A New York Court has held that Microsoft Corp must disclose to investigators the content of an unidentified customer’s MSN.com web based email account stored in a data center in Ireland that it controls and maintains to the US government in the context of an investigation. As the US District Judge upheld the Federal Magistrate’s decision, Microsoft, which argued that this was an illegal search and seizure of customer information held outside the US, lost its challenge to the US government search warrant. Microsoft has already indicated its intention to appeal.

This is an extremely controversial ruling concerning the way US Courts may apply and enforce legal protections to personal data stored by internet service providers in jurisdictions outside the US.

This appears to be the first case in which a global technology corporation has challenged a US search warrant searching customer’s data stored in a foreign jurisdiction. It has been reported that several US judges have been divided on whether prosecutors can in fact use search warrants to seize emails from providers.

Both parties argued during the two hour Court hearing over the interpretation of the Stored Communications Act (“SCA”) which is part of the Electronic Communications Privacy Act of 1986 and entitles regulators to obtain certain information through Court orders or warrants.

The Court held that the “Congress intended in this statute for ISPs to produce information under their control, albeit stored abroad to law enforcement in the United States […]. As Judge Francis found, it is a question of control, not a question of the location of that information”.

It has been claimed that the US government should be required to access this particular electronically stored information via the treaty process between the US and Ireland.

Assistant US Attorney Serrin Turner however argued that this time consuming and complicated treaty process would not be required in such a case. He however stated that concerns about what other jurisdictions may do should be addressed “through political and diplomatic channels”, not by ignoring the SCA.

He also explained that the warrant did not involve a search in Ireland as such but that Microsoft was simply required to produce data under its control. He said “it makes no sense for Congress to make the government go on a wild-goose chase…when the provider is sitting here in this country and can access the data at the touch of a button”.

The Court referred to the fact that US banks have long been required to disclose records stored overseas in response to subpoenas.

The Court also heard arguments from AT&T Inc, Apple Inc, Verizon Communications Inc, Electronic Frontier Foundation and Cisco Systems Inc which supported Microsoft’s position.

The reactions

Privacy groups and major technology and telecom companies raised serious concerns about all of the legal issues at stake.

Christopher Soghoian from the American Civil Liberties Union stated for instance that “today’s decision is a major blow not just for Microsoft, but for the entire US cloud-computing industry […] If these companies wish to regain the trust of their global customers, they must embrace security technologies such as cloud cryptography, which can provide real privacy protections where the law does not”.

E Joshua Rosenkranz, a lawyer for Microsoft argued that the law does not permit US warrants to be executed in such a way overseas. He commented that “if other countries required Microsoft to provide them with emails of customers located in the US, we would consider that an astounding infringement of our sovereignty […] That is a very, very dangerous principle that the government is articulating”. He also stated that he found “pretty scary” the fact that some Chinese officials apparently requested earlier this week a password to seek some email information in the US.

Microsoft’s General Counsel, Brad Smith, stated after the Court hearing that “the only issue that was certain this morning was that the District Court’s decision would not represent the final step in this process […]. We will appeal promptly and continue to advocate that people’s email deserves strong privacy protection in the US and around the world”.

The Court has indicated that it will temporarily suspend the Order from taking effect to allow Microsoft to appeal to the 2nd US Circuit Court of Appeals.

There appears to be major concerns that global technology companies could lose a large portion of revenue to foreign competitors if customers fear that their data, no matter in which jurisdictions they are stored outside the US, can be subject to search warrants from US investigators.

It will be interesting to follow Microsoft’s appeal of this controversial US decision.