back to article Law's changed, now cough up: Uncle Sam serves Microsoft fresh warrant for Irish emails

The US government has issued Microsoft with a new warrant to get access to emails held on the firm's Irish servers, while asking the Supreme Court to dismiss the existing legal battle. The long-running wrangle began back in 2014, when Microsoft was taken to court by American prosecutors who wanted access to suspects' emails …

  1. Snorlax Silver badge

    Next step?

    MS asks the Supreme Court to rule on the constitutionality of the Cloud Act?

    Unlikely to get anywhere, but a stalling tactic nonetheless...

    /off to read the Cloud Act

    1. Charlie Clark Silver badge

      Re: Next step?

      I suspect trying to apply it retroactively is enough to get it thrown out of most courts.

      OTOH Trump has just made himself wide open to the next "Benghazi" because the new law will also allow non-US spooks access to data held on servers in the US. What could possibly go wrong? Okay, those provisions will probably be thrown out on constitutional grounds because of the protection that the US constitution offers to US citizens (the rest are just "aliens" and fair game for spooks, scammers, etc.).

      1. Paul Hovnanian Silver badge
        Devil

        Re: Next step?

        "I suspect trying to apply it retroactively is enough to get it thrown out of most courts."

        Ex post facto laws are in fact banned. But I suspect (and IANAL) that this would apply to data stored overseas going forward from the date of passage. No penalties for past refusal to comply with a warrant. But from here on out; hand it over.

        Devil, because that's where the details lie.

        1. Androgynous Cupboard Silver badge

          Re: Next step?

          > Ex post facto laws are in fact banned

          Not if you're HMRC

    2. Dan 55 Silver badge

      Re: Next step?

      Here's a summary of the Cloud Act so you don't have to read it:

      All your data are belong to US.

      1. Swiss Anton

        Re: Next step?

        "All your data are belong to US"

        Until we sell it on for a profit.

      2. Uffish

        Re: Cloudy

        All your data are belong to US, says US.

        There, I've put that in a wider context for the benefit of US administration types.

  2. aks

    I assume that the Irish government will still refuse to let the USA have direct access to servers in Ireland.

    A search warrant against specific individual individuals or countries causes no problem for the Irish. It's the direct access they object to, allowing the USA to use 'big data' methods.

    1. Anonymous Coward
      Anonymous Coward

      I assume that the Irish government will still refuse to let the USA have direct access to servers in Ireland.

      Why do you assume that? I don't.

      So long as US businesses have the Irish government on a short leash, courtesy of the liberal application of tax laws, the Irish gubbermint will do whatever US big-tech tells them. In this case, it'll be "do as the MIB say", because that gives people like Apple a "get out of jail free card".

      1. Doctor Syntax Silver badge

        "So long as US businesses have the Irish government on a short leash, courtesy of the liberal application of tax laws"

        Well, this allows the EU to impose what's effectively a 4% global turnover tax on US companies. That probably far exceeds anything they'd have taken via a with-holding tax on EU turnover.

    2. Oh Homer
      Mushroom

      Violation of national sovereignty

      The ramifications of this go far beyond mere data protection. The US is, in effect, claiming sovereign rights over another nation. Frankly I don't think it's an overstatement that this is tantamount to a declaration of war. This is not America. You don't get to do just anything you like in our country.

      American hegemony is not exactly new, but rarely is it this brazen.

      If you're an American citizen or company operating in our country, then you are governed by our laws. If you or your government dispute this, then you need to leave. Period.

      1. Joe Montana

        Re: Violation of national sovereignty

        They're not claiming rights over another nation, they are claiming rights over data which is privately held by a subsidiary of a US corporation that just happens to be located in another country.

        If the data was held on a server belonging to an Irish company then the US would have no way to demand the data, and would need to apply for an order through the Irish court system.

        The fact is while Microsoft employees in Ireland are not directly answerable to the US government, they are answerable to senior Microsoft employees based in the US who in turn are answerable to the US government.

        Employees working for an entirely Irish owned company with no US parent company would not be answerable to the US government at all, and could only be compelled to perform any action by Irish or EU governments and courts.

        If you're concerned about foreign governments interfering in your business, then support local businesses and only worry about your own government (which you cant avoid anyway, and theoretically have some control over).

        1. big_D
          Facepalm

          Re: Violation of national sovereignty

          @Joe Montana the data is on a server on Irish soil, owned and run by an Irish company, which just happens to be a subsidiary of a US company.

          And regardless, the data is in Ireland and falls under EU and Irish law. If Microsoft US hands over the data, the board of Microsoft Ireland could face large fines and imprisonment for breaking data protection laws. Microsoft Ireland cannot hand over the data to a US organisation or US law enforcement without the written permission of all identifiable persons in the communications (if they are EU citizens) or a valid EU / Irish issued warrant.

