Microsoft won a huge victory in the name of user privacy on Thursday as an appeals court has ruled that a federal warrant to seize email from a Microsoft server in Ireland is invalid.
Federal investigators received a warrant for email contents as part of a criminal investigation in December 2013, touching off a debate between the tech industry and law enforcement about jurisdiction and data storage.
The timing plays nicely with Microsoft’s Worldwide Partner Conference (WPC) where the company’s president and chief legal officer Brad Smith called for an internet that respects people’s rights and is “governed by good law.”
In a statement, Microsoft said: “We obviously welcome today’s decision by the United States Court of Appeals for the Second Circuit. The decision is important for three reasons: it ensures that people’s privacy rights are protected by the laws of their own countries; it helps ensure that the legal protections of the physical world apply in the digital domain; and it paves the way for better solutions to address both privacy and law enforcement needs.”
Privacy protections for information stored on paper should persist as data moves to the cloud. This decision helps ensure this result.
— Brad Smith (@BradSmi) July 14, 2016
The warrant’s legality was previously upheld by an appeals court in April 2014. Microsoft appealed that decision in December 2014, after risking contempt of court in a procedural dispute. The tech giant launched a website to promote its position, sued the Department of Justice, and has publically acknowledged a need for cloud providers, particularly in the U.S., to win consumer trust.
The second appeal has been upheld by a panel of three judges sitting for the US Court of Appeals Second Circuit, who ruled that: “(Subsection) 2703 of the Stored Communications Act does not authorize courts to issue and enforce against U.S.‐based service providers warrants for the seizure of customer e‐mail content that is stored exclusively on foreign servers.”
Representatives for lobby groups including the Electronic Frontier Foundation, and the i2Coalition, and for tech companies including Rackspace, Apple, Amazon, Cisco, Hewlett-Packard, and Verizon, as well as for Ireland the European Parliament all submitted briefs in supported of Microsoft’s position.
“We conclude that Congress did not intend the SCA’s warrant provisions to apply extraterritorially,” the judges said in the ruling (PDF). “The focus of those provisions is protection of a user’s privacy interests. Accordingly, the SCA does not authorize a US court to issue and enforce an SCA warrant against a United States‐based service provider for the contents of a customer’s electronic communications stored on servers located outside the United States.”
The ruling also pointed out that Microsoft had already produced “non-content information” that was stored in the U.S.
The Seattle Times reports speculation by lawyers following the case that the government would appeal the appellate decision if it lost.