In the United States, if the FBI thinks you committed a crime, it can go to a judge for a warrant and search your house. But if your house happens to be in Ireland, would a U.S. warrant give the Feds permission to search your property? Of course not.
But what about digital property? Does the FBI have the authority to access someone’s data, even if it is stored outside of the U.S.?
The Second Circuit Court of Appeals is trying to answer that second question. Microsoft and the U.S. Department of Justice are waiting for the decision that will determine whether or not law enforcement officials can access emails stored outside of U.S. borders. No matter which side wins, the ruling will affect discussions about national sovereignty and how it relates to the Internet for years to come.
The case began when a judge issued a warrant requiring Microsoft to turn over emails of a suspected drug trafficker that were stored on an Irish server. A lower court upheld the warrant’s validity when the company protested. Microsoft fought back, arguing that such a demand was an extraterritorial warrant and that investigators needed to get an Irish warrant to access the emails. The U.S. government countered that because Microsoft is based in Redmond, Washington, all of its data is subject to U.S. warrants.
Behind the dispute is the practical matter that it takes an average of 10 months to process a U.S. warrant request under a mutual legal assistance agreement. Pulling data from the Irish server remotely would take minutes.
Microsoft—and most other technology companies—provides its services in the cloud, storing data on remote servers to provide quick, multi-device access to consumers. However, the term “cloud” itself is a misnomer. It evokes the idea of data floating about, placeless. But this notion of the cloud is an illusion: data in the cloud is stored on physical servers that are situated squarely on sovereign territory, and the companies that manage the data are subject to the laws of that country.
If Microsoft wins its appeal, the U.S. government would be compelled to go through established mutual legal assistance processes to get its hands on data stored on servers outside of U.S borders. Judging from Ireland’s support of Microsoft’s position, other states favor this outcome and would quickly embrace an affirmation of their data sovereignty. Some countries, such as Russia and Australia, already require data about their citizens to be stored locally, in order to keep it beyond the reach of the United States. At least 20 more countries have considered similar laws.
If Microsoft wins its lawsuit, such “data localization” regulations could become the norm. But if that happens, technology companies would face a compliance nightmare. They would have to build expensive data storage facilities abroad, fork over hefty fines, or give up on major markets. Startups with fewer resources would find it exceedingly difficult to expand abroad, stifling the spread of innovation.
It’s not just a business problem, either. Many warn that if the court rules in Microsoft’s favor it could pave the way for a “Balkanization” of the Internet that would fracture the global network.
On the other hand, if the Department of Justice wins, the outcome may not look all that different. Microsoft insists that extending the reach of search warrants to data stored abroad will start a “global free-for-all” in which “any country with jurisdiction over a provider can reach into any other country” and plunder its emails. Suddenly, foreign companies offering localized data solutions would find their services in high demand with neither the companies nor their data subject to U.S. law. The resulting patchwork of local solutions sounds remarkably similar to the “Balkanization” situation the experts warn of.
At the moment, those warnings sound particularly prescient. Last week, the European Union’s Advocate General invalidated the existing Safe Harbor agreement that has governed data transfer from E.U. to U.S. servers due to concerns about privacy and government surveillance. Microsoft immediately filed a notice with the court, pointing out that the opinion “could subject U.S. companies to charges of violating European law any time they transfer personal data to the U.S., especially when U.S. law-enforcement agencies instigate the transfer.”
Concepts of national sovereignty on the Internet are getting hazier by the day. Last month, France’s data regulator ruled that the European Union’s “right to be forgotten” directive extends beyond Google.fr and other European search products to all search results, worldwide, for French citizens. Google responded: “As a matter of principle we respectfully disagree with the idea that one national data protection authority can assert global authority to control the content that people can access around the world.”
Simultaneously, China is reportedly pressuring U.S. tech companies to sign a pledge to turn over user data and source code in exchange for access to the massive Chinese market. Language in the document suggests the government wants a back door into encrypted communications, which could violate the privacy of foreigners communicating with Chinese citizens. Like France, China seems to prefer extraterritorial application of its domestic Internet policy—and if companies want access to the Chinese market, there may not be much they can do about it.
What the U.S. court really faces in the Microsoft case is an existential decision about the sovereignty of nations in the age of a global Internet. No matter which way the court rules, the case is indicative of problems we will continue to face as technology, built not to adhere to any international political order but to facilitate broad information-sharing and communication, clashes with an entrenched system of physical borders and interlocking jurisdictions that simply cannot contain the flow of data.