Google, Unlike Microsoft, Must Turn Over Foreign Emails, Rules Judge

Every year Google receives more than 25,000 requests from U.S. authorities for "disclosures of user data in criminal matters," according to a U.S. judge's recent ruling. But this one is different. An anonymous reader quotes Reuters: A U.S. judge has ordered Google to comply with search warrants seeking customer emails stored outside the U.S., diverging from a federal appeals court that reached the opposite conclusion in a similar case involving Microsoft. U.S. Magistrate Judge Thomas Rueter in Philadelphia ruled on Friday that transferring emails from a foreign server so FBI agents could review them locally as part of a domestic fraud probe did not qualify as a seizure...because there was "no meaningful interference" with the account holder's "possessory interest" in the data sought.

"Though the retrieval of the electronic data by Google from its multiple data centers abroad has the potential for an invasion of privacy, the actual infringement of privacy occurs at the time of disclosure in the United States," Rueter wrote... The ruling came less than seven months after the 2nd U.S. Circuit Court of Appeals in New York said Microsoft could not be forced to turn over emails stored on a server in Dublin, Ireland that U.S. investigators sought in a narcotics case.
Google announced they'd appeal the case, saying "We will continue to push back on overbroad warrants."

Re:

[Lordpidey]

Psst: constitutional ammendments never go to the president.

Re:

[Anonymous Coward]

Nearly impossible

That's a feature, not a bug.

**AA should be concerned

[beuges]

If retrieving a copy of an email while leaving the original intact creates "no meaningful interference" with the account holder's "possessory interest" of that email, how long before this ruling is used as a defence against the RIAA and MPAA's copyright infringement efforts?

Since making a copy of a movie does not create a meaningful interference with the account holder's possessory interest of the movie, surely it can't be worth all those lawsuits?

Re:

[vel-ex-tech]

Yes, thank you. While this isn't a nice consequence of "copying isn't theft," one would hope that we could have nice things....

Re:

[jezwel]

Since making a copy of a movie does not create a meaningful interference with the account holder's possessory interest of the movie, surely it can't be worth all those lawsuits?

Guess they would need to ping you for making that copy available (if you do, ie by BitTorrent), as that *does* create a meaningful interference - potential loss of income.

Re:Constutution

[thsths]

And this is one of the reasons we are moving to Microsoft for our email and file storage. I have no idea why the 4th amendment only applies to Microsoft, not to Google, but so be it.

Of course according to Trump, aliens are not people. I wonder whether he can find a corrupt judge to support that argument.

Re:Constutution

[hawguy]

And this is one of the reasons we are moving to Microsoft for our email and file storage. I have no idea why the 4th amendment only applies to Microsoft, not to Google, but so be it.

If you're worried about the government reading your emails, why risk using a USA company at all? Use a company that has no USA presence at all. Or better, roll your own offshore and control your own encryption keys.

Of course according to Trump, aliens are not people. I wonder whether he can find a corrupt judge to support that argument.

He's right there... aliens aren't always people, sometimes they are lizards [hollywood.com], sometimes they are amorphous blobs [wikimedia.org]

Re:Constutution

[currently_awake]

I would suggest Microsoft Corporation has a "Working Business Relationship" with the US Government, that grants them more leeway in such matters.

Re:

[StevenMaurer]

Your suggestion presumes that the "US Government" is a monolithic entity, which it's not. Even the judiciary isn't completely in sync with itself.

Re:

[l0n3s0m3phr34k]

My company company is doing the same thing. We're going with an EU-based 365 tenancy, specifically in Ireland were our corporate headquarters are. Yet, having to do a migration of 300 users across three countries is not going to be fun.

Re:

[Geeky]

Is it basically the Google store your emails anywhere - might be in the US, might not, might move around?

In the Microsoft case, wasn't it Microsoft Ireland, an Irish registered subsiduary, holding the data in an Irish datacentre (and only an Irish datacentre)? To comply with the court order, Microsoft Ireland would have had to break Irish/EU data protection laws.

At least, that's my understanding of the difference.

I can't think of a good subject

[Anonymous Coward]

"no meaningful interference with the account holder's possessory interest" WTF?

I'll just leave this here:
https://www.youtube.com/watch?v=GyV_UG60dD4

Re:

[Anonymous Coward]

No your honour, doing it in the ass does not count as sex.

Re:

[lgw]

"no meaningful interference with the account holder's possessory interest" WTF?

I believe a federal judge just ruled that "copying isn't theft, since the owner still has his copy". I know I've heard that argument before somewhere. Interesting precedent.

Re:I can't think of a good subject

[drinkypoo]

I believe a federal judge just ruled that "copying isn't theft, since the owner still has his copy". I know I've heard that argument before somewhere. Interesting precedent.

Only a minority of joe schmoes believe that copyright infringement is theft. Everyone else, including federal prosecutors, know that it is not. That's why we have laws addressing copyright infringement; if it were theft, you wouldn't need any new laws to prosecute offenders, because we already have laws addressing theft.

