• Defying Feds, MS tries to keep user data private

    #497793


    TOP STORY

    Defying Feds, MS tries to keep user data private

    By Woody Leonhard

    Microsoft is currently fighting a federal search warrant demanding that the company release emails stored in Ireland.

    Here’s why you should be extremely concerned by a U.S. court’s actions — and what you can do about it.


    The full text of this column is posted at windowssecrets.com/top-story/defying-feds-ms-tries-to-keep-user-data-private (paid content, opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.


    • #1480679

      Is the person in question (the one who set up the @msn.com email account) an American citizen or has he/she a non-US identity?
      If he/she is a US person, the court might be right; if he/she is a non-US person, the court should follow the normal international rules for collecting information from abroad.

    • #1480683

      There are far worse examples than Germany – which is a democratic country with a reasonable justice system and reasonable protections for its citizens.

      What about if we substituted a China or North Korea or Russia or … for Germany?

    • #1480698

      Imagine a long piece of paper 8-1/2″ wide that reaches from Broadway in New York City to Dublin, Ireland. Imagine also the paper only has writing on the part of the paper in Ireland. The government issues a lawful subpoena for the paper for the information on it. It is entitled to the entire sheet, as it and the information on it are functionally here. The server in Ireland is not an isolated stand-alone entity. It is part of a huge machine called the internet and is an integral part of the Redmond based machine owned by Microsoft. The data is functionally here and must be turned over.

      • #1480725


        Imagine a long piece of paper 8-1/2″ wide that reaches across the Pacific from Beijing China to San Francisco in the U.S. Imagine also the paper only has writing on the part of the paper in San Francisco. The Communist Chinese government issues a lawful subpoena under Chinese law for the paper for the information on it. It is entitled to the entire sheet, as it and the information on it are functionally in Beijing. The server in San Francisco is not an isolated stand-alone entity. It is part of a huge machine called the internet and is an integral part of any server owned by anybody anywhere. The data is functionally in Beijing and must be turned over.

        Is that what you meant? Are you content with China, North Korea, Iran, or any other nation having access to your information just because it is stored on a server that “is part of a huge machine called the internet”?

        Good luck with that, you may get what you ask for.

        • #1480834

          It is not a question of what I want or don’t want. It is a problem with the way the law is written. The information is on an integral part of the Redmond machine that provides the service. It is not an isolated entity. You cannot access it directly. The information is functionally here. This is the law as it currently stands as I interpret it. I would like the law to be changed through due process and not as a result of some judge deciding what should be over what the law is. If you don’t like the law, contact your representative requesting them to change the law. I will support that.

          • #1480861


            Attention Eclectic1 and edmcguirk: It is about privacy and it is about what we want! Why agree to give away our precious privacy if we do not absolutely have to? And even then we should not. The cry of every oppressed true freedom fighter used to be “Give me freedom or give me death.” The media has been lying to us for so long with their brainwashing nonsense about the masses oppressed by large corporations run by unfeeling white demagogues. In recent riots we see rioters burning and looting small businesses owned by hard working black American entrepreneurs. They too are oppressing the people? Al and Michael (you know who) and his kind would have you believe this. World history shows that one of the hallmarks of a totalitarian system is the loss of all freedoms including privacy. So this is not what we want by any means! This world is heading for a total totalitarian system called a New World Order out of which will come total enslavement by all peoples to a world dictator.

            • #1480919

              Um, all those things might be important but they don’t really have anything to do with this topic. If this whole issue was entirely inside the USA, there would not even be a question about what to do. All the data would have been handed over long ago.

              The whole purpose of a subpoena is to ensure that the law is followed. The police cannot randomly grab anything they want, they have to go before court and justify that their needs are legal. That was all done in this case but there was the little detail that the data happened to be stashed outside of US borders. My belief is that the physical location is not important if the entity with real control of the data is inside the US. If it turns out that the real control is actually outside of the US, then I believe the US courts cannot command it to be delivered. Apparently the current laws do not explicitly state what entity has control and which court has authority across borders. That needs to be thrashed out.

              If you want privacy, encrypt your data. Keep ultimate control inside your own hands. However your right to privacy is not absolute. When an issue goes to court, facts need to be proven and the courts can demand facts to be exposed in court. Sure, there are times when power oversteps its bounds but this issue has nothing to do with privacy, it is only about whether the US courts can claim authority outside of US boundaries (and the reverse, can foreign courts claim authority inside the US).

              If you want to worry about privacy invasion, totalitarianism, oppression, brainwashing, riots, or a New World Order; go ahead, they all sound like real bad things. But real democratic governments with real working legal systems still need to command people to do things they don’t want to do in order to uphold even the good laws. And the enforcement of even the good laws has to stop at the borders but we still need to define where those borders are when some of the control is in the virtual world.

