A US-European Crisis of Confidence over Cloud Computing Services?
In a precedent setting ruling, a US court compelled the Microsoft Corporation to disclose details of an electronic mail account stored in Ireland without obtaining permission from the local authorities. The struggle over the right of privacy on the web enters the international arena. Exclusive analysis
Adv. Admit Ivgi
| 28/07/2015
A federal court in the USA ordered the Microsoft Corporation to disclose and produce electronic mail account details and other private digital information to law enforcement authorities. This despite the fact that this information was stored in the corporation's servers in Ireland within Microsoft's cloud computing services. The significance of this ruling is that any provider of cloud services who has a branch in the USA will be obliged to cooperate with the authorities by disclosing and producing its clients’ information. This slippery slope could lead to a situation where every cloud computing service provider (like Apple and Google, for example) will be compelled to disclose private information of its clients at the demand of the state, despite the fact that the information is stored in another country, while violating the sovereignty of that country and the user's right for privacy.
The cloud service is a computer service provided to the user by remote computers to which he/she connects through the Internet or using a dedicated communication line. This characteristic enables the cloud computing service provider in one country to store the data in servers and use computer data centers located physically anywhere around the world, either in a single country or in several countries. This service enables the user to avoid the costly expenses associated with the acquisition and management of infrastructures, hardware and software.
On the other hand, the user becomes dependent on the service provider, as all of his/her personal or business information is stored, routed through and created in their facilities. In fact, the user loses his/her exclusive control over the information. Consequently, numerous statutes apply to cloud computing service providers, notably privacy protection laws intended to safeguard the user's information against disclosure, maintenance, use, etc. Apparently, these statutes are overridden when the state wishes to obtain a user's personal information, as reflected by the case of the Irish server of Microsoft USA.
In December 2013, a US enforcement agency filed a request for a search and seizure warrant to a US federal court, with the intention of compelling Microsoft USA to produce E-Mail correspondence and other private digital information of a client, who was allegedly suspected of drug trafficking violations. The information was stored in a Microsoft server located in Ireland as part of Microsoft's cloud computing services.
To the surprise of Microsoft, the member states of the European Union and Ireland in particular, the court accepted the enforcement agency's motion. It issued a warrant compelling Microsoft to produce the information. The court accepted the agency's claim that it was not necessary to approach the Irish authorities in order to request the disclosure and submission of the information, as Microsoft can copy and produce the information at the touch of a button from its offices in the USA. Microsoft appealed this warrant asking to have it revoked, claiming that whereas the information was stored in servers in a foreign country, the enforcement agency should approach the Irish authorities through the appropriate channels. The US court rejected Microsoft's appeal.
In response, Microsoft appealed to the US Supreme Court and that appeal is currently being deliberated, but this time, owing to the importance of the issue, numerous other parties joined the motion, including high-tech companies, academic institutions, media channels and others. In an irregular move, Ireland and representatives of the European Union Parliament (Ireland is a member of the European Union) also joined the motion and submitted their positions on this issue to the court.
Ireland alleged that according to international law it is recognized as a sovereign state that maintains diplomatic relations with the USA. Therefore, according to US law, the courts should respect that sovereignty and avoid violating it. Moreover, whereas there is a mutual agreement (treaty) between the USA and Ireland regarding mutual assistance in criminal investigations, the USA should conduct its operations in the context of that agreement.
The representatives of the European Union maintained that personal information, in the EU, is subject to regulation and standards that are "more rigid" than those of the USA, intended to safeguard the autonomy of the owner of the information. In the EU, the confidentiality of personal information is regarded as a basic human right that may only be infringed under the most extreme circumstances. Accordingly, whereas just like in the case of Ireland, the USA and the EU have had a treaty concerning mutual legal assistance since 2003, the USA should comply with that treaty in order to bridge that regulatory gap.
Moreover, upholding the warrant that violates the basic right for confidentiality of information will also damage many US companies operating in Europe, which maintain and manage the personal information of millions of European inhabitants. As concerns about the ease with which such information may be disclosed grow, there may be a crisis of confidence, pursuant to which states, businesses and individual EU citizens will seek to seize the information belonging to them and remove it from the custody of those companies. It was further alleged, that according to the European information security directive, Microsoft is not authorized to transfer the information to a country outside the EU and such a process is only possible through the legal authorities of Ireland.
The concern of the European Union regarding a crisis of confidence that could lead the member states to take measures against companies providing cloud computing services in order to prevent disclosure of information to foreign countries is very real concern. It has already materialized in several countries around the world, like Russia and Brazil. In those countries, bills were filed aiming for legislation according to which the personal information of the local inhabitants should only be maintained and stored in servers located in those countries.
In an era where the cloud computing technology is occupying a major role in our lives, encompasses all walks of life and is promoted by technology giants as Apple, Google and Microsoft through their various products (which often make it difficult for the user to avoid registering or using these services), a situation where the cloud computing service provider "loses control" over the user's personal information and is forced to readily disclose that information to any country interested in it could render the user's right to privacy meaningless, violate the universal basic right to human dignity and liberty, inflict personal and business damage on the user and deter potential users from using this advanced technological service.
Accordingly, the decision by the US Supreme Court regarding Microsoft's motion to revoke the warrant should be made in view of the considerations outlined above. Users should use the cloud computing service intelligently and prudently, while understanding the obligations of the cloud computing service providers with regard to the maintenance, use, copying or retention of personal information.
Admit Ivgi, Attorney-at-Law, owner of the At-Law firm, specializes in technology, cyber and information law. She represents and provides comprehensive legal services to individuals, entrepreneurs and corporations. Adv. Admit Ivgi is a researcher of cyber law at the universities of Tel-Aviv and Haifa and possesses technological experience in the cyber field, among other things, through her work for the RSA Company as an analyst and investigator of Internet fraud.
