Do Local Laws Belong In a Global Cloud? Q&A with Brad Smith of Microsoft (Part Two)

This is the second part of my Q&A with Microsoft Executive Vice President and General Counsel Brad Smith over the company’s legal battle with the U.S. Department of Justice over e-mails stored in Ireland. The case raises important questions with respect to the privacy of digital communications and the future of cloud computing.

For those who missed it, part one can be found here.

Question: According to the U.S. government in its filings, Microsoft has not objected to handing over data stored on foreign servers to federal investigators serving warrants pursuant to the Stored Communications Act (SCA) and Electronic Communications Privacy Act (ECPA) in the past. What makes this case different?

Answer: What led to this case is a rise in the storage of content around the world. A few years ago, we started building data centers in many countries because keeping people’s content close to them helps ensure they can access it quickly and smoothly. So it’s fairly recent that the concept of a U.S. warrant for content in a datacenter abroad—like the one in this case—was even conceivable.

Looking beyond the technological change, we think it’s important that we be transparent about government requests we receive and how we respond to them. We produce a global report here and, through a separate lawsuit we filed against the U.S. government, we’re now able to report specifically on U.S. national security orders and publish those here.

Q: Microsoft has argued that it cannot turn over user e-mails to the government because the user owns those e-mails. Yet a long series of court precedents going back more than forty years say that even custodians of a third party’s records-both physical and electronic-must hand those records over to federal investigators serving a valid warrant. Why isn’t this true here?

A: This is a critical question and hits at the heart of the legal case. The warrant in our case isn’t for business records such as a record of banking transactions, a hotel bill, or a list of phone numbers that were called. Rather it’s for the content of personal communications, in this case e-mails. The courts have long recognized the distinction between business records and the content of personal communications. And not surprisingly, they have held that the contents of personal communications are entitled to a higher level of legal protection.

In our case the U.S. government is arguing that a customer’s e-mail becomes a cloud operator’s business records and hence the government can obtain it more easily. This is fundamentally at odds with traditional respect for privacy and limitations on government powers. For over two centuries the courts have held that the contents of a letter don’t become a business record of the U.S. Postal Service when they’re sent through the mail. They remain personal communications that are entitled to a higher level of legal protection. If our longstanding privacy rights are going to remain intact in the 21^st century, we need this legal approach to make the transition effectively from traditional mail to modern e-mail.

Q: According to the U.S. government’s brief, Microsoft has not produced any evidence that Microsoft would violate Irish or EU law by complying with the U.S. warrant in this case. Further, the U.S. government argues that Irish law contains similar powers for the Irish government to compel the production of records located outside Ireland by a company subject to Irish jurisdiction. How does Microsoft answer these arguments?

A: In fact, multiple EU officials have raised the prospect that compliance with the warrant would violate EU law. They haven’t yet announced a final position, and we think it’s worth hearing them out. And it’s also important to acknowledge the point made in a declaration from the former Attorney General of Ireland who was involved in negotiating the MLAT with the United States. His declaration says this type of situation is exactly why they negotiated the MLAT.

Ultimately, however, the question here is not about Irish or European law but about U.S. law. This is a law enacted by Congress. There is no reason to believe that Congress intended it to apply outside the United States. If law enforcement wants authority to apply search warrants outside of our own borders, it should go to Congress to seek that approval.

We in fact have proposed to Congress what we believe would be a sensible approach that would give law enforcement this unilateral authority when e-mails belong to an American citizen or resident. But it would require the use and strengthening of international legal processes when e-mails belong to someone else. This is the type of approach that we believe American citizens could accept when the shoe is on the other foot, so to speak. It would strike the right balance between privacy and public safety.

No doubt there are opportunities to make improvements to the legislation that is being considered.  But that will happen only if everyone starts to work on a legislative approach. And after almost two years of litigation, I think it’s fair to say that everyone will come to the table only if we win this case.