Re:

[lgw]

It's almost as if we need laws protecting privacy, since if it were theft the 4th amendment would work properly here. Sadly, we seem to have lost the spirit of Constitutional Amendments.

Re:

[johanw]

Well, they both have in common that they are American companies. It would be more reliable to have your mail handled by a Russian server, the Russians are probably not going to cooperate with the FBI. They might snoop themselves of course, but the Russians don't care if I pirate American movies or oder pot.

Encryption... the only solution

[Anonymous Coward]

The only good and somewhat permanent solution to this would be for Google, Microsoft, etc to encrypt the e-mails end-to-end and in storage as well, so that nobody, not even them, can see what they contain. Unfortunately, doing so would remove their ability to data mine and monetize the contents of the e-mails and so they will never do this. Hence the ultimate answer will come from another direction, someone who takes over their roles as major e-mail providers but is not interested in mining the contents o

Re:

[fox171171]

The only good and somewhat permanent solution to this would be for Google, Microsoft, etc to encrypt the e-mails end-to-end and in storage as well, so that nobody, not even them, can see what they contain. Unfortunately, doing so would remove their ability to data mine and monetize the contents of the e-mails and so they will never do this. Hence the ultimate answer will come from another direction, someone who takes over their roles as major e-mail providers but is not interested in mining the contents of the e-mails. This likely will have to be some form of non-profit entity or at least a non-free e-mail service.

It is not the only solution. Likely the best solution, but since they won't do it, it is not really a solution at all in this case.

So another possibility is, sort of like frequency hopping spread spectrum, don't put the email all in one place. Break it up into fragments and spread it all over. There are data centers all over. Spread the contents between them, all in different countries, scrambled, so that you can't read them unless you have them all. If any one country forbids the transfer of the portion in

Invasion of privacy

[Anonymous Coward]

So the judge is compelling them to be complicit in commiting a crime? It would be interesting to see if the judge's immunity holds in that circumstance.

Re:

[sumdumass]

Complicit in what crime? Anyways, ever heard of sovereign immunity? That is in essence the parent to any immunity real or perceived that the judge may have.

Re: Welcome To Worlds Top Blogging Platfrom

[Type44Q]

It's not hard to tell you're a foreign-language speaker... let me guess; Hindi?

Mumbo Jumbo

[Anonymous Coward]

If it's on a foreign server, that pretty much sums it up right there.

Re:

[fibonacci8]

It sure does. That means the US court would have jurisdiction if and only if the foreign country agrees to it first. If the foreign country doesn't agree to it, this is overreach.

Maybe this judge didn't think things through.

[Sique]

I wonder what happens if an E.U. court finds that the data transfer of personal data from an E.U. located server to the U.S. without E.U. judicary oversight is illegal. That was one of the arguments in the Microsoft case. If the U.S. judge then orders Google to ignore the E.U. court, he could be held in contempt of the E.U. court and face punitive measures.

Re:

[Anonymous Coward]

US courts might have legal power over Google US, but it still has none over Google EU.

Indeed

[Bruce66423]

Corporations need to ensure that their data is held by legal subsidiaries that can only be hit with a warrant by their own country's courts and which have no ability to access data controlled by another legal subsidiary. Whilst not trivial, it is surely possible for the relevant security keys to be strictly under the control of the relevant county's board of directors. That board of directors would be protected by the courts of its domicile - though I guess members may end up being unable to travel to the U

Re:Maybe this judge didn't think things through.

[Solandri]

That was the point of the Microsoft ruling. Rulings like in this Google case can put companies (and by precedent, people) in an impossible position where in order to comply with one country's laws, they're forced to break another country's laws. Kinda like the U.S. policy that U.S. citizens have to pay U.S. taxes on income earned abroad could hypothetically cause a U.S. citizen to owe more than 100% in taxes (if the combined tax rates of the U.S. and other country exceeded 100%).

Other countries avoid the problem by accepting that their laws end at their borders, and if they want something from another country they have to work with that country for joint law enforcement action or extradition. But for some reason politicians and judges in the U.S. keep thinking U.S. law should apply all around the world.

Re: Maybe this judge didn't think things through.

[Anonymous Coward]

That is not even close to how taxation works. You deduct what you pay in the other country.

Re:Maybe this judge didn't think things through.

[Macdude]

Kinda like the U.S. policy that U.S. citizens have to pay U.S. taxes on income earned abroad could hypothetically cause a U.S. citizen to owe more than 100% in taxes

No it can't. You claim a Foreign Tax Credit for any income tax paid to a foreign government and it's deducted from your tax payable in the US. For example if your US tax rate was 35% and your foreign tax rate was 30%, you would pay 30% to the foreign government and then 5% (35% - 30%) to the US government.

See: IRS Publication 514 https://www.irs.gov/pub/irs-pd... [irs.gov]

Re:Maybe this judge didn't think things through.

