Microsoft Wins Appeal over Foreign Data Search Warrants

A ruling issued against Microsoft two years ago ordering the company to turn over the contents of e-mails stored in an offshore datacenter has been overturned by a federal appeals court.

The decision, issued on Thursday, centers around Microsoft's refusal to comply with a search warrant issued by U.S. law enforcement in 2014 to turn over the contents of specific e-mails residing in the company's Dublin, Ireland datacenter in connection with a criminal investigation. While Microsoft did turn over requested data stored in its U.S. datacenters, the company argued that the warrant's demand to provide the Dublin e-mails was beyond the scope of U.S. law.

Despite support for Microsoft from Apple, AT&T, Cisco, Verizon and the Electronic Frontier Foundation, the U.S. District Court for the Southern District of New York upheld the search warrant.

Microsoft subsequently filed an appeal last year, arguing privacy laws superseded the court's ruling. "This case is about how we best protect privacy, ensure that governments keep people safe and respect national sovereignty while preserving the global nature of the Internet," said Microsoft President and Chief Legal Officer Brad Smith at the time.

On Thursday, a panel of three appeals court judges from the U.S. Court of Appeals for the Second Circuit overturned the ruling, noting that search warrants carried out by U.S. law enforcement agencies are typically limited to locations within U.S. borders or locations over which the United States has jurisdiction. Warrants don't traditionally extend further.

"Because Microsoft has complied with the Warrant's domestic directives and resisted only its extraterritorial aspects, we REVERSE the District Court's denial of Microsoft's motion to quash, VACATE its finding of civil contempt, and REMAND the cause with instructions to the District Court to quash the Warrant insofar as it directs Microsoft to collect, import, and produce to the government customer content stored outside the United States," the ruling said.

The decision marks a major victory for Microsoft, as well as all major cloud and data services providers seeking to ensure that customer data is protected under the laws of the countries where the data is stored. Smith hailed the decision as setting a key precedent for privacy.

"It ensures that people's privacy rights are protected by the laws of their own countries; it helps ensure that the legal protections of the physical world apply in the digital domain; and it paves the way for better solutions to address both privacy and law enforcement needs," Smith stated in a blog post.

At the Microsoft Worldwide Partner Conference (WPC) in Toronto this week, Smith gave an impassioned speech about Microsoft's commitment to customer privacy, speaking specifically about this case.

"We need an Internet that respects people's rights," he said at WPC. "We need an Internet that is governed by law [and] we need an Internet that's governed by good law."

Smith has stated emphatically that the Communications Storage Act under the Electronic Privacy Act of 1986 is dated and has urged Congress and the White House to create laws that are consistent with the modern world. The appeals court seemed to agree, as noted in the ruling: 

Three decades ago, international boundaries were not so routinely crossed as they are today, when service providers rely on worldwide networks of hardware to satisfy users' 21st-century demands for access and speed and their related, evolving expectations of privacy.

About the Author

Jeffrey Schwartz is editor of Redmond magazine and also covers cloud computing for Virtualization Review's Cloud Report. In addition, he writes the Channeling the Cloud column for Redmond Channel Partner. Follow him on Twitter @JeffreySchwartz.