Internet Jurisdiction and the Microsoft Warrants

According to a news report, “Earlier this week 28 technology and media companies, 23 trade associations and advocacy groups and 35 professors of computer science filed legal papers in support of Microsoft’s opposition to US court rulings earlier this year which said that US authorities’ search warrant powers apply to customer information held outside of the US.”

I have had difficulty understanding the legal basis for Microsoft’s objection. Is it not clear that either law enforcement authorities or civil courts can require the production of documents in the custody or control of an enterprise that is located in their territory? The information or documents or data in custody need not be physically present in the jurisdiction of the requesting authority, so long as the control is there.

I understand that Microsoft (and its many other supporters) would rather not produce the information. I understand that they may be concerned about production orders from other governments in whose jurisdiction these multinational corporations operate (though there might be an argument about ‘control’ for places not the head office of the corporation).

I also understand that American companies would like to be able to assure foreign potential customers that their data will not be subject to inspection by American national security or police forces. My impression is that this consideration is mainly what is driving the current dispute. I have heard (without evidence) that US companies have lost business internationally since the Snowden revelations on just this ground. (I wonder if there is any need for the concern … security forces collaborate internationally, so what the Americans want they can probably get from the domestic security agencies of those potential customers.)

Nevertheless, is the assertion of the law enforcement authorities in this case novel in some way?

Is not the request similar in principle to the one that the Canada Revenue Agency made to eBay Canada for its records of power sellers, which the Federal Court required eBay Canada to retrieve from servers outside Canada, because the Canadian company had access to them for its own business purposes – i.e. the records were in its control for that purpose, and thus could be requisitioned for a tax audit?

If Microsoft’s challenge succeeds, would not any company with any kind of transborder ambitions simply keep any sensitive or embarrassing data in some data haven somewhere, out of reach of national authorities – judicial as well as administrative – of countries in which it carries on business, or even has its head office? If not, what is the dividing line or distinguishing principle?


  1. Great column, but probably a moot point like you said – Snowden revelations. It is hard to say that to “simply keep any sensitive or embarrassing data in some data haven somewhere, out of reach of national authorities” is a solution. Encryption works but infiltrating the website/servers renders encryption worthless and full bore penetration seems to be now accepted as current practice. So the old practices from time immemorial are back in force: oral, written and the higher technology of typewriters. All subject to electronic primitive electronic capture.

  2. “I have heard (without evidence) that US companies have lost business internationally since the Snowden revelations on just this ground.”

    Not sure whether you operate on the inquisitorial or adversarial model when it comes to the evidence you need or consider, but are you truly in doubt about the impact that Snowden has had on consumer confidence in US data centers?

    There’s literally an effect named after him — “The Snowden Effect”. And there are many articles about the impact of the Snowden Effect on companies concerned over PRISM, which also (but not exclusively) means impact on data centres.

    A recent article on ZDNet from September this year indicates about 1 in 10 UK companies who responded to a Cloud Industry Forum survey actually changed providers as a direct result of the Snowden Effect:

    “When specifically asked about keeping corporate data in the cloud in light of the publicity over Snowden, 59 percent of the respondents expressed concern ranging from mild to extreme.

    In fact, a third of them said the revelations had changed the way they secure information, with 17 percent changing where they put data and almost one in 10 changing cloud provider as a result of the Snowden affair.”

    Gartner says that the data centre market is to undergo dramatic changes too. One of the four disruptive factors cited is “the Snowden Effect” driving severe market fragmentation:

    “As buyers come to believe that none of the large multinational providers are trustworthy, emphasis shifts to in-country-developed technologies, and OSS and hardware.”

  3. I wasn’t particularly doubting it, Nate, it was just a matter of hearsay for me because I hadn’t gone looking it up. I find your sources credible – though the UK folks may be kidding themselves if they think their own government is not doing some snooping of its own (and sharing the results with the US).

    On the merits, a lot turns on the government’s use of a search warrant, which it is trying to make operate like a subpoena. See for example the brief of the Electronic Frontier Foundation on the point.

  4. Actually this is only the tip of the iceberg. Type “Five Eyes” into Google and read the first article — Wikipedia has a fairly comprehensive overview of the links between the US, UK, Canada, NZ and Australia. Then take a look at the second group with lesser rights as to span and content. As an aside it should not be too difficult for the US to prosecute most of the individuals involved with all the banking fraud. Perhaps an economic crime might get in the way of warrant but would a murder plot followed by murder? Just asking.

  5. David Collier-Brown

    The normal public reaction has been almost the exact opposite to the legal profession’s.

    People are appalled that a foreign court can compel Irish employees of Microsoft to apparently break Irish law.

    The assumption seems to be that the data is Irish, that Microsoft has no right to it, and that the US is indirectly breaking Irish law by compelling US companies to commit the breach on their behalf.

    To quote a typical commentator from the nerd community*, “Surely there is some analog to extradition for search warrants, isn’t there? The idea that any nation you happen to have a presence in can demand something you have in any other nation seems like an obviously dangerous shortcut to most-abusive-common-denominator law; but being able to black-hole anything just by shifting the VM across the border presents its own problems.”

    The response at the time was that the U.S. government had sought a warrant in Ireland, and it had been refused. This remains to be proven.

    The question of control was never raised: what were raised were the public policy problems of allowing “data havens” to exist, versus those of allowing extraterritorial search-and-seizure powers to the US.

    As I noted, the facts of the case remain in question: if the U.S. had in fact applied to Ireland and failed, then they may have come to the court with dirty hands, and the public disapproval would be entirely justified…

    [* Browse with comments rated 4 and above, or you’ll be buried in vitriol: there is a lot of bad feeling directed toward the US here and elsewhere]

  6. Most would agree — US government is throwing Microsoft et al. a fig leaf to stop the drop in US companies’ global market share.