          So Microsoft US executives faces imprisonment and fines if they don't hand over the data and Microsoft Ireland (a separate entity) face imprisonment and fines if Microsoft US does hand over the data.

        2. Anonymous Coward
          Anonymous Coward

          Re: Violation of national sovereignty

          "They're not claiming rights over another nation, they are claiming rights over data which is privately held by a subsidiary of a US corporation that just happens to be located in another country."

          You actually believe that? It's data which is not owned by US company and it's not in US.

          That's the definition of claiming rights over another nation. Even if you are not admitting it: That's irrelevant.

        3. Tom 38

          Re: Violation of national sovereignty

          The fact is while Microsoft employees in Ireland are not directly answerable to the US government, they are answerable to senior Microsoft employees based in the US who in turn are answerable to the US government.

          In most countries, working for a company doesn't mean that you are obliged to break the laws of your country because your superiors abroad order you to.

      2. It wasnt me

        Re: Violation of national sovereignty

        Exactly. Can we pass a law in Westminster saying that our citizens can help themselves in US shops? Or that a speed limit of 70 mph applies on US motorways to English people? I don't get the difference with what the merkins are doing.

        By the way, I like the way you ended your post with 'period'. Very USA'ish. Full stop.

        1. wallaby

          Re: Violation of national sovereignty

          "Can we pass a law in Westminster saying that our citizens can help themselves in US shops? Or that a speed limit of 70 mph applies on US motorways to English people?"

          I think we should

          the US embassy in London refused to pay the congestion charge on the grounds of diplomatic immunity, but UK embassy staff in the US don't have that luxury as they have to pass through toll booths.

          Data held in servers in the EU should be subject to EU law only - but in reality we know that the US will never respect that nor any other laws that they don't pass.

      3. Muscleguy

        Re: Violation of national sovereignty

        Remember the US is the country which granted itself the right to invade The Hague should any US citizen by arrested by the ICJ. Thinking they can do what they like in the world is par for the course.

        See also Trump pre election thinking he could use compulsory purchase to acquire neighbouring properties for his Aberdeenshire golf resort. You can do that in the US but not here in Scotland.

        Then there's that TV series where an FBI unit is allowed to travel the world with weapons and arrest/shoot/kill bad guys in other people's countries. That is just 'Merican wish fulfilment wet dream fantasy.

        If that is their cultural reference this is little surprise. The EU equivalent with Donald Sutherland is much more realistic in terms of jurisdictional issues.

      4. jchevali

        Re: Violation of national sovereignty

        Ireland can't fight this. If they do, the tiniest US nuke could blow them up in a second.

        Ireland could fight this by allying themselves with China, whom the US can't defeat, but if they do, next step is for China to demand all data held in Ireland, so they're not going to be any better off.

        Ultimately the only recourse to the pious people of Ireland is that the Lord in his infinite mercy may grant them an afterlife where they'll not be so weak and abused by other nations. I pray for that.

    3. Velv

      I assume that the Irish government will still refuse to let the USA have direct access to servers in Ireland.

      Isn’t part of the problem that the US hasn’t even bothered to ask Ireland for access?

  3. Anonymous Coward
    Big Brother

    Cloud Act ?

    They should have called it the : Amuricah World Police F*ck Yeah ! Act...

    1. Yet Another Anonymous coward Silver badge

      Re: Cloud Act ?

      Or the "American companies all banned from operating in Europe" act

      1. This post has been deleted by its author

    2. John Smith 19 Gold badge
      Gimp

      "They should have called it the : Amuricah World Police F*ck Yeah ! Act..."

      But that would have ruined the apparently user friendly (but deeply citizen unfriendly) backronym.

      So it's no longer safe dealing with US subsidiaries if you want your data secure.

      Don't deal with US companies for data storage or transmission at all.

      1. Yet Another Anonymous coward Silver badge

        Re: "They should have called it the : Amuricah World Police F*ck Yeah ! Act..."

        Not just if you want your data secure.

        Don't deal with American companies if you don't want your users to sue you and your directors to go to jail

        1. Martin 47

          Re: "They should have called it the : Amuricah World Police F*ck Yeah ! Act..."

          That includes windows, your data may be on your PC in a foreign (i.e. non American) country but Microsoft still has access to it so, it appears, be legally forced to hand it over.

          So nothing new there then

        2. Anonymous Coward
          Anonymous Coward

          Re: "They should have called it the : Amuricah World Police F*ck Yeah ! Act..."

