Microsoft opposes US access to Dublin data

Microsoft - with the backing of Verizon and the Electronic Frontier Foundation (EFF) - has filed to challenge federal prosecutors' `right' to demand access to its data stored in an Irish data centre.

Stuxnet flaw remained unpatched for four years
Stuxnet flaw remained unpatched for four years

The legal challenge - filed through the US courts earlier this week - is reportedly being watched by the European Commission with great interest, since the court order could be advanced to come under the USA Patriot Act.

As reported previously by SCMagazineUK.com, under the USA Patriot Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act 2001), the US government has defined rights of access to all data held by US companies, no matter where in the world it is stored.

This has been a deciding factor in many European corporates – as well as the UK government - opting not to store their data with US cloud computing services.

The Electronic Privacy Information Centre (EPIC) has criticised the Patriot Act as unconstitutional, but this is the first time that a US corporation - Microsoft - has effectively challenged the data access provisions of the Act.

The Redmond-based software giant claims that, if the judicial order to surrender the email stored abroad is upheld, it “would violate international law and treaties, and reduce the privacy protection of everyone on the planet.”

According to the New York Times, a local judge granted the search warrant last December as part of a criminal inquiry, although the newspaper says that neither the identity nor the nationality of the customer has been revealed.

The company objected, saying that because the customer's emails were stored in Dublin, they were beyond the reach of a domestic search warrant.

"Microsoft contends that the rules that apply to a search warrant in the physical world should apply online. The standard of proof for a search warrant is “probable cause” and “particularity” - that is, a person's name and where the person, evidence or information resides," adds the paper.

The New York Times quotes Lee Tien, an EFF lawyer, as saying the court order will likely act as a precedent and open the gates to unchecked investigations in the digital world, of anyone, anywhere. "US search warrants do not have extraterritorial reach,” he said, adding that the US government is trying to do an end run.

Professor John Walker, a visiting professor with the Nottingham Trent University's School of Science and Technology, told SCMagazineUK.com that case should be great concern to organisations in the UK and across Europe, as the European Commission has clear and explicit agreements on several IT issues in place with Microsoft. 

"It also throws up issues regarding US surveillance of non-US IT services, as witnessed by PRISM and other reported NSA operations. This case will leave companies - as well as government agencies - wondering where they stand when storing their data in a US cloud computing service, especially if they have explicitly requested that their data be held in a European data centre," he explained. 

"More than anything, I think the case - and the legal challenges - highlight the lack of understanding about data security issues between the US and the European Union. My own experience tells me that these issues are why the UK government shies away from using Microsoft's Office 365, and I think this case will cause private sector UK companies to follow the lead of the government," he concluded.