US Effort to Grab Data from Microsoft in Ireland Should Frighten All Firms Using the Cloud Overseas

[Commentary] Does your company have staff or facilities overseas? Do you use cloud services from Amazon, Google, Microsoft, Salesforce, DropBox and other leading providers? Then, in all likelihood some of your data is stored overseas, because in order to reduce network latency most of the big cloud providers now operate data centers in Europe and Asia in addition to the U.S. In the wake of the Snowden revelations, many analysts predicted overseas customers would become hesitant to use cloud providers subject to US jurisdiction. But these predictions have not come true. But now, a legal battle pitting Microsoft against the Justice Department raises fundamental questions that all CIOs should pay close attention to. For U.S. federal prosecutors now consider that virtually all data stored overseas may be theirs for the taking with a simple warrant. The cloud provider need not even be American. So long as it is subject to US jurisdiction, the prosecutors believe they can compel the provider to rifle through its overseas sites and hand over any data. The providers may not even be allowed to tell you they are going behind your back to disclose your information. Foreign laws that forbid such disclosure don’t matter. Nor do overseas employees’ or customers’ expectations of confidentiality.

What is certain is that the impact of the ruling will reach far beyond Microsoft. One way or another, the warrant case will likely end up before the Supreme Court. In the long run, however, it is the responsibility of Congress to revise the outdated SCA and ECPA statutes. These laws must be brought into the Internet age in a way that protects the rights of enterprise cloud customers as well as those of U.S. and foreign citizens from no-holds-barred U.S. prosecutors and compliant judges with little understanding of technology.

[Jeff Gould is president of SafeGov.org and CEO and director of research at Peerstone Research]