          Don't deal with American companies if you don't want your users to sue you and your directors to go to jail

          starts looking for American companies to deal with

          They should have given me that pay raise

        3. Doctor Syntax Silver badge

          Re: "They should have called it the : Amuricah World Police F*ck Yeah ! Act..."

          "Don't deal with American companies if you don't want your users to sue you and your directors to go to jail"

          Or be fined board-visible amounts.

    3. Chronos

      Re: Cloud Act ?

      America Rogering Someone Else, AKA ARSE Act.

      MS are between a rock and a hard place. Uncle Sam says they must, Europe and Ireland say they must not. It's not often I feel sorry for the Redmond land sharks but this time? I can't see a way they can obey either without falling foul of the other.

      In other news, several imps have perished due to the unusual cold spell in Hades.

      1. big_D

        Re: Cloud Act ?

        Exactly Chronos.

        If the CLOUD Act holds up to scrutiny, companies with a US presence will have to decide, whether they want executives in the USA to face fines and imprisonment or executives in Europe to face fines and imprisonment...

        The Microsoft model for data centers in Germany will be interesting, going forward, they are owned and run by T-Systems on Microsoft's behalf. MS don't get any physical or electronic access to the datacenter or the information in it, they have to request it from T-Systems and the DoJ would still need a European warrant to get access, just like they did before the CLOUD Act.

        1. Yet Another Anonymous coward Silver badge

          Re: Cloud Act ?

          Except if the CLOUD act force them to do anything to obtain the data. So the German owned MSFT data center can no longer accept any Windows updates or Intel CPUs in case they contain a official trojan

        2. Anonymous Coward
          Anonymous Coward

          Re: Cloud Act ?

          Seems to me to be more "F*king over American CLOUD companies act"

          If i was holding personal data (And a lot of companies are), I certainly wouldnt put it in a cloud that could be read by the FBI at a whim.

      2. Anonymous Coward
        Anonymous Coward

        Re: Cloud Act ?

        I wonder what would happen if Microsoft were to announce it was moving its HQ to Ireland and becoming an Irish company?

        Should make for an interesting US congressional election season if they did.

        1. Charles 9

          Re: Cloud Act ?

          They may also intervene. Remember, Microsoft is publicly traded, meaning the SEC can get involved.

    4. Scroticus Canis

      Re: Cloud Act ? ... F*ck yee-haa ...

      FTFY

  4. Anonymous Coward
    Anonymous Coward

    It would appear that the DoJ are trying to add the case in retrospect. The law wasn't there when the case started therefore they shouldn't be able to apply the law retrospectively.

    Oh, sorry I forgot this is in the US that thinks it rules the world and make laws that overrule the laws in sovereign countries.

    1. bombastic bob Silver badge
      Meh

      "It would appear that the DoJ are trying to add the case in retrospect"

      actually no. it's a new action related to an old case.

      I think everyone knew this was coming. Now Micro-shaft can say "we tried" and make themselves APPEAR as if they care about user privacy. But, based on EULAs and actual BEHAVIOR, they obviously do NOT.

      1. Aladdin Sane

        They do care, when it affects their bottom line.

      2. Charlie Clark Silver badge

        it's a new action related to an old case.

        Which makes it different to restrospective in what way exactly? It would set a very dangerous precedent if it succeeds. I would not be in the least surprised if the most conservative judges come down the hardest on this aspect. Will be fun to see Trump moan about judges he picks but can't sack.

      3. John Brown (no body) Silver badge

        "actually no. it's a new action related to an old case."

        ...but referencing the same warrant, not a new one. Although they are claiming that the CLOUD Act negates the need for a warrant. It's all moot anyway as they already have a legal, treaty based method to get the data. This is all about getting around the treaty method of requesting specific data in relation to specific evidence and trying to get unrestricted access to anything they feel they might want to grab.

        1. PeterGriffin

          I think that is exactly what they are attempting to do. Should they have a valid need for the data they could issue a warrant in Ireland for the data. They haven't. This either means they don't have a valid need for the data or they wish to set a precedent to circumvent international treaties and access any data they wish without appropriate oversight.

          Microsoft will resist and Google and Amazon should be trying to assist them otherwise no one in their right mind will be looking to buy cloud storage or compute services from an American based company.

    2. JimC

      Retrospective - Muddled thinking

      There's nothing retrospective going on at all. They are making a request in the present for something that exists in the present.

      Retrospective would be fining Microsoft for not handing over the data before the new law came into force. Now the new law is in force companies and people are now required to comply with it.

    3. Dal90

      It's not retroactive.

      It's a new warrant, under a new law.

      If they are quibbling about warrants, the was never a "case" that went to trial. So there is no violation of double jeopardy.

  5. Rob D.

    Responding ...

