The Microsoft ruling was made by NY District Judge Loretta Preska on Thursday, in a case where the company is opposing a US search warrant to access the emails of one of its European customers as part of a drugs investigation.
The emails are stored in Microsoft's data centre in Dublin and the company argued that US prosecutors don't have the right to seize customer information held overseas. But in a two-hour hearing the judge disagreed, saying: “It is a question of control, not a question of the location of the information”.
But she temporarily suspended the order, to allow Microsoft to appeal to a higher court.
Microsoft chief lawyer Brad Smith has confirmed it will fight the ruling, saying the decision would allow the US to snoop on customers overseas, just as the UK Government can now snoop on American citizens under its recently enacted ‘DRIP’ legislation.
Smith said after the ruling: “We will appeal promptly and continue to advocate that people's email deserves strong privacy protection in the US and around the world.”
He elaborated on this in a Wall Street Journal article last Tuesday, warning: “If the US government prevails in reaching into other countries' data centres, other governments are sure to follow. One already is. Earlier this month the British government passed a law asserting its right to require tech companies to produce emails stored anywhere in the world. This would include emails stored in the US by Americans who have never been to the UK.”
The UK DRIP (Data Retention and Investigatory Powers) bill, passed earlier this month, forces internet service providers to retain metadata on all phone and IP calls, emails and social media interactions, and allows the UK security services to access it.
UK privacy experts agree the different UK and US laws and rulings have “opened up a can of worms” as single governments try to control the internet and global data access.
UK security expert Alan Woodward, a visiting professor at Surrey University and Europol adviser, told SCMagazineUK.com: “The thing about one country passing laws that affect data held in another country is - what happens when laws from different jurisdictions contradict each other?
“The Data Protection Act allows us to send data throughout the EU but not outside the EU if it's sensitive personal data. The US ruling would seem to suggest they could force a company to do that – so whose law are they going to follow? That's the big problem.
“It's the battle of the laws and it's very, very unclear who's going to win. This is the fundamental problem of the internet, and it's really coming home to roost now. The internet doesn't recognise national boundaries. These laws are coming up – like DRIP, like this US ruling – they're the catalyst to make people start thinking. But it's a vacuum at the moment.”
Security consultant Brian Honan, head of Ireland's CSIRT and special advisor on internet security to Europol, told SCMagazineUK.com: “Other governments could use similar legislation to copy what the US is doing. It'll open up a whole can of worms.”
The experts also agree the US verdict, if it stands, is bound to damage US high-tech and cloud service providers in the eyes of European customers.
Honan told SC: “I do think Microsoft is right to challenge this because one of the fundamental concerns many companies have when putting data in the cloud or indeed using technology from a foreign nation is - who else would have access to my data and in what circumstances?
“It's going to be very harmful to US tech and cloud providers. It's going to undermine a lot of trust by non-US customers in those providers. This could be an opportunity for EU tech and cloud providers. But there may be similar issues in other areas. Will I use a UK provider now because of the DRIP law?”
Woodward said: “This would turn up the volume on calls for more Euro-centric, more national-centric services. People like Google, Microsoft, Amazon know they've got to keep the users onside.”
Honan added: “This ruling should also be a timely reminder for companies looking to host their data in the cloud that they should look at doing a proper risk assessment beforehand, that they don't move their most sensitive information into the cloud, and that they encrypt any information that they do put in the cloud and keep the keys to the encryption to themselves. So that even if somebody within the cloud provider or a government body wants access to that data they're going to have to work harder for it.”
Woodward believes the problem of contradictory national laws could eventually be resolved through international conventions. He pointed out that, as part of putting DRIP in place, the UK Government has appointed a senior diplomat whose job is to try to get international agreement on data access. But he said: “I suspect it will be an ongoing problem for many, many years.”