In a precedent setting ruling, a US court compelled the Microsoft Corporation to disclose details of an electronic mail account stored in Ireland without obtaining permission from the local authorities. The struggle over the right of privacy on the web enters the international arena. Exclusive analysis
A federal court in the USA ordered the Microsoft Corporation to disclose and produce electronic mail account details and other private digital information to law enforcement authorities. This despite the fact that this information was stored in the corporation's servers in Ireland within Microsoft's cloud computing services. The significance of this ruling is that any provider of cloud services who has a branch in the USA will be obliged to cooperate with the authorities by disclosing and producing its clients’ information. This slippery slope could lead to a situation where every cloud computing service provider (like Apple and Google, for example) will be compelled to disclose private information of its clients at the demand of the state, despite the fact that the information is stored in another country, while violating the sovereignty of that country and the user's right for privacy.
The cloud service is a computer service provided to the user by remote computers to which he/she connects through the Internet or using a dedicated communication line. This characteristic enables the cloud computing service provider in one country to store the data in servers and use computer data centers located physically anywhere around the world, either in a single country or in several countries. This service enables the user to avoid the costly expenses associated with the acquisition and management of infrastructures, hardware and software.
On the other hand, the user becomes dependent on the service provider, as all of his/her personal or business information is stored, routed through and created in their facilities. In fact, the user loses his/her exclusive control over the information. Consequently, numerous statutes apply to cloud computing service providers, notably privacy protection laws intended to safeguard the user's information against disclosure, maintenance, use, etc. Apparently, these statutes are overridden when the state wishes to obtain a user's personal information, as reflected by the case of the Irish server of Microsoft USA.
In December 2013, a US enforcement agency filed a request for a search and seizure warrant to a US federal court, with the intention of compelling Microsoft USA to produce E-Mail correspondence and other private digital information of a client, who was allegedly suspected of drug trafficking violations. The information was stored in a Microsoft server located in Ireland as part of Microsoft's cloud computing services.
To the surprise of Microsoft, the member states of the European Union and Ireland in particular, the court accepted the enforcement agency's motion. It issued a warrant compelling Microsoft to produce the information. The court accepted the agency's claim that it was not necessary to approach the Irish authorities in order to request the disclosure and submission of the information, as Microsoft can copy and produce the information at the touch of a button from its offices in the USA. Microsoft appealed this warrant asking to have it revoked, claiming that whereas the information was stored in servers in a foreign country, the enforcement agency should approach the Irish authorities through the appropriate channels. The US court rejected Microsoft's appeal.
In response, Microsoft appealed to the US Supreme Court and that appeal is currently being deliberated, but this time, owing to the importance of the issue, numerous other parties joined the motion, including high-tech companies, academic institutions, media channels and others. In an irregular move, Ireland and representatives of the European Union Parliament (Ireland is a member of the European Union) also joined the motion and submitted their positions on this issue to the court.
Ireland alleged that according to international law it is recognized as a sovereign state that maintains diplomatic relations with the USA. Therefore, according to US law, the courts should respect that sovereignty and avoid violating it. Moreover, whereas there is a mutual agreement (treaty) between the USA and Ireland regarding mutual assistance in criminal investigations, the USA should conduct its operations in the context of that agreement.
The representatives of the European Union maintained that personal information, in the EU, is subject to regulation and standards that are "more rigid" than those of the USA, intended to safeguard the autonomy of the owner of the information. In the EU, the confidentiality of personal information is regarded as a basic human right that may only be infringed under the most extreme circumstances. Accordingly, whereas just like in the case of Ireland, the USA and the EU have had a treaty concerning mutual legal assistance since 2003, the USA should comply with that treaty in order to bridge that regulatory gap.
Moreover, upholding the warrant that violates the basic right for confidentiality of information will also damage many US companies operating in Europe, which maintain and manage the personal information of millions of European inhabitants. As concerns about the ease with which such information may be disclosed grow, there may be a crisis of confidence, pursuant to which states, businesses and individual EU citizens will seek to seize the information belonging to them and remove it from the custody of those companies. It was further alleged, that according to the European information security directive, Microsoft is not authorized to transfer the information to a country outside the EU and such a process is only possible through the legal authorities of Ireland.
The concern of the European Union regarding a crisis of confidence that could lead the member states to take measures against companies providing cloud computing services in order to prevent disclosure of information to foreign countries is very real concern. It has already materialized in several countries around the world, like Russia and Brazil. In those countries, bills were filed aiming for legislation according to which the personal information of the local inhabitants should only be maintained and stored in servers located in those countries.
In an era where the cloud computing technology is occupying a major role in our lives, encompasses all walks of life and is promoted by technology giants as Apple, Google and Microsoft through their various products (which often make it difficult for the user to avoid registering or using these services), a situation where the cloud computing service provider "loses control" over the user's personal information and is forced to readily disclose that information to any country interested in it could render the user's right to privacy meaningless, violate the universal basic right to human dignity and liberty, inflict personal and business damage on the user and deter potential users from using this advanced technological service.
Accordingly, the decision by the US Supreme Court regarding Microsoft's motion to revoke the warrant should be made in view of the considerations outlined above. Users should use the cloud computing service intelligently and prudently, while understanding the obligations of the cloud computing service providers with regard to the maintenance, use, copying or retention of personal information.
Admit Ivgi, Attorney-at-Law, owner of the At-Law firm, specializes in technology, cyber and information law. She represents and provides comprehensive legal services to individuals, entrepreneurs and corporations. Adv. Admit Ivgi is a researcher of cyber law at the universities of Tel-Aviv and Haifa and possesses technological experience in the cyber field, among other things, through her work for the RSA Company as an analyst and investigator of Internet fraud.