    Countries or regions like the EU with an interest in protecting individual privacy, will rule that for a cloud provider to hold data on individuals there must be regional or country bound stewardship of the data where the cloud provider is able to enforce local protections (such that CLOUD Act warrants cannot be served because the data is not under the control of an entity affected by such a warrant).

    Countries or regions with an interest in extending access to information for government organisations will apply reciprocal arrangements so that, for example, if a cloud provider wishes to operate in the region, they must provide access to any data under their control whether in the region or not.

    IANAL and some of this probably already exists, but this does seem like an awfully big can of worms to write in to the US legislative framework.

    1. big_D

      Re: Responding ...

      The current laws already state that. The data cannot be transferred out of the EU (unless the destination land has equivalent levels or data protection or things like Privacy Shield being an exception) and cannot be handed to third parties, including legal authorities, without a valid EU issued warrant.

      That means it would be illegal for Microsoft US to hand over the data under the CLOUD Act and would leave Microsoft Ireland in a very sticky situation.

      1. Anonymous Coward
        Anonymous Coward

        Re: Responding ...

        Current laws already state that. I know for certain of at least one company, and suspect several more, knowingly breaching that law. The company I know of was audited by the FCA and given a clean bill of health. The FCA simply looked the other way when it came to cloud data storage....

        So the law is worth exactly the paper it is written on.

  6. ratfox

    The case against multinationals

    Slowly but surely, the only option left to EU governments to implement the privacy protections guaranteed by their own laws will be to demand that private data must be held in European data centers operated by independent European companies, which have no need to obey US demands. I'm not sure they will go that far, or that they care enough about our privacy...

    1. John Brown (no body) Silver badge

      Re: The case against multinationals

      which makes Office365 and Google Documents, as used by governments, a bit of an embarrassment when it turns out the USG can slurp it all when they feel like it.

      Some while ago, we got a company wide memo reminding all staff, sales people in particular, to NOT use Google docs etc for business related activities.

  7. adam payne

    "Microsoft no longer has any basis for suggesting that such a warrant is impermissibly extraterritorial because it reaches foreign-stored data, which was the sole contention in its motion to quash... There is thus no longer any live dispute between the parties, and the case is now moot."

    You can not pass laws in your own country and expect all other countries to follow your laws. Sorry but it doesn't work that way. That law doesn't apply to a different country.

    Anyone would think they passed this law to get back at Microsoft.

    1. Daniel von Asmuth
      Alien

      Extraterrestrial clouds

      The government is "unquestionably entitled" to all information stored or transmitted anywhere, rendering moot the word 'extraterritorial'; for the time being this does not apply to extraterrestrial space beyond reach of U.S. missiles and rockets.

      1. Destroy All Monsters Silver badge

        Re: Extraterrestrial clouds

        "for the time being this does not apply to extraterrestrial space beyond reach of U.S. missiles and rockets."

        "There is only little galaxy you have missed ...."

        1. Stevie

          Re: Extraterrestrial clouds

          Aieeee!

    2. Yet Another Anonymous coward Silver badge

      It can expect its laws to apply to all corporations registered in its jurisdiction.

      If foreign laws prevent you complying then you don't do business in those countries.

      This law simply says that MSFT now can't legally work in EU, in the same way it can't operate in cuba, N Korea, Iran etc

  8. Anonymous Coward
    Anonymous Coward

    USA, this is how it works:

    Something on foreign soil, you apply to the courts of that country for a warrant as it's in their sovereign territory.

    It's called due process.

    1. Stevie

      It's called due process.

      But you are forgetting one thing:

      AMERICA! F*CK YEAH!

      1. PeterGriffin

        Re: It's called due process.

        In line with their recent VISA information overreach and immigration policies it's more like: America (TM): F*ck You!

    2. Charles 9

      But what about an asset housed in one country but owned by another, and each claims sovereign rule, the former by power over the ground and the latter by having power over the owner. Which law takes precedence?

  9. Anonymous Coward
    Anonymous Coward

    The EFF has a good piece on this:

    "For example, because U.S.-based companies host and carry much of the world’s Internet traffic, a foreign country that enters one of these executive agreements with the U.S. to could potentially wiretap people located anywhere on the globe (so long as the target of the wiretap is not a U.S. person or located in the United States) without the procedural safeguards of U.S. law typically given to data stored in the United States, such as a warrant, or even notice to the U.S. government. This is an enormous erosion of current data privacy laws."

    https://www.eff.org/deeplinks/2018/02/cloud-act-dangerous-expansion-police-snooping-cross-border-data

    1. onefang

      "For example, because U.S.-based companies host and carry much of the world’s Internet traffic, a foreign country that enters one of these executive agreements with the U.S. to could potentially wiretap people located anywhere on the globe"

      For those outside of USA that like their privacy, Internet routing is about to become much more complicated.