          • #1480922


            In my opinion the current problem is that we don’t know where the border is. The border will be decided by a judge’s interpretation of the current law or he will choose the nearest precedent he thinks is relevant. Either we like which way the judge rules or we don’t. Either way, the lawmakers will probably get involved writing new laws to try to define how we want these issues handled in the future. (write your congressperson)

            I’m not terribly worried about where the border is defined. Wherever it is defined, companies will shift their structure to run their businesses the way they want them to be controlled. People will then decide who they do business with based on the new landscape.

            Maybe new businesses will crop up offering better encryption methods. Once the data is encrypted, the entity who owns the encryption key is where the subpoena gets served. Problem solved. (kidding)

    • #1480752

      Another good reason why all your data on the internet should be encrypted. Not encrypted by some entity that you “trust” but by your own encryption key.

      Ignoring encryption for this topic, what happens if your data is controlled by an American company but the data is dispersed across the internet and does not exist in any particular country? I do not believe that technology is currently deployed but something similar to a torrent could easily encompass that idea. (I believe that it does exist but is not usefully deployed right now)

      I believe that we should not get hung up on where the data technically is stored, we should draw stricter boundaries over what constitutes a company entity. An American company will have to respond to an American subpoena and a German company will have to respond to a German subpoena. We need to have a more formal definition of an American branch of a German company.

      Once we have a firm definition of an American entity that has control of data, they are required to comply with an American subpoena. An American branch of a German company would not have to comply with a German subpoena. The next question would be how to define if an American entity has “control” of data that exists in Ireland.

      Even if you are a foreign person existing completely outside American borders, if you contract data storage with an American company, your data is subject to an American subpoena even if the data is physically stored in some random foreign location.

      It is not about the data, it is about how you define the entity in control of the data. Even if you redefine the question to a physical item in a physical box, it is about who has control of the box and what jurisdiction the entity in control of the box answers to, not where the box physically sits.

      • #1480763

        Media tendency to present alarmist and exaggerated claims with a story and “facts” to back them is usually absent in your articles. Privacy and security issues related to the internet are extremely serious but hyping government involvement as you did seems an overreaction compared to the hacking and data theft occurring.

        Your articles are generally very well reasoned, covering both pros and cons of issues but your argument and entry into the legal “weeds” on this issue greatly exaggerate the threat as compared to unlawful access to our data. Just my thoughts.
        Dan

        • #1480779

          “…your argument and entry into the legal “weeds” on this issue greatly exaggerate the threat as compared to unlawful access to our data.”

          Did you read the references linked to in the article? There’s not much, if any, exaggeration at all. We already know how far-reaching, or over-reaching, the U S government can be, and increasingly is. Why would you think other governments wouldn’t be? Because some Europeans appear to have strong privacy protection? There’s a lot more to the world than Europe. Because no equivalents of Edward Snowden have come forth from other countries? The countries most likely to want the sort of data from the U S that the U S wants from Microsoft are those most likely to execute Snowden-equivalents simply on suspicion. Or maybe they’d just hack into the servers of interest and take what they want.

        • #1480780

          I’ve got very mixed feelings about speaking to my Congressman or Senators about this issue. Congress’s track record when dealing with privacy isn’t all that great, and its record dealing with technology is abysmal. Asking Congress to legislate to fix this situation could easily backfire. I’m not sure I want to take the chance.


    • #1480784

      It is not about privacy. It’s about who has control of the data. Does the US have control over companies with branches outside of the US and on the flip side do foreign countries have control over branches inside the US.

      I think it’s very likely that US government will allow foreign branches to be outside US control in order to claim that US branches are outside of foreign control.

      I think there will be a lot of wrangling over just how far outside US borders the US can control without allowing any foreign control to seep inside US borders.

    • #1480959

      News of Microsoft’s concern for the privacy of users’ information came at about the same time those of us who have used Microsoft Money Portfolio Manager for years got the news that it would be discontinued on December 22. Despite an abundance of protests and cries of dismay from thousands of loyal users of Microsoft products, Microsoft is going ahead with plans to discontinue the Portfolio Manager. They have advised users to migrate their data to Microsoft Money My Watchlist. Problem is that for most of us the migration didn’t work and we lost years of investment data. So much for loyalty to Microsoft.

      • #1482393

        There are several views of this subject covering different sensitive data ownership aspects.
        Although many are important, these are creating “data noise” and obscuring the issue at hand.

        Here are my 2¢ from the perspective of Records Management, Data Privacy, and Compliance.
        – All data and transactions created (regardless of type) are beholden to the local/state/country rules and regulations of where the data or transaction is created.
        – The country hosting the data (or application) does not have ownership or jurisdiction over data & transactions owned or created in other countries.
        – The “CLOUD” is nothing more than a private or public distributed data repository that can span multiple countries.
        – A cloud vendor can and often needs to move data between the cloud servers as performance, capacity, and load balancing needs require.

        Side note: A user best practice would be to encrypt any and all data on host services (cloud, etc…).

