A United States court issues an order to Microsoft, requiring them to turn over data from a suspected drug dealer. No big deal, right? What if that data is stored in the cloud, technically on a server in Dublin, Ireland? Can that court order reach into the ephemeral cloud, and across political borders into a physical server in a foreign country?
That's the issue being debated in this landmark case, creatively captioned In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained By Microsoft Corporation. (We'll stick with In re: MS Email.) Here are the five biggest things at stake in the case:
Where Does a Search of Cloud Storage Occur? in his initial ruling, the magistrate judge held that the search occurred when the data is read by federal agents. Since the order, pursuant to the Electronic Communications Privacy Act of 1986 (ECPA), is a sort of hybrid warrant-subpoena, where Microsoft pulls its own data and turns it over in response to a probable cause-backed court order, the judge felt that the search didn't occur until the data was put in the hands of, and read by, federal agents, reports TheWashington Post. Microsoft, of course, argues that the search occurs when the data is pulled off the servers, which can be located worldwide (in this case, Dublin, Ireland).
Efficient Administration of Justice. Microsoft wants the government to comply with mutual assistance treaties and to respect the sovereignty of foreign nations. (Ireland does too, according to Ars Technica.) The government points out that data servers are located all across the world, and if they have to negotiate a data treaty with every single country, and obtain court orders according to each country's laws, they'll never actually get around to doing their job: prosecuting criminals. Microsoft alone has around 100 data centers in 40 countries.
Faith in the U.S. Tech Industry. A non-legal issue is the viability of the U.S. tech industry, especially in regards to data storage. If the government gets its wish, it'll be able to obtain data from any server in the world that has a connection to a U.S. company, all on the basis of a U.S. court order, which itself comes from a law that was passed during the Reagan administration -- when computers ran on floppy disks. It'll also have a ripple effect on the tech industry: anyone seeking data privacy, at home and especially abroad, will turn to foreign competitors that aren't subject to the U.S.'s antiquated laws.
Ripple Effect. A Verizon friend of the court brief [PDF] notes that a decision in the government's favor could cost U.S. companies billions of dollars, would lead to U.S. court orders conflicting with other countries' data laws, and might lead to foreign countries reciprocating and removing protections for U.S. customers' data stored in their own countries.
Updated Laws. Of course, the ideal outcome would be this: a long-overdue update to antiquated 1980s data laws, such as the aforementioned ECPA, the Stored Communications Act, and more. Law written when data was stored on punch cards or 5.25-inch floppies have no place in the era of all-cloud-everything.
For more on why this case is so incredibly important, check out Orin Kerr's piece for the Post.