      1. Androgynous Cupboard Silver badge

        Gosh yes, I'll have to stop using telnet and HTTP. Whatever will I replace them with?

  10. Anonymous Coward
    Anonymous Coward

    As America does not give a shit about people (renditions) did anyone really think any different about data?

    https://en.wikipedia.org/wiki/Extraordinary_rendition

    This was only a matter of time.

    1. Stevie

      rendition

      Nonononono.

      Extraordinary Rendition is when you *start* in America but take someone out of it to where American Law doesn't apply and fingernails are optional.

      CLOUD is the reverse. That's where the US drops a legal haywire grenade template over a foreign data center and declares American Law now applies there.

  11. Pascal Monett Silver badge

    Cloud providers can now point to a clear obligation

    to hand over your data as soon as the NSA twitches.

    Seems to me that that is as fine a beacon as any lighthouse in a storm. Keep your data away from US companies, period.

    1. Jason Bloomberg Silver badge
      Big Brother

      Re: Cloud providers can now point to a clear obligation

      Keep your data away from US companies, period.

      Agreed but it's not always easy to do. Virgin Media is owned by Liberty Global so would that make them an American company or not when it comes to American jurisdiction? Even before that VM were using Google to handle their email.

      And we in the UK can only guess what the government is going to give away to the US in their desperate need to secure a trade deal post-brexit.

      1. GrapeBunch

        Re: Cloud providers can now point to a clear obligation

        Yes. I would even use a fictitious Russian company, which I will call rooble, that offered the same facilities as the biggies, and offered decryption for which I and only I held the key. I don't know why every road leads to a USA company. It's just code, otherwise the Internet is, or should be, a level playing service. Why aren't there non-US equivalents? I'm not angry, just puzzled.

        Hackers of many independent nations could do this in their sleep.

        I just checked, and, unbelievably, rooble.com is not taken. rooble.ru is parked and for sale. rooble, like the Russian currency, but also like google with changes in two letters, just so everybody gets it. My apologies to 99% of those who have read this far. And thank you.

  12. Graham 25

    One could still legitimately argue that even though the US says its companies have an obligation to hand over things held overseas, that obligation ends at the border of the US and once the data is overseas the law does not apply.

    Its like giving yourself the right to vote in a foreign country because the US says you can. It means squat overseas and the companies can just take the view that they have no right to do anything overseas as the law stated doesnt apply outside of the US.

    I look forward to the EU demanding a US company hands over Trumps accounts as they can compel the auditors of Trumps estate in the USA using a similar trick.

    1. TheVogon

      "I look forward to the EU demanding a US company hands over Trumps accounts"

      No need to ask a US company. He uses Deutsche Bank.

  13. Brewster's Angle Grinder Silver badge
    Gimp

    Dear El Reg,

    I kept reading this as the "CLOWN-act". I don't know why.

    Yours etc...

  14. Neil Barnes Silver badge

    Remind me again

    Exactly *where* are the US borders?

    1. Anonymous Coward
      Anonymous Coward

      Re: Remind me again

      >Exactly *where* are the US borders?

      Apparently they don't have any unless you are Mexican and that one works like a diode.

    2. Anonymous Coward
      Anonymous Coward

      Re: Remind me again

      > Remind me again

      > Exactly *where* are the US borders?

      100 miles inside of the physical border or international entry point, all the way to the other side...

  15. Aqua Marina

    If MS Ireland were on the ball, they will have already involved the Irish equivalent of the ICO (EICO?). If they havent I'm sure some well meaning citizens could inform the EICO that the US government is trying to force an EU based company to break EU law. That should pretty much stale-mate it as EU execs would ultimately be liable if they allow the US company to trawl their systems.

    1. Charles 9

      Bit if the EU execs can be overruled by the home office's board, then you put them between Scylla and Charybdis.

  16. Franco Bronze badge

    That sound you all heard was the cloud bubble bursting, because if this does get applied in this case all of those cloud migration projects that have been going on are getting swiftly reversed.

    Pretty sure EDPR/GDPR will essentially make the use of a US based cloud provider illegal

    1. SImon Hobson Bronze badge

      Pretty sure EDPR/GDPR will essentially make the use of a US based cloud provider illegal

      It already is, it's just that Privacy Shield Figleaf hasn't yet been declared invalid/incompatible with European data protection laws. But when GDPR comes in, it will be "somewhat harder" to say that Privacy Figleaf + US Law complies.

  17. Stevie

    Bah!

    Collecting Loads Of Unspecified Data fits better and is more descriptive.

    1. Franco Bronze badge

      Re: Bah!

      Isn't that Facebook's new marketing slogan?

