News
8/2/2014
08:36 AM

Microsoft Privacy Case: What's At Stake?

A ruling that Microsoft must turn over emails in a foreign data center could cost US businesses billions and make a mess of international law, experts say.


Microsoft executive VP and general counsel Brad Smith vowed this week to fight US District Court Judge Loretta A. Preska's ruling that the company must turn over customers' emails to the government, even though the data is stored in a Microsoft data center in Ireland. The verdict won't be immediately applied, because Preska, who unexpectedly issued a bench ruling, stayed her decision so that Microsoft can appeal. Nevertheless, many are concerned that if the ruling becomes an established precedent, it will spell trouble for not only privacy rights and international law, but also for the US tech market.

In the wake of the NSA surveillance scandal, some foreign governments and businesses have been hesitant to use US tech products. At this time last year, experts estimated that the damage to the US tech sector's reputation might cost domestic cloud companies $45 billion. Since then, Microsoft, Google, Cisco, and other large tech players have denied installing NSA backdoors in their products. Many have also enjoyed strong cloud momentum, as more businesses have embraced cloud infrastructure and hosted services to improve bottom lines.

Nevertheless, privacy and security concerns remain prevalent, especially on the international scene, where countries including China and Russia are removing US products from government use, and replacing them with local alternatives. There's a lot of political theater mixed into these concerns over data security and US trustworthiness, of course, but make no mistake: Decisions such as Preska's stoke legitimate fears.


"There's a great deal of legal uncertainty at the moment," Kate Westmoreland, a lawyer and fellow at Stanford Law School, said in a phone interview. "Either way this decision unfolds in the end, the important thing is to have some business certainty."

Westmoreland cautioned in a blog post that the ruling doesn't grant the US government unrestricted access to cloud data. The ruling applies only to US-based companies, and the issue only came before Preska because another judge found probable cause to issue a search warrant in the first place. It's too soon to tell if the ruling is a good or bad thing, she wrote, because the case's outcome is less important than the legal rationale that supports it. That rationale could evolve as the case winds through years of appeals.

In the interview, Westmoreland explained some of the potential complications. "Countries will be looking to each other to see how they're handling these things. The way the US courts behave, other countries will be looking at that as a way they might approach it."

"Lost business is an obvious outcome" if the ruling is implemented, but the ramifications for international law could be much worse, according to Morgan Reed, executive director at the Association for Competitive Technology (ACT). In an interview, he told us that if the US government can compel Microsoft to turn over data in an Irish data center, "European governments may say, 'We can extract data from US citizens anywhere in the world.'"

This sort of legal interpretation could lead to a "Balkanization of the Internet," he said, that would threaten the Web's unique identity. He also worries the ruling indicates that "storing data with a company in the US essentially turns you into a US citizen" in terms of the government's reach, but not necessarily its due process protections. "Not everyone has access to the courts in the same way we do. That's unnerving."

Elad Yoran, CEO of cloud security vendor Vaultive, said even if businesses are concerned about government overreach, they shouldn't resist the cloud. "If anything is true of Microsoft's cloud, it's that it's very secure," he told InformationWeek. "The problem is, even if Microsoft builds the widest moats and highest walls, when the judge says, 'Turn the data over,' Microsoft has to. It's a question of control."

Yoran suggests that businesses should apply persistent encryption to data before moving content to the cloud, and that they hold onto the keys themselves. "The golden rule with encryption is, whoever controls the keys controls the data," he said, illustrating that even if Microsoft is forced to give a government your encrypted data, that government could have no way to read it.

Westmoreland also endorses encryption: "It means power is back with the user. There are limitations on being able to compel users to give up those keys."

Yoran, Westmoreland, and Reed all agree that the issue could take years to resolve. According to Reed, the inevitability of a lengthy appeals process might explain why Preska issued a stayed bench ruling. "This case was always going up," he says. "The ruling was a recognition that this was not the final word on this decision. The judge said, 'Why don't I speed it along?'

"It's unfortunate she did that by ruling against innovative tech companies."


Michael Endler joined InformationWeek as an associate editor in 2012. He previously worked in talent representation in the entertainment industry, as a freelance copywriter and photojournalist, and as a teacher. Michael earned a BA in English from Stanford University in 2005 ...

Comments
danielcawrey,
User Rank: Ninja
8/2/2014 | 5:28:11 PM
Re: Encryption will save us all!!!
I like the idea of using encryption and allowing users to store keys - although it would have to be done in an easy-to-use manner. 

That being said, I still question whether the government will be able to still get access. If they have the ability to compel Microsoft to turn over data, for example, they might be able to do the same with certain users.
mokuri,
User Rank: Strategist
8/2/2014 | 1:57:49 PM
News or Editorial?
Out of curiosity, is this piece "news," as described above the headline, or an editorial? Seems more the latter. A few examples:


-- "NSA Scandal." Presumably you're referring to the greatest breach of national security in U.S. history? In some quarters, I believe Mr. Snowden's actions are viewed as having crossed the line from whistle-blowing into treason. As an editor dedicated to the principles of objective reporting, you might wish to give that point of view equal space.

-- "Estimated losses of $45B" in foreign sales by US IT companies. Come back to us when you have a hard number on actual losses. Ed Snowden's revelations are near the 14-month mark. Surely someone proclaiming gloom & doom for the US IT industry can produce a verifiable account of so-called lost sales TO DATE. If so, fine, use it in your reporting. If the numbers don't exist, let's drop this argument.

-- Impact on sales to "Russia and China." No surprise there, but suggest you check other headlines. There's this little thing called global sanctions against Russia going on due to a conflict in some place called Ukraine. Re: China, I believe economists using actual numbers have noted slowing growth in that country that might contribute to reduced U.S. IT sales there. Also, it's possible that mutual U.S./China accusations over cyberspying might have dampened both countries' enthusiasm for purchasing one another's tech products.

For the record: Last time we checked, China, like Russia, was a bit totalitarian itself. Net net, U.S. companies doing business with such countries might want to check their digital moralmeters. Engaging in commerce with pariah nations that subject their people to every manner of human rights violation is morally wrong. The idea of shedding a tear over lost sales to either nation is laughable.
GinoT289,
User Rank: Strategist
8/2/2014 | 11:13:04 AM
Encryption will save us all!!!
I just love the way they always throw the encryption defense out there. Everyone knows that even the strongest encryption can be broken. That's one of the uses for a computer. It can sit there and bang away for days until it breaks the code. I'm personally staying out of the cloud until my dying day. I don't care who you are or whose encryption you use, once you put your data on someone else's server, you are vulnerable. People who don't believe that will start seeing the results once the majority of businesses and personal computer users have committed to using the cloud. By then it will be too late.