A U.S. magistrate judge ruled that U.S. cloud vendors must fork over customer data even if that data resides in data centers outside the country.
A court ruling on Friday over search warrants means continued trouble for U.S. cloud providers eager to build their businesses abroad.
In his ruling, U.S. Magistrate Judge James Francis found that big ISPs — including name brands Microsoft and Google — must comply with valid warrants to turn over customer information, including emails, even if that material resides in data centers outside the U.S., according to several reports.
Microsoft challenged such a warrant a few months back and this ruling was the response.
In a blog post on Friday, Microsoft Deputy General Counsel David Howard characterized this as a necessary first step in a what will likely be a long battle. He wrote that the issue is straightforward even if the law is not:
“It’s generally accepted that a U.S. search warrant in the physical world can only be used to obtain materials that are within the territory of the United States. A U.S. prosecutor cannot obtain a U.S. warrant to search someone’s home located in another country, just as another country’s prosecutor cannot obtain a court order in her home country to conduct a search in the United States. That’s why the U.S. has entered into many bilateral agreements establishing specific procedures for obtaining evidence in another country. We think the same rules should apply in the online world, but the government disagrees.”
The ruling basically upholds the status quo for U.S. companies who have tried to reassure foreign governments that data residing in their data centers outside the U.S. will be safe from overreach by U.S. law enforcement or security agencies. The European Community, in particular, has been vocal in its distrust of U.S. authorities in the wake of Edward Snowden’s disclosures about National Security Agency data gathering practices.
European cloud providers have tried to use this to their own advantage, with some even advertising on their web sites that their data centers are immune to search under the U.S. Patriot Act. And some have claimed that U.S. security practices have slowed cloud adoption in Europe and beyond.
U.S vendors have tried to allay concerns. In January for example, Microsoft said customers could choose where their data is stored, implying that email stored in Microsoft’s Dublin data center are safe from U.S. search. Experts quickly pointed out that this does not really address the overreach problem because the Patriot Act — initiated after 9/11 as an anti-terrorism measure — compels U.S. firms to cough up not just what’s stored on U.S. soil, but anywhere.
As Gigaom’s David Meyer reported then: “All that’s needed is for the cloud provider to itself fall under U.S. jurisdiction, which Microsoft most certainly does and will continue to do.”