      1. DavidRa

        Re: Bah!

        > Isn't that Facebook's new marketing slogan?

        It's hardly "new" at this point.

  18. Malcolm Weir

    I think the inevitable side effect of this (and the similar problematic but well intentioned SESTA/FOSTA nonsense) will be the the US tech giants will look to become "jurisdiction exiles" (like tax exiles, but not about tax).

    So Google might become something like a Nevis corporation, with subsidiaries in the US, Canada, the EU, the UK, etc. The US subsidiary does is "just" a sibling to the EU one, so no-one in the US has "control" over the EU data centers.

    The exact and precise model to follow is the "flags of convenience" practice used in commercial shipping...

    1. rh587 Silver badge

      The exact and precise model to follow is the "flags of convenience" practice used in commercial shipping...

      Ikea would also be an interesting case study.

      Ikea's based in Sweden right? Except it's headquartered in the Netherlands.

      In fact... check this out.

      The [Stichting INGKA Foundation] owns the private Dutch company INGKA Holding, based in Leiden (NL), which is the holding company that controls 315 of the 360 outlets of IKEA. INGKA does not own the IKEA franchise and trademark; these are owned by Inter IKEA Systems B.V. in Delft, also in the Netherlands, which receives 3% of all IKEA revenues in royalties. Inter IKEA Systems is owned by Inter IKEA Holding, registered in Luxembourg, which is controlled, in turn, by Interogo Foundation, a Liechtenstein foundation...

      It's an incredible tax-avoidance structure which also integrates anti-takeover mechanisms. The article doesn't mention who owns or controls the other 45 stores, and doesn't even touch on the Swedish design studios and purchasing departments who actually design and order the product that is sold by INGKA Holding.

  19. Mike Moyle

    I'm going to go out on a limb and guess that Microsoft's response is going to come from the Ireland business unit saying that they are waiting for clarification from the EDPB re: their duty as a business operating in Europe and holding data on EU citizens. That should stall things for another couple of years, at least.

  20. Anonymous Coward
    Anonymous Coward

    The "It's Not Cloudy In The Cayman Islands" Work-Around for the CLOUD Act

    1) Encrypt the data. Store it anywhere you like.

    2) Encrypt the keys, and store the encrypted keys anywhere you like.

    3) Hand the 'Key Encryption Keys' over to an external person-in-trust.

    The Person-in-trust has to be outside direct control of the Corporation. Kinda like a Team of Lawyers in the Cayman Islands, operating under a strict predefined contract that cannot be overruled. The KEKs might be hashed and RAID-like smeared over a wide group.

    1. Doctor Syntax Silver badge

      Re: The "It's Not Cloudy In The Cayman Islands" Work-Around for the CLOUD Act

      "Hand the 'Key Encryption Keys' over to an external person-in-trust."

      This is vaguely what happens in MS's German setup. I haven't read of them doing that elsewhere. I'd have thought they'd have rolled that out everywhere else in the EU starting in Ireland.

      Or go a bit more drastic.

      1. Have non-US citizens set up a company in a privacy-favouring country.

      2. Hand over to the new comapny the the operation of the non-US DCs as a franchise operation with strict contract conditions forbidding MS any access that would break local laws.

      3. Separate off US sales and operations as a local US franchise in the same way. Likewise, separate any other stuff such as development that they want to stay in the US into a local company that provides such services under contract.

      4. The non-US company takes over Microsoft Corporation on a share exchange. In effect the former MS shareholders become the shareholders of the new corporation which holds all MS's IP etc, which is listed on a non-US stock exchange and which isn't subject to US legislation and doesn't pay US taxes. Only the rump businesses in the US are subject to US law and taxes. Any MS officers who don't want to move overseas can become officers of the rump businesses; the fees paid by the non-US MS can cover their pay but they don't get to order about the new non-US business and can't be used by the US to coerce that business.

      5. Other US corporations look at the arrangements, realise it's the way to do business with the world at large and follow suit.

      6. Nice little tech industry you had there, US. Pity something nasty happened to it.

      1. Charles 9

        Re: The "It's Not Cloudy In The Cayman Islands" Work-Around for the CLOUD Act

        The hitch in your plan is that (4) requires government consent. Microsoft is publicly traded, meaning the SEC gets involved. They could see through the scheme and balk.

  21. Anonymous Coward
    Anonymous Coward

    the catholic church two step

    A few year back, when the catholic priests in America were being exposed. there was a threat of legal action against the church due to the fact that the church knew about it and actively covered it up

    Knowing the way courts in America hand out compensation based on how much the perp has, then the wealth of the Vatican was in danger.

    They then separated into The Roman catholic church and The Catholic Church of America, and the Vatican gave the Catholic Church of America a few million in its kitty. The compensation claims were levied against the Catholic Church of America and the Vatican was protected.

