Can the Department of Justice (DoJ) armed with a warrant compel U.S. companies to turn over data stored on foreign servers? Microsoft, which has engaged in a long running scrap with the DoJ over its refusal to provide to law enforcement the substance of customer emails stored on its servers in Ireland, still wants an answer.
The case is particularly important to MSPs and MSSPs, thousands of which manage customer email security across international government boarders worldwide.
After a spate of legal battles and lower court rulings -- including a 2016 federal appeals court decision in Microsoft’s favor -- that answer is still elusive. Following oral arguments a month ago, the technology heavyweight now awaits a Supreme Court decision. The Court already has hinted it’s not convinced by Microsoft’s contention that search warrants issued in the U.S. aren’t valid outside U.S. borders. But it has also signaled its reluctance to decide the issue and has urged Congress to update the legislation in question.
There may be a controversial workaround, however, supported by IT but contested by privacy advocates, embedded in an unlikely place: The massive $1.3 trillion spending package passed by the House on Thursday and the Senate in the early morning hours on Friday. A clause in the omnibus bill, called the Clarifying Lawful Overseas Use of Data Act, or Cloud Act, endorsed by both sides of the Congressional aisle and authored by Republican Senator Orrin Hatch, attempts to update the 1986 Stored Communications Act written before the Internet age. The provision could quickly make the Supreme Court case moot.
Under existing law, mutual legal assistance treaties require a formal request to the host country by foreign nations wanting to access locally stored data. It also insists that the U.S. government only share such information in cases where the requests have been vetted by the DoJ and a U.S. judge. The Cloud Act allows U.S. authorities and approved partner countries that abide by certain customer privacy standards to bypass the treaties. It would simultaneously let U.S. judges issue warrants and enable companies to object should the request bump up against foreign law.
Microsoft, other IT heavyweights, the federal government and the U.K. all support the legislation. The question, of course, is does it still protect the private data of everyday civilians or give free reign to U.S. law enforcement? In a statement, Hatch called the Cloud Act a “clear, balanced framework for law enforcement to access data stored in other countries while at the same time encouraging our allies to strengthen their domestic privacy laws.”
But the Electronic Frontier Foundation (EFF) sees it quite differently. In a blog post, the EFF called the Cloud Act a "new, proposed backdoor to our data, which would bypass our Fourth Amendment protections to communications privacy." If approved, the Cloud Act would allow police at home and abroad to seize cross-border data without following the privacy rules where the data is stored," the EFF said.