up," he says. "The ruling was a recognition that this was not the final word on this decision. The judge said, 'Why don't I speed it along?'

"It's unfortunate she did that by ruling against innovative tech companies."

Michael Endler joined InformationWeek as an associate editor in 2012. He previously worked in talent representation in the entertainment industry, as a freelance copywriter and photojournalist, and as a teacher. Michael earned a BA in English from Stanford University in 2005 ...

Michael Endler,
User Rank: Author
8/4/2014 | 5:03:43 PM
Re: News or Editorial?
Thanks for reading, and for the constructive criticism. A few thoughts:

"'NSA Scandal.' Presumably you're referring to the greatest breach of national security in U.S. history?" Sure, you can call it that, if you want. Frankly, I think at this point that the "is all the surveillance justified" argument is well-trod ground. But I'll concede I could have referenced the rationale voiced by the NSA and other agencies, even if it's implicit. Nevertheless, I think "scandal" is appropriate. Even if you think the NSA's programs are necessary, was it not scandalous that a contract employee could single-handedly execute "the greatest breach of national security in U.S. history?" The word "scandal" can apply to both government overreach, or the incompetence with which it communicated top-secret information to people less trustworthy than their bosses supposed. Take your pick.

"If the numbers don't exist, let's drop this argument." That stat isn't beyond reproach, but it wasn't really presented like it was. The paragraph states that even though analysts were predicting huge revenue losses, many cloud companies have nevertheless achieved great momentum (while also continuing to refute some allegations). If there's any subtext there, it's that privacy concerns haven't stopped Microsoft, Google, Amazon et al from raking in the cash. The question is whether they'd be raking in more cash if the Snowden leaks hadn't occurred. The tech companies certainly say so. I received this statement today, for instance, from Carson Sweet, CEO of CloudPassage: "As we've worked with EU-based enterprises on cloud security, we've seen a marked drag in public cloud IaaS adoption as the result of privacy concerns. Most of our international customers lean toward private cloud adoption as a result, and many are waiting for non-US-based cloud providers before adopting public cloud IaaS." As your comment indicates, the tech companies aren't necessarily disinterested, so you can take their position with a grain of salt, but it's one thing to be skeptical, and another to say the concerns aren't worth discussing. The empirical, irrefutable numbers you seem to want might not exist yet, but I don't think you can just "drop" the concern.

Russia and China: The economic and political complexities among China, Russia and the United States are significant; my reference to "political theater" was meant to allude to sanctions and all the rest while maintaining a tight scope on this specific case-- but perhaps I chose too flippant a term. But even if those factors are significant, so are the governments' efforts to ditch Microsoft products. These efforts arguably use privacy concerns as an excuse to promote local agendas, so there's still some more political murkiness there. But I'll let you convince Microsoft CFO Amy Hood that, "The idea of shedding a tear over lost sales to either nation is laughable." I'll also let you convince the majority of Microsoft investors.

To be clear, I'm not debating your ethical stance here. But it's impractical to assume Microsoft will simply shrug and say, "Whatever, we don't care, China and Russia are run by people we don't like, so good riddance." Microsoft execs have repeatedly cited China as an essential growth market, and though the IT decisions of its government don't dictate the rhythms of the country's larger market, Microsoft doesn't find this topic "laughable."

Michael Endler,
User Rank: Author
8/4/2014 | 4:29:01 PM
Re: Encryption will save us all!!!

Well, it depends. Users can be different than companies. Per the Stored Communications Act, a lot of the justification for companies having to turn over information derives from the fact that customers willingly gave their information to the company in the first place. Transmitting one's data to a third party, at least in some contexts, is legally tantamount to waiving your expectation that privacy over that data will be respected. It might sound insane, but it's what the courts are working with, until we have clearer and more modern legal language.

But an individual user who holds the keys hasn't transmitted those keys to a third party, which muddles things, at least regarding the SCA. Westmoreland also told me that your right against self-incrimination could help you to withstand government requests for encryption keys.
Michael Endler,
User Rank: Author
8/4/2014 | 4:22:50 PM
Re: The Enforcement Issue
I doubt the U.S. would physically violate another country's sovereignty over something like an email, but I imagine the government could impose all kinds of financial penalties, and potentially charge Microsoft employees in some way.
Michael Endler,
User Rank: Author
8/4/2014 | 4:20:03 PM
Re: Is the subject of the investigation a US resident?
The customer in question is not publicly identified, nor is his country of origin. The data that tech companies are allowed to share regarding government requests is far, far from complete, but suffice to say, the government doesn't just ask about U.S. citizens. The impression I got talking to the people cited in this article is that the final legal rationale will be quite important. For example, even if the case does involve a U.S. citizen (which again, isn't clear), the ruling could still leave open the door for international searches. And if the case involves a foreign citizen, then the issue is academic. It's not like there's been a shortage of bizarre justifications coming out of the judiciary lately, though the courts have been kind of unpredictable regarding privacy and warrants--e.g. the Supreme Court's recent cell phone ruling increased privacy protections. Judges use smartphones, and judges use email too, after all. 

As for whether the U.S. "allows" Russia or Iran to behave similarly-- that's the potential concern, that U.S. will set a precedent for far-reaching searches of electronic data, and that other countries will base their policies similarly.