vali_111 - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

Microsoft, rivals challenge U.S. government over cloud data privacy

Microsoft's refusal to give the U.S. government customer emails stored in Ireland will likely have implications for enterprise cloud data privacy and security.

Some of Microsoft's fiercest rivals, including Apple Inc. and Inc., have come to the defense of the software giant in a controversial cloud data privacy case that could have negative implications for cloud security.

Microsoft Monday filed 10 amicus briefs, also known as "friend of the court" briefs, from a diverse group of technology firms, media companies and trade associations that support Microsoft's opposition to a U.S. search warrant for customer emails stored in a data center in Ireland. Microsoft refused to comply with the warrant, which was part of a drug-related investigation, arguing that the data center is outside the jurisdiction of the U.S. Department of Justice.

But U.S. Magistrate Judge James Francis ruled against Microsoft in April, and later a federal court ordered Microsoft to hand over the emails to prosecutors. Microsoft recently filed an appeal of the decision and says it's committed to protecting customers' data in the cloud.

The amicus briefs were signed by 28 tech and media companies, including Apple, Amazon, Hewlett-Packard Co., Verizon Communications Inc., Fox News Network LLC, and The Washington Post Co., as well as 23 trade associations and advocacy organizations such as the American Civil Liberties Union, the Electronic Frontier Foundation, the U.S. Chamber of Commerce and the Newspaper Association of America.

U.S. providers shifting stance toward cloud data privacy

According to industry observers, the case illustrates how Microsoft and other large tech companies have shifted from a once-cozy relationship with the U.S. government to staunchly supporting data privacy rights of customers.

In a press event Monday, Brad Smith, Microsoft's general counsel and executive vice president of legal and corporate affairs, contested the U.S. government's argument that it holds jurisdiction over the emails because Microsoft employees could retrieve the emails without going to Ireland. In addition, Smith said, the U.S. government is arguing that the emails are "business records" and not personal communications entitled to protection under the U.S. Constitution.

"The U.S. government has argued in this case that your email, when stored in the cloud and located in a data center, ceases to belong to you alone," Smith said. "Instead it becomes a business record of a tech company as well."

Smith said Microsoft isn't opposed to handing over the emails to the U.S. government, but he argued that the U.S. government cannot go to another country to execute a search warrant to obtain physical items, so therefore it shouldn't be allowed to do so for digital items that reside in another country. Instead, Microsoft argued, the Justice Department should respect international laws and make any requests for the emails through the Irish government.

The U.S. government has argued in this case that your email, when stored in the cloud and located in a data center, ceases to belong to you alone.
Brad SmithMicrosoft's general counsel & executive vice president of Legal and Corporate Affairs

"We absolutely believe it is a search and seizure [issue] in Ireland," Smith said. "We store this data in a physical place. And we don't choose the place at random -- we choose because that's where the customer is located."

Andrew Pincus, a lawyer who filed one of the briefs and serves as an advisor to the U.S. Chamber of Commerce, said during the press event that the economic benefit of cloud computing "is lost" if there's significant risk of exposing data by placing it in the cloud.

"Companies and certainly people aren't going to do that if it means they lose control over their proprietary information," Pincus said.

Impact on cloud security

The controversial case is heating up at a time when Microsoft has made significant investments in the cloud, particularly around Azure security, in an effort to match rival public cloud provider Amazon Web Services. Some of the recent cloud security improvements include Microsoft's Antimalware for Cloud Services and Virtual Machines, a software extension for existing Azure customers, and enhancements to the Azure Active Directory identity and access management service.

While malware and unauthorized access are chief concerns for cloud security, the DOJ case and NSA surveillance have shifted attention to where data is stored in the cloud and how that data is protected.

"Ultimately, it's about trust," Smith said. "You wouldn't put your money in a bank if you weren't confident that it would be there when you wanted to withdraw it, [and] you're not going to put your data in a data center or the cloud run by an American company if you don't have confidence about who can and cannot get access to it."

During the press event, Smith was asked if users should encrypt all email communications to prevent these kinds of legal battles. Currently, Microsoft does not encrypt emails automatically, but and Office 365 offer encryption options for users. In addition, Microsoft last summer added Transport Layer Security encryption for both outbound and inbound email in and also strengthened encryption features for Microsoft Azure Guest OS.

"Encryption definitely is important," Smith said. "It protects [data] in a wide array of scenarios."

But Smith stopped short of saying all emails and communications should be encrypted and cited law enforcement challenges in situations where the cloud provider or security firm doesn't hold the encryption keys.

"What happens when email or other data is encrypted and the service provider doesn't have the key to decrypt it?" Smith said. "Obviously that's where things have been going the last few years."

Microsoft and the organizations that participated in the amicus briefs called on Congress and the Obama administration to "engage in a holistic debate on the solutions to these issues," and explore modern legislation that properly reflected how digital content is stored and transmitted in today's world.

The case, Microsoft v. U.S., No. 14-2985, is currently in the 2nd U.S. Circuit Court of Appeals, and a decision on the appeal is expected sometime next year. The Justice Department Tuesday declined a Reuters request for comment.


Next Steps

Find out how Microsoft is trying to boost cloud security in Azure.

Dig Deeper on Cloud Data Storage, Encryption and Data Protection Best Practices

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Does your organization encrypt email and other data stored in the cloud?
Yes, it does. I see this as a basic security measure that all companies using the cloud can and should be taking - data privacy is a real concern, and as a company, we want to support it. 
I'm a bit cynical. If it gets to push and shove and the government makes a good enough case for needing information, then these emails will be handed over. But for now, I applaud the line MSFT has taken to protect its customers' data/information.
That is the question. Why should it any different just because they are overseas? It's a tricky situation. What e-mails are they looking at? Specific threats or are they on a phishing expedition? Have they gone through the legal channels here and hit a road block because it's now international? If so and the word gets out everyone will move their cloud service out of their own country for this reason.

Todd, to answer a couple of your questions: 1) the DoJ is looking for emails connected to a drug investigation, and 2) U.S. law enforcement has NOT gone through proper channels with the Irish government to obtain the emails. I probably should have clarified that in the article. The DoJ's first and only action to obtain these emails was requesting and receiving a warrant to compel Microsoft to turn over those messages. So U.S. law enforcement didn't hit any roadblocks with the Irish government because they didn't even try. 

Also, here's the latest on the case, which Microsoft has won (for now):