US Court Forces Microsoft to Provide Data on Foreign Servers: How to Keep Cloud Data Safe
This week, a US court determined that a search warrant issued in the US is sufficient to access data that is housed offshore in another jurisdiction.
2 May 2014
This week, a US court determined that a search warrant issued in the US is sufficient to access data that is housed offshore in another jurisdiction, putting US authorities in deeper conflict with foreign laws, especially data privacy laws in the European Union. The case involved Microsoft®, Inc., who was asked to hand over emails stored in Ireland. Microsoft argued that the data was outside the jurisdiction of the warrant, but a US federal court disagreed. Microsoft is appealing the decision.
Like many US companies, Microsoft had deliberately created a European-based data storage facility for European Union citizens, with the presumption that data housed within the jurisdiction of the EU would safely fall under local privacy regulations. Based on the Federal court’s ruling, this may offer very little protection.
The case has profound implications for organizations using cloud-based file sharing and collaboration solutions. If the Federal court’s decision is upheld, then data that is housed outside US territories could still be subject to access by the US government and law enforcement officials.
Organizations using cloud-based file sync and share solutions have reason to be concerned. Much of the data shared using these services are subject to strict data privacy regulations. And users of these services may have a reasonable presumption that their data is being kept private. What’s the solution?
First, we should applaud Microsoft for fighting the search warrant. Only a company with Microsoft’s resources and global presence has a reasonable prospect of getting this court decision overturned.
Second, the presumption that data location provides privacy protections is clearly at risk. Organizations need to look for additional protections for their data. One answer, which we advocate, is to provide data owners with sole access to data encryption keys. Customer managed encryption keys make sure that only the key holders have the ability to access decrypted files. Implemented correctly, the cloud provider would have no technical capability to decrypt the files if customer removes their master key(s). Under those circumstances, if a government agency were to then request data access from a cloud file storage provider, they would have no ability to provide the data. Only the data owner would be able to respond to the request. If Microsoft had used this technology, they may have avoided the warrant’s request altogether.
Ian Bruce is the VP of Corporate Communications at Intralinks. He has 20 years of international marketing experience across software, hardware, consulting, and financial services at both VC-backed start-ups and large multinationals. Prior to joining Intralinks, Ian held various marketing and communications roles at Avid Technology, HP, Novell, Systinet, and CSC.