A ruling that Microsoft must turn over emails in a foreign data center could cost US businesses billions and make a mess of international law, experts say.
Microsoft executive VP and general counsel Brad Smith vowed this week to fight US District Court Judge Loretta A. Preska's ruling that the company must turn over customers' emails to the government, even though the data is stored in a Microsoft data center in Ireland. The verdict won't be immediately applied, because Preska, who unexpectedly issued a bench ruling, stayed her decision so that Microsoft can appeal. Nevertheless, many are concerned that if the ruling becomes an established precedent, it will spell trouble not only for privacy rights and international law, but also for the US tech market.
In the wake of the NSA surveillance scandal, some foreign governments and businesses have been hesitant to use US tech products. At this time last year, experts estimated that the damage to the US tech sector's reputation might cost domestic cloud companies $45 billion. Since then, Microsoft, Google, Cisco, and other large tech players have denied installing NSA backdoors in their products. Many have also enjoyed strong cloud momentum, as more businesses have embraced cloud infrastructure and hosted services to improve bottom lines.
Nevertheless, privacy and security concerns remain prevalent, especially on the international scene, where countries including China and Russia are removing US products from government use, and replacing them with local alternatives. There's a lot of political theater mixed into these concerns over data security and US trustworthiness, of course, but make no mistake: Decisions such as Preska's stoke legitimate fears.
"There's a great deal of legal uncertainty at the moment," Kate Westmoreland, a lawyer and fellow at Stanford Law School, said in a phone interview. "Either way this decision unfolds in the end, the important thing is to have some business certainty."
Westmoreland cautioned in a blog post that the ruling doesn't grant the US government unrestricted access to cloud data. The ruling applies only to US-based companies, and the issue only came before Preska because another judge found probable cause to issue a search warrant in the first place. It's too soon to tell if the ruling is a good or bad thing, she wrote, because the case's outcome is less important than the legal rationale that supports it. That rationale could evolve as the case winds through years of appeals.
In the interview, Westmoreland explained some of the potential complications. "Countries will be looking to each other to see how they're handling these things. The way the US courts behave, other countries will be looking at that as a way they might approach it."
"Lost business is an obvious outcome" if the ruling is implemented, but the ramifications for international law could be much worse, according to Morgan Reed, executive director at the Association for Competitive Technology (ACT). In an interview, he told us that if the US government can compel Microsoft to turn over data in an Irish data center, "European governments may say, 'We can extract data from US citizens anywhere in the world.' "
This sort of legal interpretation could lead to a "Balkanization of the Internet," he said, that would threaten the Web's unique identity. He also worries the ruling indicates that "storing data with a company in the US essentially turns you into a US citizen" in terms of the government's reach, but not necessarily its due process protections. "Not everyone has access to the courts in the same way we do. That's unnerving."
Elad Yoran, CEO of cloud security vendor Vaultive, said even if businesses are concerned about government overreach, they shouldn't resist the cloud. "If anything is true of Microsoft's cloud, it's that it's very secure," he told InformationWeek. "The problem is, even if Microsoft builds the widest moats and highest walls, when the judge says, 'Turn the data over,' Microsoft has to. It's a question of control."
Yoran suggests that businesses should apply persistent encryption to data before moving content to the cloud, and that they hold onto the keys themselves. "The golden rule with encryption is, whoever controls the keys controls the data," he said, illustrating that even if Microsoft is forced to give a government your encrypted data, that government could have no way to read it.
Westmoreland also endorses encryption: "It means power is back with the user. There are limitations on being able to compel users to give up those keys."
Yoran, Westmoreland, and Reed all agree that the issue could take years to resolve. According to Reed, the inevitability of a lengthy appeals process might explain why Preska issued a stayed bench ruling. "This case was always going up," he says. "The ruling was a recognition that this was not the final word on this decision. The judge said, 'Why don't I speed it along?'
"It's unfortunate she did that by ruling against innovative tech companies."
Michael Endler joined InformationWeek as an associate editor in 2012. He previously worked in talent representation in the entertainment industry, as a freelance copywriter and photojournalist, and as a teacher. Michael earned a BA in English from Stanford University in 2005 ...