vali_111 - Fotolia
Some of Microsoft's fiercest rivals, including Apple Inc. and Amazon.com Inc., have come to the defense of the software giant in a controversial cloud data privacy case that could have negative implications for cloud security.
Microsoft Monday filed 10 amicus briefs, also known as "friend of the court" briefs, from a diverse group of technology firms, media companies and trade associations that support Microsoft's opposition to a U.S. search warrant for customer emails stored in a data center in Ireland. Microsoft refused to comply with the warrant, which was part of a drug-related investigation, arguing that the data center is outside the jurisdiction of the U.S. Department of Justice.
But U.S. Magistrate Judge James Francis ruled against Microsoft in April, and later a federal court ordered Microsoft to hand over the emails to prosecutors. Microsoft recently filed an appeal of the decision and says it's committed to protecting customers' data in the cloud.
The amicus briefs were signed by 28 tech and media companies, including Apple, Amazon, Hewlett-Packard Co., Verizon Communications Inc., Fox News Network LLC, and The Washington Post Co., as well as 23 trade associations and advocacy organizations such as the American Civil Liberties Union, the Electronic Frontier Foundation, the U.S. Chamber of Commerce and the Newspaper Association of America.
U.S. providers shifting stance toward cloud data privacy
According to industry observers, the case illustrates how Microsoft and other large tech companies have shifted from a once-cozy relationship with the U.S. government to staunchly supporting data privacy rights of customers.
In a press event Monday, Brad Smith, Microsoft's general counsel and executive vice president of legal and corporate affairs, contested the U.S. government's argument that it holds jurisdiction over the emails because Microsoft employees could retrieve the emails without going to Ireland. In addition, Smith said, the U.S. government is arguing that the emails are "business records" and not personal communications entitled to protection under the U.S. Constitution.
"The U.S. government has argued in this case that your email, when stored in the cloud and located in a data center, ceases to belong to you alone," Smith said. "Instead it becomes a business record of a tech company as well."
Smith said Microsoft isn't opposed to handing over the emails to the U.S. government, but he argued that the U.S. government cannot go to another country to execute a search warrant to obtain physical items, so therefore it shouldn't be allowed to do so for digital items that reside in another country. Instead, Microsoft argued, the Justice Department should respect international laws and make any requests for the emails through the Irish government.
Brad SmithMicrosoft's general counsel & executive vice president of Legal and Corporate Affairs
"We absolutely believe it is a search and seizure [issue] in Ireland," Smith said. "We store this data in a physical place. And we don't choose the place at random -- we choose because that's where the customer is located."
Andrew Pincus, a lawyer who filed one of the briefs and serves as an advisor to the U.S. Chamber of Commerce, said during the press event that the economic benefit of cloud computing "is lost" if there's significant risk of exposing data by placing it in the cloud.
"Companies and certainly people aren't going to do that if it means they lose control over their proprietary information," Pincus said.
Impact on cloud security
The controversial case is heating up at a time when Microsoft has made significant investments in the cloud, particularly around Azure security, in an effort to match rival public cloud provider Amazon Web Services. Some of the recent cloud security improvements include Microsoft's Antimalware for Cloud Services and Virtual Machines, a software extension for existing Azure customers, and enhancements to the Azure Active Directory identity and access management service.
While malware and unauthorized access are chief concerns for cloud security, the DOJ case and NSA surveillance have shifted attention to where data is stored in the cloud and how that data is protected.
"Ultimately, it's about trust," Smith said. "You wouldn't put your money in a bank if you weren't confident that it would be there when you wanted to withdraw it, [and] you're not going to put your data in a data center or the cloud run by an American company if you don't have confidence about who can and cannot get access to it."
During the press event, Smith was asked if users should encrypt all email communications to prevent these kinds of legal battles. Currently, Microsoft does not encrypt emails automatically, but Outlook.com and Office 365 offer encryption options for users. In addition, Microsoft last summer added Transport Layer Security encryption for both outbound and inbound email in Outlook.com and also strengthened encryption features for Microsoft Azure Guest OS.
"Encryption definitely is important," Smith said. "It protects [data] in a wide array of scenarios."
But Smith stopped short of saying all emails and communications should be encrypted and cited law enforcement challenges in situations where the cloud provider or security firm doesn't hold the encryption keys.
"What happens when email or other data is encrypted and the service provider doesn't have the key to decrypt it?" Smith said. "Obviously that's where things have been going the last few years."
Microsoft and the organizations that participated in the amicus briefs called on Congress and the Obama administration to "engage in a holistic debate on the solutions to these issues," and explore modern legislation that properly reflected how digital content is stored and transmitted in today's world.
The case, Microsoft v. U.S., No. 14-2985, is currently in the 2nd U.S. Circuit Court of Appeals, and a decision on the appeal is expected sometime next year. The Justice Department Tuesday declined a Reuters request for comment.
Find out how Microsoft is trying to boost cloud security in Azure.