    So, all a company needs to do, is separate its businesses from each other in different territories. for example Microsoft USA and Microsoft EU. Two totally different companies who do not operate in each others territories or hold any data in each others territories. . Both companies buy the products they sell from a third company say Microsoft Global.

    There is nothing to stop someone travelling to Europe from the USA and buying or signing up for a service and access that service from the USA. I don't believe the CLOUD act would compel Microsoft EU to hand over data without applying for a warrant in the EU...

    Its a lot of fucking about, but if the company truly had any thoughts on peoples privacy then they would do something like that. For example, if Microsoft did this and google did not, then I am almost certain anyone in the EU that valued privacy from the US spooks would stop using gmail and go with Microsoft offerings.....

    1. Charles 9

      Re: the catholic church two step

      But you would think the US government would get wise to the scheme and jump in, especially with the protectionist mindset in force in Washington today.

  22. whitepines
    Mushroom

    Surprise, surprise. How long have people here known that the only way to actually keep data private is to own the hardware and software both, then keep it out of a privacy-unfriendly jurisdiction?

    The middle and latter bits are easy, use Linux, keep the hardware in the EU. The former bit is somewhat harder as it requires you move off of Intel and AMD (they retain access to the hardware via firmware bits and can be compelled to hand things over), and also modern ARM where the same general firmware is present ("for your safety", of course....)

    The big question is, will anyone bother to purchase secureable systems, or somehow try to just get away with flaunting the GDPR? I know what'll happen first, and I hope some seriously stiff (business-destroying) fines are levied as a result...

    1. Chronos

      rms (he's case sensitive) had the right idea running a Longsoon MIPS64 based notebook long before any of this kicked off. Of course, using EMACS for everything just isn't a road I want to go down.

      1. whitepines
        Linux

        What about one of the ARM Chromebooks (which actually run a normal Linux distro quite nicely)? Or one of the new POWER9 machines if you need a bit more power? MIPS isn't really the best choice for a daily driver...

        1. Chronos

          I wasn't actually suggesting using MIPS.

          The RK3399 based Orange Pi is pretty much all I need in a desktop, barring the still-closed Mali GPU and the Spectre-vulnerable A72 cores. The latter is likely to be mitigated fairly soon with retpolines. The former is the bigger issue. I can't be without 3D graphics as I use things like OpenSCAD and gEDA a lot. Come to think of it, a couple more GiB of memory would be nice. The Rock64 fulfils this requirement but it doesn't have a SATA port.

          I'd really rather not go down the *book road as, generally, the keyboards are pants and they're compromised to fit into the form factor. Starting with a mainboard you get to choose your storage, cooling, noise levels and no sodding embedded batteries welded to the case. Yes, it acts like a UPS and all that rot, I already have 24VDC to the desk and rack from a big-arsed 2kWh reservoir to cope with outages (I have a pair of Banana Pis on fileserver duties) and it seems silly to convert 230V to DC, store it and then occasionally drag it back up to 230 before converting it down again with a SMPSU. All those inefficiencies must add up and DC-DC buck converters are much more efficient than isolated SMPSUs.

    2. Doctor Syntax Silver badge

      "or somehow try to just get away with flaunting the GDPR?"

      Do you mean wave it?

      1. Sierpinski

        If you've got it, flount it?

  23. veti Silver badge

    So, I had a look at the CLOUD Act...

    And it's appalling.

    Under it, Microsoft can try to resist handing over the data if it thinks:

    “(i) that the customer or subscriber is not a United States person and does not reside in the United States; and

    “(ii) that the required disclosure would create a material risk that the provider would violate the laws of a qualifying foreign government.

    If it files such a motion, then a US court will decide whether to grant it - that is, a US court has to interpret the laws of whatever other country is being targeted this week. I'm pretty sure that's unconstitutional, because US courts are only empowered to interpret US laws (Article 3, section 2 of the constitution).

    The mere fact that the request violates a foreign law - is no defence at all. It also has to belong to "a non-US person". How that is supposed to square with the equal protection clause, I'm not sure.

    1. Bronek Kozicki

      Re: So, I had a look at the CLOUD Act...

      I think American lawmakers are trying to build on the success (no, sadly this is not sarcasm) of FATCA , by simply following the model of "if you deal with US persons, you have to deal with US authorities too"

  24. big_D

    Correct...

    – even though it maintains it shouldn't have had to issue one.

    It shouldn't have issued under 2703 in the first place. There was no need for any of this willy waving, there are existing treaties in place, which would have been much faster and more economical for the DoJ.

