U.S. vs The World in Regards to Cloud Storage

Security_Guest Absent Member.

Guest post by Phil Smith III, distinguished technologist and Senior Architect & Product Manager, Mainframe & Enterprise, at Micro Focus. 

A couple of weeks ago, the U.S. Supreme Court heard arguments in a case fascinating to privacy geeks, “United States vs Microsoft”. The conflict is centered on whether the Stored Communications Act (SCA) of 1986, which states that companies must turn over email and other stored communications (with appropriate warrants), applies when the data is stored overseas.

Microsoft maintains that data not in the U.S. is not subject to U.S. law. The government maintains that this is a shuck: if Microsoft prevails, a company can move data offshore to place it beyond government reach. The government also asserts that a lower court decision finding that the SCA did not apply to overseas data storage essentially makes the Act meaningless, and seriously impairs the government's ability to investigate crimes.

Both sides seem to have some validity, which is why this made it to SCOTUS. Obvious reactions such as “Why would the U.S. have rights to data on foreign-based servers, which are presumably subject to foreign laws?” seem overly simplistic. The logical extension of this policy would be to base all corporate data overseas, perhaps spread across multiple countries. This would ensure that even with reciprocal agreements or pressure from the U.S., no one country’s law enforcement organizations could access the data anyway. There may even be countries where local laws would shield companies from such forced data handover (particularly if the data involves citizens of those countries who are doing business with a U.S. corporation), and short of declaring war on these countries, any U.S. legal stance may be meaningless.

When the SCA passed back in 1986, of course, there was no commercial Internet, no cloud storage, and by modern standards, barely any overseas data transmission or even data storage, so it can hardly be faulted for not having foreseen the issue. A bill now pending before Congress, the CLOUD Act (a somewhat tortured acronym, full name “Clarifying Lawful Overseas Use of Data”) is intended to clarify the situation, but may not be able to solve it fully, and likely wouldn’t help this case retroactively.

Comments on this article titled “Supreme Court to decide if US has right to data on world’s servers,” as well as on the Wired piece linked above are worth reading, as is this article titled, “Microsoft still refusing to hand over private email data stored in Ireland”, which includes glimpses into the thinking of some Justices as they heard oral arguments.
