During a May meeting with a group of CIOs in Berlin Microsoft General Counsel Brad Smith witnessed something unusual: a CIO for a German state came in carrying a copy of a legal decision. It was a magistrate’s decision in a federal court in New York on the question of whether the U.S. government could get unilateral access to data in a data center outside the U.S. with a warrant and without knowledge of the data’s owner.
The decision was in the government’s favor, and the CIO said that until it was changed, there wasn’t even a remote possibility that his organization would contemplate putting its data in any American company’s data center, Smith recalled. He told the story while presenting at the GigaOm Structure conference in San Francisco earlier this month.
“At one level, that is part of what is at stake here,” Smith said about Microsoft’s current court battle with the government over access to a customer’s data stored in its data center in Dublin, Ireland. The legal opinion the German CIO brought to the meeting ordered Microsoft to comply with a U.S. law enforcement warrant, asking it to hand over the data.
Microsoft has support in data privacy protection fight
As Microsoft continues challenging the government on the issue, other U.S. tech giants have joined it. They include Apple, Cisco, Verizon and AT&T, among others, arguing that the power of a U.S. warrant does not extend beyond U.S. borders, and that includes data stored overseas by U.S. companies.
U.S. technology companies’ ability to retain their historic leadership in the market is at stake, Smith said. If customers don’t trust them to protect their data, they simply will not use their products and services.
Data center providers not taking sides
There is another group of U.S. companies on whom the judge’s decision has direct impact: data center providers. So far, however, this group has generally chosen to remain uninvolved.
Redwood City, California-based Equinix, the world’s largest data center colocation company, for example, has taken a neutral position. An Equinix spokesperson sent us a statement acknowledging that this was a crucial time for the industry, but chose not to comment on Microsoft’s case.
“We’re in the business of enabling the Internet and ensuring that our customers can satisfy the most stringent data sovereignty requirements,” the statement read. “We work around the world to respect local regulations and our commitment is to stay apolitical in these matters.”
The response of CenturyLink, a major colocation, hosting and cloud infrastructure service provider, was along similar lines: “U.S. law enforcement warrants extending to overseas operations, owned by U.S.-based companies, is an important issue and we are watching the case closely.”
CenturyLink competitor Internap chose to pass on commenting altogether, and representatives of CyrusOne did not respond to a request for comment.
Rackspace sides with Microsoft
One exception was Rackspace, the Texas-based provider whose vice president and associate general counsel Perry Robinson wrote us a note saying the New York magistrate’s decision in Microsoft’s case was disappointing. “Rackspace believes that those laws that prohibit a U.S. law enforcement agency from executing a U.S. warrant to search physical property located in another country apply equally to digital property which is located in another country,” Robinson wrote.
“We continue to operate under the belief that we are prohibited from accessing and disclosing customer data stored on servers or storage devices in our data centers without a properly issued, lawful request from a court with jurisdiction over both Rackspace and the data sought. We will oppose any court orders for customer data that does not adhere to the fourth amendment.”
Not my data – not my problem
It is possible that some data center providers that choose not to voice an official opinion on the matter are standing back because they do not own the servers or the data that sits in their data centers. Jelle Frank van der Zwet, global marketing manager at Interxion, a Holland-based colocation giant, said that while a provider may have an opinion on the matter, they do not necessarily have a role to play in it.
In many countries in Europe, he said, laws do not make data center providers responsible for their customers’ data. “When it comes within our [realm of responsibility] is the moment a policeman knocks on the door and says ‘I need that server,’” he said.
In such cases, local law will apply, depending on the country. “In Switzerland, under certain circumstances, we probably have the right to say ‘no’ to get into the data center,” van der Zwet said. “In other countries we just have to.”
Key law is 30 years old
In Microsoft’s case, however, the U.S. government is requesting data stored outside of the U.S. without regard for local laws. Microsoft would like to have the ability to stay neutral, to keep the issue between the government and the individual whose data the government is seeking, but it lost that ability when it was served with the warrant.
Microsoft and its supporters are pushing for reform. The key piece of legislation, the Electronic Communications Privacy Act, was enacted in 1986 to address a very different technological era. The law did not foresee that people and businesses would eventually start storing their data outside their homes or offices.
“If we’re going to retain the trust in U.S. technology, we need to answer some fundamental questions,” Smith said.
The first question is whether the government can get access to a person’s data without their knowledge. Another question (which has direct impact on data center providers, since it is a question that bothers enterprises) is what happens when there is no criminal case and the government serves a subpoena?
“Our answer is serve the subpoena on the customer, not on the data center or the service provider,” Smith said. “Don’t put the data center provider in the middle and especially don’t do it in a context where the data center provider can’t even let the customer know.”