    They just needed to fill out a form, contact their opposite number in Ireland, have them place it before the Irish court and, if their application had any merit, the Irish court would have ordered Microsoft Ireland to hand over the data.

    That they didn't follow "proper channels" makes it feel like it was a fishing expedition that would not have stood up in an Irish court.

  25. Anonymous Coward
    Linux

    A radical proposal to keep your personal data safe

    "The surveillance imposed on us today is worse than in the Soviet Union. We need laws to stop this data being collected in the first place", Richard Stallman Apr 03 2018

  26. John70

    Cloud Services

    Wonder how this will affect all the US businesses offering cloud services.

    Will people move away from Azure, AWS, etc?

  27. steviebuk Silver badge

    Surely they could....

    ...of got around this by creating a new business that was registered in the EU but based in Ireland and linked to MS. Because it's then not a US registered company, surely US laws can't apply to the data storage arm of MS then, as it would be a separate EU registered company.

    Much how it looks like, I could be wrong, Alphabet was created by a certain company to avoid tax.

    It's Team America - World Police again.

  28. The questioner

    It's retroactive whichever way you cut it

    The law that was in force when the relevant data was created and stored did not enable US law enforcement to get their hands on that data (without a warrant).

    The CLOUD Act purports to reach a different conclusion on the basis of the same set of facts. That's retroactive under any interpretation.

    There would be no retroactivity (in the context of the US legal system) if the new law only applied to data created and stored after the CLOUD Act came into force. But that is clearly not the case here.

    Then there is that pesky issue of Irish and EU laws. Those laws have not changed and require US law enforcement to produce a warrant if it wants to get its hands on the data in question. Whilst the CLOUD Act purports to enable US law enforcement officials to side-step this requirement, that Act is unquestionably irrelevant to the interpretation and enforcement of pre-existing Irish and EU laws... which will continue to require a warrant.

    Set against this context, one has to question the US government's strategy in this case. I mean, why go to such extraordinary lengths (a protracted legal battle with Microsoft, drafting and passing the CLOUD Act, etc.) when the option of obtaining a warrant was there all along?

  29. Anonymous Coward
    Anonymous Coward

    OK, it is no secret that the ultra right-wing has taken over the US Political system and, sadly, much of the Citizenry. Trump, or his advisors, are pushing hard to isolate the US. They don't care whether other countries comply or not. If they comply then the US get everything they want. If don't comply then the US shut them down or out of the US.

    So, the effect is that the US becomes more isolated and Nationalistic. The economy is reduced which makes it even easier for the ultra right to increase its control. The Fascists are firmly in control. If any of the left or center leaning Supreme Court Justices die while there's an ultra right wing President the US Justice system will be shambles for another generation, maybe longer.

    1. Uffish

      First comes Hubris - then comes Nemesis

      Good, old fashioned, observational psychology.

  30. Jove Bronze badge

    So the gist of the outcome is that USA-based tech-giants have gotten what they wanted; legal protect from courts in overseas territories.

  31. Crisp

    "Our rules prevent us from doing something!"

    "Ok! Let's quickly change them to allow us to do what we wanted to do anyway."

    "What should I do with this shed load of unintended consequences?"

  32. Jason Bloomberg Silver badge
    Big Brother

    BoJo sez:

    https://twitter.com/BorisJohnson/status/977269315362844674

    "I thank our US friends for their hard work to pass the #CLOUDAct today: a future UK-US agreement will protect privacy and allow UK and US law enforcement to share data to keep our people safe"

    1. Androgynous Cupboard Silver badge

      Re: BoJo sez:

      No prizes for guessing what he's got planned post-brexit then. "Keep our people safe" - praytell from whom, Boris?

      I have just tweeted him pointing out that as he was himself a US citizen until last year, the US explicitly state that the UK/EU privacy laws are irrelevant and would have claimed access to his global data. Sadly I suspect Boris is output-only and I have just wasted 140 characters.

      1. Anonymous Coward
        Anonymous Coward

        Re: BoJo sez:

        >Sadly I suspect Boris is output-only and I have just wasted 140 characters.

        Up until around 100 years ago, Boris would have found a position as an officer in the British Army. He would probably have been shot by his own men for instigating some futile charge against the enemy that left too many of them dead.

  33. Charles 9

    Waiting for the Nuclear Declaration

    Probably the next thing we should be expecting is some binding declaration from the EU that US law and EU law are now irrevocably at odds with each other, meaning US ownership of EU data is also inherently in violation of GDPR, giving all US companies say 30 days to divest themselves of ALL EU data holdings before it becomes enforced. Forget the trade war with China, let's see what a data embargo with the EU will entail.

    1. Lost it

      Re: Waiting for the Nuclear Declaration

      What? You mean... Turn off GCHQ?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like