twitter facebook rss

CISO view: DoJ vs Microsoft case

Posted by on October 3, 2015.

In the DoJ vs Microsoft foreign emails case, we already know the law enforcement view; we already know the privacy activists’ view – and now we know the US security practitioners’ view.

  • there is little, if any, support for the government against Microsoft
  • there is some belief that it could affect trade for US internet companies
  • the majority of US security practitioners may be forced to reconsider using Microsoft if the government prevails

The Second Circuit Court of Appeals is currently deciding on a case between the Department of Justice and Microsoft. A ruling is expected imminently, perhaps by the end of October.

The DOJ has demanded from Microsoft the emails (and more) of an overseas customer. Those emails are stored on a server in Ireland. The DOJ has chosen not to use the international legal treaty (mutual legal assistance) to get these emails. Instead it has used a US search warrant pursuant to the 1986 Stored Communications Act.

Microsoft declined to hand over the content, saying that a US search warrant cannot apply outside of the US. So far the US courts have sided with the DoJ. The argument is that the actual search won’t happen until the data is repatriated to the US, and therefore the search will occur in the US. Both parties have allowed the case to go to the Second Circuit Court of Appeals for a ruling.

If the DoJ wins, it will mean that it can seize the data from any internet company for which it can claim jurisdiction, wherever that data is stored and to whomever that data belongs.

Third-party opinion is heavily divided. Civil liberties advocates on both sides of the Atlantic fear that a DoJ victory will add greater legal legitimacy to the US surveillance machine. In Europe it is feeding calls for the EU-US safe harbor agreement to be revoked.

Andrew K. Woods, an assistant professor of law at the University of Kentucky College of Law, has downplayed the importance of the case. In Lowering the Temperature on the Microsoft-Ireland Case he has argued against too much concern: “I think there is a powerful case to be made that a victory for Microsoft would do more harm to the future of the Internet, privacy, and public safety than would a loss.”

But USA Today argues the opposite: “If American companies can’t protect customer privacy for information stored elsewhere, the concern is that foreign companies that can make a privacy promise and stay outside the jurisdiction of U.S. law enforcement could take business away from them.”

Jeff Gould, president of and CEO and director of research at Peerstone Research, is particularly concerned. In US Effort to Grab Data from Microsoft in Ireland Should Frighten All Firms Using the Cloud Overseas he argues that foreign companies will be dissuaded from using US cloud services if the case is decided in favour of the DoJ. He goes further to suggest that since there are no competitors to the big US cloud companies, these foreign firms will withdraw from the cloud altogether.

We asked the people who will be directly affected by the ruling, six Wisegate CISOs from large international US companies, where they stand on the DoJ vs. Microsoft issue. We gave them six options:

  • The government is right and Microsoft should hand over the emails
  • I would be content for China to demand PII from Huawei systems located on US soil
  • The potential international economic effect on US internet providers should make the government reconsider
  • If the government wins, US companies with overseas customers will reconsider their use of Microsoft cloud systems
  • The government should reconsider because it negates the concept of geo-fencing
  • Microsoft has never expected to win — the challenge is solely for publicity purposes

Not a single CISO believes that the government is right in demanding the personal emails stored on a foreign server. One takes the somewhat cynical view that Microsoft has never expected to win this case, but has simply wanted to be seen as a defender of privacy.

Three believe that the potential economic effect on the US economy should make the government reconsider its position. Another three take the security view that it negates the concept of geo-fencing – particularly relevant since companies handling government data must geo-fence it within the US.

But perhaps most surprising, and potentially worrying for the government position, is that the majority of the CISOs fear that even US companies might reconsider their use of Microsoft cloud if the government wins its argument. As one of them said, “Since we are in 133 countries, if they must turn over the data, this has major implications on all of us – and could severely impact trade.”

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: Perspectives | Tags: