A New York judge has ruled that US cloud providers must turn over data they have, regardless of where in the world it is stored, in a decision that could have huge implications for the use of cloud services.
The judgment from magistrate judge James Francis in New York on Friday came in response to a challenge from Microsoft that it should not have to hand data over regarding an Irish customer, as the information is stored overseas.
Microsoft deputy general counsel David Howard argued: "The US government doesn’t have the power to search a home in another country, nor should it have the power to search the content of email stored overseas."
However, judge Francis disagreed in his ruling, claiming, “the burden on the government would be substantial, and law enforcement efforts would be seriously impeded” if warrants for data did not cover this information.
“Even when applied to information that is stored in servers abroad, an SCA [Stored Communications Act] warrant does not violate the presumption against extraterritorial application of American law," he added.
Microsoft said it would appeal the ruling, noting that it always intended to take the case to the highest courts in the land in order to change the wording of the law governing stored data requests.
“When we filed this challenge we knew the path would need to start with a magistrate judge, and that we’d eventually have the opportunity to bring the issue to a US district court judge and probably to a federal court of appeals,” wrote Howard in a blog post after the ruling.
“The magistrate judge, who originally issued the warrant in question, disagreed with our view and rejected our challenge. This is the first step toward getting this issue in front of courts that have the authority to correct the government’s longstanding views on the application of search warrants to content stored digitally outside the US.”
The cloud under threat
The ruling poses huge challenges for the wider technology market as it effectively means any company using a US cloud provider to store information could have that data seized and searched by US officials, regardless of where it is stored.
This is a major concern for many businesses, and firms such as Microsoft have gone to great lengths to try and assuage this by securing relevant credentials that should ensure data stored in Europe remains protected, as cloud is central to their future.
The ruling by judge Francis undermines this, though, and could make many firms already wary of the cloud even more reluctant to move data from their own servers.
Furthermore, firms already in the cloud with US providers – ranging from Microsoft and Google to Salesforce or Oracle – may also reconsider where they store their data, as reassurances data stored off US soil was safe may now be seen as meaningless.
The ruling could open the door for European firms to set up rival services to the US giants, to ensure they can guarantee customers that any data stored with them will not be accessible to the US’s prying eyes.
However, after the PRISM revelations of last summer, many may just decide that the cloud is not worth the risk, regardless of where data is stored.
Lawyer Stewart Room from Field Fisher Waterhouse said the ruling could potentially be “very profound”.
"The long arm of US law reaches data centres and data repositories held by US firms everywhere,” he told V3.
“This legal risk has been known about for years, but in the post-Snowden world bringing further attention to the risk is bound to be very uncomfortable for US tech companies and their customers.”
Room said firms should review their use of the cloud in light of the rulings, although he noted that for many firms day-to-day life would not change as the likelihood of being affected was slim.
“Business customers will want to review their strategies going forward, although I urge them not to panic: the key issue for business is to understand the extent of its exposures, which in most cases will be very small indeed.”
Dan Worth is the news editor for V3 having first joined the site as a reporter in November 2009. He specialises in a raft of areas including fixed and mobile telecoms, data protection, social media and government IT. Before joining V3 Dan covered communications technology, data handling and resilience in the emergency services sector on the BAPCO Journal.