Microsoft Dublin Case Highlights Impending Data Privacy “Firestorm”
The U.S. Justice Department is seeking to access emails stored in a Microsoft data center in Ireland which could bring data privacy and regulatory change.
14 September 2015
The "long arm of the law” reaches from Seattle to Dublin, according to the United States Justice Department, and it could set off an “international firestorm,” says lawyers involved in the Microsoft case.
The U.S. Justice Department is seeking to access emails of a U.S. citizen stored in a Microsoft data center in Ireland. At Intralinks, we are watching the outcome of this ruling closely, because governments are already considering regulatory change as a result of this case.
Microsoft vs. U.S. District Court
If you haven’t been keeping up with this case, here is the general gist. The U.S. Justice Department served Microsoft a warrant seeking access to emails that relate to the account of a U.S.-based customer stored in Microsoft’s data center in Ireland. Microsoft is fighting the warrant on two key issues. First, the emails belong to the customer, not Microsoft (the service provider). Second, the data is stored outside of U.S. jurisdiction and is therefore not subject to a U.S. warrant. The potential that this case could easily be appealed all the way to the U.S. Supreme Court is very real. This could result in a sweeping decision over the extent to which U.S. law enforcement can demand access to information, even when that information isn’t located in the U.S. The impact of this decision could be felt by both U.S.-based businesses and those doing business in the U.S.
Impact of Microsoft Ruling on Cloud and SaaS Providers
The outcome of this case is likely to have an international impact on how cloud and SaaS solutions are delivered to consumers and businesses alike. Many countries, notably Germany, are currently working through the development of data privacy laws that will impact the issue of data sovereignty.
The key argument of the government’s case against Microsoft is that the company maintained “control” over the customer’s data in question from the United States. Because of this control, the government argues, that Microsoft is within United States jurisdiction and must hand over the data.
Keep Control Over Your Data
At Intralinks, our SaaS platform is evolving to ensure that its customers maintain control of their content at all times (at rest, in motion and in use). We have both released and are developing advanced features and architecture that allow our customers to maintain unequivocal control over their content in our applications.
For data in use, in October 2014, we launched our plug-in free Information Rights Management (IRM) technology. While IRM has been around for some time, our unique implementation allows the protection of the content without having to download and install additional applications. If you are collaborating with a partner who has restriction on software downloads, that challenge is eliminated with our plug-in free IRM. For data in motion, Intralinks has long led the collaboration market in security with encryption of all data accessed from our platform.
Data at rest is the area that the Microsoft case is likely to impact the most since it specifically speaks to the control of access to the content. In September 2014, Intralinks began offering Customer Managed Encryption Keys (CMK). This solution is positioned to give encryption control to the customer through a hardware and software solution. The logical location of the data is where the encryption keys are stored (i.e. with the data owner), not with the cloud storage provider. In this case, the location of the certificate defines the data location. By using CMK, while providers store and process the data on customers’ behalf, customers maintain full control over the encryption process of their data. Each encryption or decryption request has to use a customer-controlled key and if it is not available, no entity can see the data. In this case, location of the switch to turn the keys “on” or “off” is the logical location, thus allowing or disallowing all access to data.
Pete Brown is the Director of Product Marketing at Intralinks. He has broad industry experience in SaaS applications, with deep expertise in trends and technologies related to information sharing, mobile work and data storage. In his previous role at Sonain, Pete led product marketing for cloud-based email archive with responsibilities including developing market requirements, competitive intelligence and channel enablement programs.