I guarantee there will quickly be a diplomatic incident when any country requests data on American citizens held outside their territory.
One rule for the US, and another for everyone else
Google will not contest new warrants for overseas data - as long as they are made outside the Second Circuit, according to the US Department of Justice. The DoJ made the revelation in a reply brief issued as part of the ongoing battle between the US government and Microsoft over emails held on servers in Ireland, which Uncle …
I never understood the Microsoft case anyway, there have been rules in effect for decades on getting this information - you petition the Irish courts (in this particular case) with the assistance of the local authorities and if the case has any merit, the information will be given to the local authorities and they will hand it over to the US... It would have been much quicker and have caused a lot less fuss than trying to play Team America: World Police.
Blunderbirds are GO!
"I never understood the Microsoft case anyway, there have been rules in effect for decades on getting this information - you petition the Irish courts (in this particular case) with the assistance of the local authorities"
But that would acknowledge that US law doesn't apply globally which is what they have tried to pretend to date - despite evidence to the contrary: https://www.theregister.co.uk/2005/04/08/wto_online_gambling/
"the DoJ said: “In the wake of those decisions, Google has reversed its previous stance and informed the government that it will comply with new Section 2703 warrants outside the Second Circuit.”"
Presumably Google can look forward to some exceedingly large fines in the EU under the GDPR then:
"Breaches of some provisions by businesses, which law makers have deemed to be most important for data protection, could lead to fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater, being levied by data watchdogs. For other breaches, the authorities could impose fines on companies of up to €10m or 2% of global annual turnover, whichever is greater."
You would hope the argument 'We intimidated these people into breaking the law for us, now tell the holdouts to do the same' would convince a judge to do what they want. The US could get all this data if it wanted by cooperating with the countries the servers are in. For some reason they'd rather strong-arm their own companies rather than ask for help no matter how willingly it would be rendered.
What happens when Moscow based employees disclose the data on all US citizens without leaving their desks?
Or Beijing based employees?
Or Paris based employees?
Microsoft, Google, etc are also corporations registered according to the laws of these countries - they must comply with them too.
"Microsoft, Google, etc are also corporations registered according to the laws of these countries - they must comply with them too."
Microsoft have attempted to fix this by making sure local data custodians are required to approve access requests. i.e. someone based in the US doesn't have the access rights to get EU data without the appropriate EU approvals...
"The DoJ made the revelation in a reply brief issued as part of the ongoing battle between the US government and Microsoft over emails held on servers in Ireland, which Uncle Sam says should be handed over according to section 2703 of the Stored Communications Act."
Your laws do not apply over this side of the pond.
Of course US laws don't apply in other countries, but they do apply in the USA. The FBI and USA spooks in general would like to have complete access to everything and anything that is in the USA or can be tricked, coerced or downright kidnapped to be in USA territory. This case is about coercing US companies to bring data into the USA. The US courts probably don't take into account any illegality that would cause in other countries. It sounds like madness to me.
Of course US laws don't apply in other countries
IANAL. However, based on what I know about it:
Not according to USA law. USA laws apply to USA corporations and USA citizens regardless of their location. This is the current interpretation of the 14th amendment to the USA constitution.
The underlying issue in the Google case is that despite this being very questionable under EU data protection law it can relocate the data to be processed to USA without the explicit consent of the data subject (it is based on the umbrella consent in their end-user agreement). This is the basis of the DOJ argument in their cases. Rather unsurprisingly DOJ has won this one every time so far. It just asks for the data to be relocated and now has full subject access.
Microsoft was slightly smarter (or dumber - depends on the viewpoint). Its end-user agreement actually does not allow for this. Thus, Microsoft claims that it cannot relocate the data from Ireland to the USA without the subject consent and while in Ireland it is under governance of Microsoft Ireland and thus not subject to USA law. DOJ as a result tried to argue that Microsoft Ireland, which is an Irish company is subject to USA law as a wholly owned subsidiary. That rather unsurprisingly did not fly - "far fetched" is not the word for this one.
So all it will take for Google to get off the hook is to make its EULA legal per EU law. It is illegal as per the most recent changes to it which prohibit change of jurisdiction for dispute resolution to outside EU and a whole raft of other things.
"So all it will take for Google to get off the hook is to make its EULA legal per EU law."
First, they're ALREADY on trial (facto has already been established), so trying to change the EULAs now would be closing the stable after the horse bolted. Second, since Google's global headquarters is in the US, doesn't the US law take precedence over all other laws because that's where the (insert currency here) ultimately stops? After all, it's not like Google execs can be arrested under EU law and extradited to the EU for trial.
Don't take this personally but I don't give a flying fuck what US laws the USA thinks are valid outside their territory, they do not apply here (clue, I'm not in the USA). They also do not apply to US citizens here, US Marshals cannot come over here and pick up some US citizen and take him back to the USA for trial, not legally anyway. What happens when someone or something enters US territory is another matter - US laws apply in the USA.
Similarly citizens of, say, the Republic of Ireland should respect Irish laws concerning, say, data privacy and incidentally so should US citizens if they happen to be in the Republic of Ireland.
You may well say that Google can do what it likes with any data that it can get its sticky fingers on - I wouldn't bet on that situation lasting long once it becomes unpleasant for its customers.
"They also do not apply to US citizens here, US Marshals cannot come over here and pick up some US citizen and take him back to the USA for trial, not legally anyway."
Oh? What specific law says this cannot apply? And what about extradition and the like?
"That generally requires the offense to have also been illegal in the country you are extraditing from."
It also requires the agreement and assistance of local plod - who have to do the "picking up" and other legwork. Handing over to US marshals only happens when the plane lands in the USA.
