Federal Ruling Means Overseas Data Is Vulnerable

Microsoft was told it must hand over international customer emails. For organizations that have concerns about data privacy, consider customer managed keys.

5 August 2014

main rain ocean umbrella

A federal judge told Microsoft it must hand over customer emails held in an Irish data center, The New York Times reports. Federal prosecutors, armed with a search warrant, want Microsoft to give them these emails to pursue a criminal case.

Microsoft’s lawyers have been fighting the warrant since a federal magistrate granted it last year. But on Thursday, U.S. District Judge for the Southern District of New York Loretta A. Preska upheld the original warrant. Microsoft is appealing, and Preska agreed to stay the order for the time being.

“This type of ruling is going to open up a Pandora’s box of concerns by European countries,” lawyer Craig A. Newman told the Times.

Unprecedented Legal Fight

It’s possible that this is the first time an American firm has fought a domestic search warrant seeking overseas information, the Times suggests. This potentially trend-setting ruling does not bode well for cloud providers who want to protect their clients’ right to privacy. (Concerned customers may want to work with their cloud providers to develop a risk management framework and set of controls for data protection.)

Neither the nature of the investigation nor the nationality of the Microsoft client is public. But as we noted previously, Microsoft had particular reasons to create this European Union storage facility. For one, it would allow local privacy regulations to protect the EU customers’ data housed there. But given Preska’s ruling, that may not be the case.

Geography Does Not Guarantee Privacy

But Preska’s call won’t just frustrate Microsoft’s attempt to serve its customers. In the long run, it may also affect any business using cloud-based file sharing and collaboration solutions. If Microsoft’s appeal fails, information and content housed in data centers outside of the United States may be permanently accessible to federal government and law enforcement officials.

So there’s a strong chance content location won’t protect data privacy. So what are we to do? At this point in the discussion, we’d again like to suggest customer empowerment. For organizations that have strong concerns about data privacy, Intralinks advocates providing data owners with sole access to their own encryption keys.

Customer Managed Keys Protect Data

Such customer managed keys (CMKs) can ensure that only data owners have access to decrypted files. The cloud provider is unable to decrypt the files — unless the customer grants the vendor key access. A government agency must ask the data owner directly for the right to view the content. Possibly, if Microsoft had implemented this approach, it might have avoided having this day in court completely.

Are you interested in learning more about data protection through CMKs? Click here to read on.

Marc Songini

Marc Songini

Marc Songini has worked in the information technology field for more than 16 years. His roles have included those of journalist, analyst, and marketing communications specialist. He admits that when he started out as a cub high tech reporter, Netscape was still rocking the industry with a wondrous new user interface called a “browser.” During his 10 years with International Data Group (IDG), Marc wrote for NetworkWorld and Computerworld, both award-winning magazines. Marc specializes in cloud, enterprise apps, and figuring out the meaning of being human in an automated world.