Court confirms that any US controlled cloud server is vulnerable to US government access.
Here’s a story that got little coverage but deserves a lot more.
A US district court has confirmed what has been known for the last decade, that US companies have to supply data to the US government from any server they have control over even if that server is outside the USA. Almost two years ago Office-Watch.com said “Location doesn’t matter” and the judge merely confirms that by his decision.
That means any OneDrive, OneDrive for Business, Office 365 hosted email or SharePoint service can be read by the US government. It doesn’t matter that the customer is outside the USA nor that the physical server is outside the USA. If the service provider is a US company then it’s bound by the US Federal Stored Communications Act to supply information requested by a warrant.
If you’re in the European Union then your Office 365 etc. data is probably stored on a server in the EU. That data accessible by the US government. In fact the case in question relates to data kept on a Microsoft server in Ireland.
Australia and New Zealand customers are usually serviced by a server farm in Singapore. It might be almost the opposite side of the globe, but the US government can demand a copy of the data.
This is really no surprise. Back in 2011, Microsoft’s UK head was clear that data saved on overseas servers could be accessed by the US government.
Microsoft deserves some credit for getting a legal decision about the warrant thought it’s taken them some time to do it. Let’s embrace the fact that they’ve come to the party albeit late and after pressure to do so.
Microsoft’s Deputy General Counsel says:
“It’s generally accepted that a U.S. search warrant in the physical world can only be used to obtain materials that are within the territory of the United States. A U.S. prosecutor cannot obtain a U.S. warrant to search someone’s home located in another country, just as another country’s prosecutor cannot obtain a court order in her home country to conduct a search in the United States. …
We think the same rules should apply in the online world, but the government disagrees.”
You can’t disagree with that sentiment but the legal reality is that Microsoft and other US companies can make all the promises they like because the law forces them to disclose customer information.
It’s worth remembering that this decision is separate from any NSA related information ‘warrantless’ sharing that is going on each day.
For anyone interested the case details are:
IN THE MATTER OF A WARRANT TO SEARCH A CERTAIN E-MAIL ACCOUNT CONTROLLED AND MAINTAINED BY MICROSOFT CORPORATION
13 Mag. 2814 Full decision