July 28, 2014
In an ongoing case involving Microsoft, the United States Department of Justice has taken the position that the company must disclose e-mail messages of a customer despite the fact that those messages are stored outside of the United States. This expansive assertion of jurisdiction has important adverse implications for cloud computing services.
As part of a drug trafficking investigation, the Justice Department seeks access to e-mail messages of a Microsoft customer. Those messages are stored on servers located in Ireland. The Department of Justice ordered Microsoft to produce the stored messages. Microsoft resisted, and a magistrate judge ordered the company to comply. Microsoft appealed that order in the federal district court for the Southern District of New York, and that appeal is currently pending.
Microsoft and other global service providers routinely store and process e-mail messages and other system content using servers and other equipment at locations around the world. International routing and storage of data and communications are important elements of cloud computing networks and operations.
Microsoft contends that the actions of the Justice Department in this case constitute an unconstitutional search and seizure of the customer data. The company argues that customer communications stored exclusively on equipment located outside of the U.S. are beyond the jurisdiction of U.S. authorities.
Counsel for the Irish Supreme Court filed comments in this case. Irish counsel argued that Ireland and the United States have a well-established treaty providing for cooperation between law enforcement authorities. Counsel notes that U.S. authorities should abide by the terms of that treaty and make a request directly to Irish law enforcement authorities, asking them to obtain the material in question under Irish law. Irish authorities could then share the material with their U.S. counterparts.
In this case, the Department of Justice has, in effect, asserted global jurisdiction over the electronic content of U.S. organizations and individuals. If this view of jurisdiction is accepted, U.S. authorities will have the ability to force access to the digital content of any party under their jurisdiction, no matter where in the world that content is stored.
The demand for data in this case constitutes overreaching by U.S. authorities. It sets a very bad precedent. The obvious solution is the approach suggested by the Irish authorities. The Justice Department should work with its counterparts in Ireland to use existing treaty arrangements to obtain the desired data in compliance with Ireland’s laws and procedures.
The United States government should not have the ability to assert global jurisdiction over the digital archives of American companies and individuals. Expansive digital jurisdiction by U.S. authorities will likely create an environment in which many different countries will make similar global claims for access.
The broad jurisdiction sought by the Department of Justice in this case could have significant negative consequences. It is likely to impede growth of cloud computing and other shared computing services and systems.