        Summary:
        1. If the account owner created the information in question while under U.S. jurisdiction (in-country) then a properly issued U.S. warrant needs to be complied with regardless where the actual data is stored or being hosted in the cloud or otherwise.
        2. If the account owner misstated or lied about its home location (where the account owner is actually creating the data/transactions), then a brief investigation to determine the actual data/transaction origination is necessary before proper country jurisdiction can be identified and followed.

        GeorgeMM

      • #1482696

        From the legal standpoint, the internet is just a series of tubes, so it should have the same regulatory standpoint as, say, the Keystone pipeline. Once the pipeline is installed, the oil at the other end is ours, and we can legally commandeer it. That part I’m sure is clear to everyone. But the idea that Canada would somehow have legal claim to the refinery at our end of the pipeline is just silly nonsense. You can’t send a refinery through a pipeline, especially one as skinny as CAT5. I think it is safe to say we can trust our government has this clear level of understanding and we can expect them to take appropriate actions without ordinary citizens getting involved.

    • #1481125

      Kudos to Woody for highlighting this issue — and thanks, too, to those who’ve contributed to the debate on this thread. I just thought I’d drop by with a non-US perspective, seeing as how I’m (a) a UK citizen and (b) have travelled extensively around the USA these past 40 years, on which basis I have to say:

      Do the law makers involved here have not an iota of self-awareness? Have they no insight — at all — into how the wider world has so often perceived the USA as a law unto itself? Have they never once heard the jibe that the USA is *not* the World’s Policeman?

      Evidently not. God’s sakes, if there was anything more un-American and less consistent with the nature, the spirit, of all the ‘ordinary’ Americans I’ve come to know over those decades, then it’s this wholly unnecessary excursion into the supra-legal.

      Though it’d be absurd to attempt to draw any actual parallels between North Korea’s current behaviour and the legal action going on here with Microsoft, there’s nevertheless an unfortunate and unavoidable resonance: about interference; about unwarranted extension of influence; about. . . Paranoia.

      I don’t have much time for Redmond any more than I do for any other megabucks corporation, but on this particular issue I find myself siding with Microsoft. . . which, when I come to think about it, is arguably the most persuasive evidence of the extent to which this issue is being so mishandled when it could as easily have been addressed behind the scenes.

      Europe’s lawmakers are as alive to the dangers of this post-9/11 world as any in the USA; there’s no argument that a security threat to one Western country is very much a security threat to all others. But there’s no evidence of Western security being in hazard in this case. Until there is, US lawmakers would be well advised to think rather more about covert diplomacy and less about overt confrontation — and have a darn sight more regard to the USA’s international reputation, too.

    • #1481151

      I’d be obliged if you’d explain exactly what your point is, as I’m confused to say the least.

    • #1482402

      I don’t know that I completely agree with the idea of assigning an authority based solely on the transaction location.

      Laws govern people and they can only assert authority over people who are under their control. Companies are extensions of people and are still controlled through the people who the law can control. (under threat of arrest and imprisonment)

      When I create a data transaction, where is the transaction located? At my terminal or distributed across however many servers in however many locations the transaction might be distributed across?

      Ultimately the law has to direct people to take actions that they can be held responsible for. The law needs to make a distinction between the person who has remote control of data and a local person who might not have control of the data but does have control of the physical disk drives.

      If a company has set up a hierarchy supporting data in another country, it is the hierarchical support in this country that is subject to this country’s laws. If the entire data support is in another country, then I don’t think this country can assert authority over the data even if the data support in another country is a subsidiary of a company in this country. But that is a legal distinction I don’t think has been officially decided yet.

      There clearly needs to be a line drawn. This country can control anything on this side of the line. There seems to be a disagreement over just where the line legally exists now and where the line should be in the future.

      Of course the US law enforcers and the US prosecutors want authority over everything. It is not until somebody points out that the legal standing of US authority is a model for any other country’s claims to authority inside the US. I think that the US court system will allow US authority to end right about where the US is willing to allow foreign authority to encroach.

      On some level this might seem like a simple question but there are so many related issues following right behind.

      If you want to talk about privacy, what should happen if my global company wants to charge internal phone calls back to the local departments but I am not allowed to see call records for the departments in Switzerland because even just the billing records are considered private and cannot cross international borders even if it is all inside one company.

      Or what about a global company that just wants to fire all expensive employees and move the data processing to a country where technical labor is much cheaper. Should jobs be protected by not allowing data to cross borders? Should a global company be forced to duplicate each data department in each separate country even if it could be more efficiently done in one place?

      Should a company be allowed to send data off to another country just to avoid this country’s legal requirements? How do you prove the intention when the data was sent?

      Where are the borders and what should be allowed to cross borders are questions that will keep lawyers busy for years.

    • #1482778

      “Trust government to take appropriate action”.
      Thanks for starting 2015 with a good laugh.

      cheers, Paul

      • #1482790

        “Trust government to take appropriate [to said Govt] action.”
        –according to the movie Outbreak, with Dustin Hoffman.

        "Take care of thy backups and thy restores shall take care of thee." Ben Franklin, revisited
