Mark your calendars: September 9th could be the day that tech historians mention when they talk about the death of cloud computing. That’s because September 9th is when Microsoft goes to the2nd Circuit Court of Appeals to argue that non-Microsoft data residing in Microsoft datacenter in a non-US jurisdiction should not be subject to US warrants.
The US Department of Justice (DOJ) served a warrant to Microsoft in December 2013 to seize the contents of a mailbox of a suspected drug trafficker. That’s not a big deal – I worked in the hosting business in Ireland and I saw the local police visit a few times. What made this case interesting was that the DOJ was seeking access to the contents of an Outlook mailbox that was stored in Microsoft’s facilities in Dublin, Ireland, well outside of the 50 states, and actually a completely different jurisdiction with different privacy and protection laws.
Microsoft resisted and the case went to court. Microsoft lost, the case made headlines, Microsoft appealed, and lost, and on September 9th the case goes before the 2nd Circuit Court of Appeals. Microsoft will argue that:
- The contents of the mailbox are not their data
- The mailbox resides outside US jurisdiction
- To supply the mailbox content to the DOJ will break European and Irish laws
The US DOJ will argue that:
- The contents of the mailbox is Microsoft’s data
- US law dictates that any data owned by any US corporation, anywhere in the world is subject to warrants issued by the USA
Since the Last Ruling
Few ever heard of Microsoft’s General Counsel & Executive Vice President for Legal and Corporate Affairs, Brad Smith, before this case arose. But now Smith is a well-known personality in the Microsoft world. Smith has written on Microsoft “On the Issues” blog and spoken at events multiple times about this case and the importance of it, not just to Microsoft, but to any US-owned company that wishes to sell cloud services to more than just 4% of the world’s population (the USA).
What has gotten Microsoft so riled up? Imagine if your company used a product made by a French company and France’s legal system then issued a warrant to seize access to your company’s data? I’m not picking on France here, but maybe that data then made its way to a competitor and you lost a competitive advantage.
There is a huge distrust around the world of how the US government (or any government for that matter) will use (or abuse) access to data. I work in a country where cloud computing is the norm for “upgrades” or new deployments. For example, our small little market is one of the leaders in Office 365 adoption. Meanwhile, neighbors such as Germany have a tiny rate of adoption of services such as Office 365. Maybe Irish businesses are more flexible, but I know from talking to people that German businesses do not trust American-owned clouds for the above reason – they fear everything that the secret seizures that Edward Snowdon revealed, and the not-so-secret illegal (in the eyes of local jurisdictions such as Ireland) searches that the US DOJ is trying to conduct now.
Microsoft, and other US cloud operators, has no choice but to resist this warrant or face an inevitable doom. Microsoft has invested billions of dollars in many data center regions around the world, each of which is subject to the laws of the countries that they reside in … and in the US DOJ’s opinion, those data centers are also subject to contradicting laws.
Microsoft has publicly campaigned to raise awareness of the issue, and has garnered the support of many of their traditional competitors who have an identical fear. The government of Ireland has also filed an amicus brief (an opinion) with the Court stating that:
- If Microsoft hands over this data directly to the USA then they will break Irish/European law
- The US DOJ could have requested the Irish government to legally seize the data from Microsoft in Ireland using the Mutual Legal Assistance Treaty (MLAT). I’ve seen some comments online that MLAT can be slow – Ireland is a friend of the tech industry and of the USA (we say that we’re “closer to Boston than Berlin”) so I doubt the process would have been slow.
What Happens if Microsoft Loses?
Bad things might happen if the 2nd Circuit Court of Appeals decides for the DOJ. Microsoft, Amazon and pretty much any US-owned cloud can forget doing more business in Canada, South America, the EU, and most of Asia. The location of the data centers (has always been under USA law) will be irrelevant. In fact, Microsoft might even be forced to withdraw from those locations if they are forced to break local laws to comply with USA warrants.
I doubt we’d see businesses pull out of the cloud immediately, but the effect might be gradual. Many cloud services really are international anyway … how much data does NetFlix have on me that I care about? But Microsoft’s emphasis isn’t just on these types of companies, but also on convincing enterprises to move internal resources into the cloud. This would be impacted greatly outside the USA, probably even terminated.
So what could Microsoft do? Any corporation with huge cash reserves can fight the laws if they wish or maybe Microsoft could do what they have done in China. China as two Azure regions that are operated, not by Microsoft, but by a partner. If Microsoft goes back into business of writing and developing software, and partners out the business of running hosting facilities to local operators, Microsoft could design and help perform day-to-day operations, but the facilities would not be owned by Microsoft. This could work around the US DOJ and the court’s ruling (if they lose) but it would be very expensive and complicated, it would also fragment the services and impact on quality.
It is possible that technology could solve the problem. What if Microsoft had no access to data that they hosted? Windows Server 2016 Hyper-V is introducing a virtual TPM chip. What if this sort of technology meant that only the tenant (customer) had access to dencrypted data? The US DOJ could issue warrants all day long to Microsoft but all Microsoft could hand over is random 1s and 0s. The US DOJ would be forced to get the data via the suspect, that is, the owner of the data.
The best case scenario is that the 2nd Circuit Court of Appeals decides in favor with Microsoft which means that although Microsoft only hosts the data, they do not own the data.