[Godwin O'Hitler]

Do you get 5% back if its 40% abroad?

Re:

[Sique]

No. But there are rules how to handle that: The U.S. court asks an E.U. court to allow the transfer. And then the transfer happens, or the approbriate E.U. police unit gets the data and transfers it. Somehow this U.S. judge didn't want to play by the rules.

Re:

[sithlord2]

The reason is: Google doesn't guarantee that EU email data is only stored in the EU. They store the data on servers worldwide for performance reasons, including the US.

MS stores EU email data on EU servers only.

This is a *domestic* fraud probe.

[Nutria]

That appears to mean that the person who used gmail lives in the US, and Google just randomly decided to store part of it in Ireland.

Since data stored in the cloud isn't *really* yours anymore, you disclosed the contents of the message to a 3rd party in the US. I can see why the Magistrate ruled the way he did.

Re:

[Roger W Moore]

That appears to mean that the person who used gmail lives in the US, and Google just randomly decided to store part of it in Ireland.

Then the US needs to have laws which do not allow companies to do this because once the data has left the US and entered the EU it is subject to EU law. You would not want data in the US related to chinese citizens to be subject to the chinese government accessing it would you? The same principle applies here.

Re:

[Nutria]

the US needs to have laws which do not allow companies to do this

That would simplify things.

once the data has left the US and entered the EU it is subject to EU law.

You'd think. But the judge didn't seem (according to the fortune.com article) to rule on that, only that the alleged fraudster gave up any right to privacy by giving his email for storage by a third party.

I wonder what the rules are in the tangible world. If I gave you evidence of a crime, and you flew to Ireland and put it in a storage unit, could the US government order you to go and return it from Ireland?

Twisted Logic

[SwashbucklingCowboy]

That's some twisted logic that to "seize" something it must not be available to the owner any longer.

Rulings like this will KILL US cloud providers. trying to sell services outside the US.

Re:

[John.Banister]

I wonder how that logic works with IP other than email.

Re:

[drinkypoo]

That's some twisted logic that to "seize" something it must not be available to the owner any longer.

What? That's precisely what it means. It's the same reason why copyright infringement is not theft. It's not seizure unless you're depriving someone of it.

Re:

[currently_awake]

As opposed to everyone knowing the NSA is spying on everything you do being bad for American business.

Data Extradition?

[Midnight Thunder]

I don't know if there is such a thing as 'data extradition', but surely working with Ireland would be the best approach? Anything else should surely outside of the immediate jurisdiction of US law enforcement? Maybe Google should invesigate the flip question: would the US accept e-mails on a foreign national stored on a US server to be handed over without the necessary legal paper work?

Re:

[Darren Bane]

This exists ( https://www.state.gov/document... [state.gov] ). A sizeable volume of requests are processed every year. However, some US judges don't want to use the official channels, I suspect because they are egotistical enough to think that their writ applies outside US territory. I don't mean to knock Americans, this is just human nature. An Irish policeman recently was recently in the papers for cooperation with the FBI to get Facebook to do something that could have been done much quicker by just asking the comp

Protonmail and MS Azure

[TheOuterLinux]

Protonmail is a foreign and heavily encrypted Swiss email service that uses two passwords, one for account and the other for the mailbox itself. They don't store the passwords or anything else to decrypt emails, or at least the mailboxes. For man in the middle, I have no idea. But any way, if Micro$oft doesn't have to disclose like Google does, know that Protonmail uses Azure, which is M$ owned. They have it for all desktops and smart phones, or you can just log with a web browser that supports JS.

Also be aware...

[TheOuterLinux]

Twitter dropped API keys for government spy programs a few months back because of Muslim witch hunts. However, they just partnered with Google to help them build parts of their software. Funny how Google didn't get exempt but Micro$oft, the platform that a whole bunch of our government decided to use for some reason, does. Wonder why (sarcasm) ? Duh. And now they will go after Twitter next since Google lost and is working with them. Revenge for saying no. Just something to be aware of.

Zero knowledge

[Natales]

That's why you always choose a zero knowledge provider. Someone that provides you a service but doesn't have access to read the content.

I'm pretty happy with ProtonMail [protonmail.com] in that area. They are not only located in Switzerland, with much stronger privacy laws, but also, they encrypt end-to-end, and therefore, have no access to the content. Mail between users in ProtonMail are automatically encrypted, while mail to someone outside the system can be sent as a URL the receiver has to have a password to access

"possessory interest"???

[superdave80]

...did not qualify as a seizure...because there was "no meaningful interference" with the account holder's "possessory interest" in the data sought.

I think this judge is sort of missing the point of why people fight against having their personal data seized. It's not that we don't have access to the seized data, it's that other parties have access to something that I want kept private.

I'd like to see this same argument used when I demand a bunch of classified documents from the government:

"No, no, it's OK, I just want a COPY of the classified stuff. You guys will still have your 'possessory interest'"