"The FBI and USA spooks in general would like to have complete access to everything and anything that is in the USA or can be tricked, coerced or downright kidnapped to be in USA territory."
Salient point about "kidnapped" - FBI agents _stole_ data disks in the Kim Dotcom extradition case and breached a court order by removing them from New Zealand to the USA after a high court judge had explicitly ordered that they not do that.
Said judge was unimpressed, but for some reason didn't declare the prosecution's case null and void.
There are hundreds of email providers that are not located in the US or affiliated with any US company. I cannot see that anyone gains any advantage by sending or receiving emails via Google or any other US service provider. Therefore any moderately savvy person would not use Google to communicate anything that was even slightly naughty.
So after the US manages to catch all the stupid criminals, the more intelligent criminals will have less competition ...
And my ex employer is one of them. However, since they decided not to do any business continuity planning and made me redundant without having anyone else who knows how to admin the Linux/Postfix/etc setup - they are working really hard to shift all customers to another service.
That other service is by default Microsoft's broken by design system - without giving the customer any hint that they might like to consider where their data is stored or who has access to it.
One of the things that came out of an outage MS had a while ago is that AT LEAST one of its authentication servers is in the US - and that means ALL assurances about privacy etc are null and void as "he who holds the keys" (authentication server) has access to the store.
"One of the things that came out of an outage MS had a while ago is that AT LEAST one of its authentication servers is in the US"
Primarily for US servers and services. With Microsoft's security model, even if you authenticated against a remote server, your access rights are still controlled by the local / regional authentication infrastructure to the data / system you are accessing.
And if you really care about it, Microsoft offer a "bring your own keys" option with secure HSMs where even Microsoft can't access your encrypted data...
If you needed another reason to bin Google / Gmail / Drive / Apps etc, there it is... Wow, simply Wow! As was said above, the US won't reciprocate this little data-land grab. Just try seizing data on US soil and see what happens.
There was a case recently of a woman using Google-Search to find contact info for Google because she couldn't access her Gmail account. What was the top search link? A scammer hotline, one so abusive it called her a c*nt!
When Google can't even be bothered to protect its own search results, and clearly can't be bothered to keep Malware off the Play Store. What use are they? We're a long way from the days of the hip funster start-up offering worthy products. Watch BBC's Secrets-of-Silicon-Valley if you've any doubt!
That old movie trope where the Sheriff has to call off the chase because the bad guys crossed the county line (just some good ol' boys) might be false thanks to inter-agency cooperation, but the government is taking this a bit far. They're leaving out the cooperation part.
Just because Microsoft is a US corporation doesn't mean the US DOJ's powers magically extend to any foreign land Microsoft may do business in. Microsoft has no power to circumvent any law, US or foreign.
This is one of those policies we really can blame on Obama. The loss of digital freedom during his presidency was severe.
I have not read the Second Circuit decision, the district court decision, or any of the related briefs, and am not a lawyer anyhow. From secondary sources, however, including the Register, it is my understanding that the US government's position is that because Microsoft, a US based corporation, owned (through an Irish subsidiary) the Irish data center where the data in question was stored, and Microsoft operated that data center from the US, it was a proper target for the search warrant. That argument carried the day with the district court, but that decision was overturned in the Second Circuit court of appeal. As the current article points out, they have had substantial success with similar arguments in other circuits, to the point where it appears Google may largely have given up on opposition, perhaps to file amicus briefs in a future Supreme Court case. However, I am not aware of any claim by the DoJ that they intended US law enforcement authority to extend, in general, to other foreign countries.
It is possible that the officials who sought the warrant in the first place were working the US court system to expedite access to the data they sought rather than use the lengthier and more involved process defined in MLA treaties. That may offend some, and it is not unreasonable to oppose it. The Supreme Court does not yet seem to have accepted the DoJ appeal, but in view of the different outcomes in other circuits it seems reasonable that they will eventually, and the resulting decision will settle the issue.
"the government’s ability to use warrants to obtain communications abroad now depends on the 'jurisdiction and the identity of the provider'".
It does not depend on the identity of the provider and never did. It now depends on the jurisdiction, it did as soon as the Second District Circuit issued its decision, and it will do so until the Supreme Court rules on an appeal. Courts in a circuit are not required to follow decisions in any other circuit, although they may take note of them - either supporting or not - in deciding cases. The same is true for courts of appeal. The notion that DoJ is trying to influence the Supreme Court by the statement quoted, apparently in a brief in a circuit other than the Second, is absurd, although it may be trying to influence a district court to avoid the messiness associated with another appeal in a different circuit.
My own preference would be for the DoJ to use mutual legal assistance treaties where they exist, and in particular in the Microsoft case in Ireland. However, it is fairly clear that there is more complexity to the issue than is commonly noted in public discussion. Orin Kerr has discussed some of this in a number of Washington Post articles. It also is clear that under some simple rules that may seem desirable on their face it would be possible to set up a business in the US to operate servers in a foreign country in such a way that the US owners and operators would be immune from these warrants (because the data are stored outside the US) and the country where they are stored has no capability to produce the stored data (for instance, because nobody in their jurisdiction has access to a necessary decryption key). Some certainly would find that desirable, but it is not clearly good public policy to give such aid and comfort to criminals and others for whom law enforcement officials can justify search warrants.
By not asking the foreign government - in Microsoft's case, Ireland - USGov does not add additional layers of people who can leak whatever information they are "requesting" (although 'demanding' is probably closer to the mark).
If you don't know USGov is looking at everything you do, you won't try to make it harder for them to get it... Of course, they would only ever use such access to spy on terrorists, never private citizens or any organisations that use MS software like Office (so would never **potentially** be involved in industrial espionage on behalf of American companies - sorry, passing on technical information that might be of use in foreign or domestic contracts...)