Earlier this month Microsoft announced the building and expansion of data storage facilities in Germany, Ireland and the United Kingdom after an EU court invalidated a key U.S.-EU data transfer agreement in October — a response to mass National Security Agency surveillance programs revealed in the last two years.
While the move represents the first time a major U.S. tech company has admitted it can’t protect user data inside U.S. borders, the question of whether it will allow Microsoft to skirt the U.S. government’s ability to obtain user data is still very much in the air.
“In terms of the Electronic Communications Privacy Act (ECPA), whether giving the data over to another company would avoid whatever legal obligations they’re under here is a very fact-specific question,” American Civil Liberties Union staff attorney Alex Abdo told InsideSources. “I’m sure that the federal government would argue that so long as Microsoft has effective control over the data, they could still be subpoenaed for it or they could still be ordered or compelled to turn it over.”
Microsoft has been fighting such a battle with the Justice Department since last year, when the government ordered the Silicon Valley giant to turn over user emails stored in a Microsoft data center in Dublin, Ireland as part of an FBI drug trafficking investigation.
Under ECPA — a law passed under the Reagan Administration in 1986 — the government can subpoena U.S. companies’ business records after they’re 180 days old. In recent years, the definition of eligible business records has expanded to include Americans’ emails after they reach the six-month threshold.
In an effort to protect users’ private data in the wake of mass surveillance program disclosures by NSA whistleblower Edward Snowden in 2013, Microsoft, along with the ACLU and others, spent the last year fighting the order and lobbying for ECPA reform, arguing the DOJ has no authority to compel the Windows maker to turn over data stored on another country’s sovereign soil, and that it must go through the foreign government in question.
The government argues that as a company based in the U.S., Microsoft is obligated to adhere to the law, regardless of the physical location of the server itself.
According to the company’s announcement two weeks ago, it will build two new data storage facilities in Magdeburg and Frankfurt am Main, Germany.
“[A]ccess to customer data stored in these new datacenters will be under the control of T-Systems, a subsidiary of Deutsche Telekom, an independent German company acting as a data trustee,” a company blog post reads. “Microsoft will not be able to access this data without the permission of customers or the data trustee, and if permission is granted by the data trustee, will only do so under its supervision.”
Abdo said that while details about the legal relationship between Microsoft and Deutsche Telekom are unknown, it’s unlikely the DOJ would be deterred.
“I don’t think we know a whole lot about the nature of the relationship between the companies,” he explained. “If Microsoft still had some sort of effective control of the data, then it might be that a U.S. court would agree with the government, but I think that’s kind of an open legal question.”
“It will in part depend on what the courts say about the current legal fight,” Abdo added. “If they say that the government cannot compel Microsoft to turn over information currently, then I don’t think Microsoft gains by moving the data to another country, at least as a matter of U.S. law.”
Though hazy on the legal front, the move is undoubtedly aimed at giving the company a public relations boost in the wake of the Snowden leaks, which revealed Microsoft to be one of the NSA’s closest collaborators in mass surveillance programs like Prism, in some cases even handing over users’ encrypted communications.
The data center announcement was followed by a “3,000-word privacy manifesto” the day after, in which Microsoft President Brad Smith touched on everything from the Foreign Intelligence Surveillance Court — which approves surveillance requests in secret for the NSA — to Snowden himself.
“Microsoft needs to go beyond standing up for the rights of businesses and governments; we need to be a voice for people,” Smith wrote, going on to say the Ireland case “is important not just to Microsoft and its products, partners and customers, but to everyone who uses the Internet.”
“This is about the future of technology,” Smith continued. “With your help, we can create a world in which people can trust the technology they use — a world in which technology continues to empower.”
“Whatever the motive, when companies protect user privacy in a meaningful way, I think that’s a win for everyone,” Abdo said. “Now companies in the U.S., to the extent they didn’t realize it before, know that privacy matters to their customers, and it’s something for which they should be competing. And companies are trying to compete, and that’s great.”
Abdo added there’s still more Microsoft and others could be doing, including offering end-to-end encrypted services not even the companies themselves can access (a service Apple has adopted over iPhone communications, much to the chagrin of the FBI).
“It’s perfectly understandable that they would try to restructure their storage of data to avoid indiscriminate NSA surveillance,” Abdo said. “But in my mind, the solution to indiscriminate NSA surveillance is to stop indiscriminate NSA surveillance, not to try to restructure the Internet.”