Authorization that had ordered Microsoft to disclose contents of emails on their servers has been overturned on appeal. This is significant for debates about online security and privacy.
Though owned by Microsoft the emails in question were stored on a server in Ireland. This undoubtedly influenced the decision made by a US court. The decision is made based on a 30 year old ‘stored communications ‘act; but the applicability of this US law to foreign countries is debatable. The Microsoft Company is US based, but even though they own the servers and the email contained on them the applicability of US laws to hardware on foreign shores is controversial.
The investigation wanting access to the email servers were looking for information related to a drug-trafficking case. Whether they were after an individual or small group is uncertain, but it was only a very small number of accounts that to be released to the investigation. Most emails would have stayed untouched.
Microsoft, as well as other US based technology groups, have pointed out the difficulty they will have selling web services if US officials can seize information stored in foreign countries. Likewise, support for this demand to hand over this email information would justify foreign countries making the same demand on the U.S. Many US companies have written support for Microsoft position in the court case.
At present the situation has to deal with laws passed before the availability of the internet. The electronic communications Privacy act was passed in 1986; it did not consider the location of the stored records to be relavent, meaning criminals could not conceal information just by using a foreign computer system. This situation looks to be changing.
At present the criminal investigators can resort to mutual legal assistance treaties between countries, something different to only using the courts within the U.S. But this should radically change when the General Data Protection Regulation comes into effect in 2018. This new regulation extends across European countries, recognises both email and social media cultures, and aims to penalize companies for mishandling data. Fines will be in proportion to the company’s total worth, up to 4% of their annual earnings.
In defence of the courts original decision, the order to disclose the email files was a mixture of subpoena and warrant. Such rulings apply to the possession of information, not the location of the information. Microsoft would have had to disclose the content of the email, but with no need to disrupt the services of others on the server. If the emails were handed over in court there should have been no debate over international jurisdiction.