Google Fails to Block Email Search Warrant

John Lister's picture

A US court has ordered Google to hand over emails that it stores on computers in another country. That's a contrast to a previous ruling involving Microsoft, and highlights the complexity of applying national laws to Internet issues.

The case involves an FBI search warrant that applies to a criminal suspect. Google had refused to comply with the warrant on two grounds: that there wasn't enough evidence for a seizure to overcome the restrictions placed by the constitution, and that the emails were physically stored outside of the US and thus couldn't be covered by a domestic warrant.

Email Search Not Classed as 'Seizure'

A federal court rejected both arguments.

Judge Thomas Rueter said the FBI getting hold of the emails would not count as a seizure because "there is no meaningful interference" with the person's "possessory interest" in the data. In other words, the fact that the FBI could see the emails wouldn't stop the suspect continuing to "possess" the data themselves. (Source: reuters.com)

Rueter also noted that Google regularly moves the physical location of customer emails from one place to another without it being a legal issue for the customer.

On the second point, in which Google noted that the emails were stored outside the US - Rueter ruled that the location issue wasn't relevant because when the FBI views the emails, the "search" will take place in the US, and thus domestic law applies.

Microsoft Received Opposing Verdict

The ruling is something of a surprise, as an appeals court previously threw out a similar court order on Microsoft involving emails it had physically stored on a server in the Republic of Ireland.

One possible reason for the difference is that Google said in its evidence that the data which makes up a user's email account is sometimes split and stored in different locations to improve performance, which means it's not always simple to say which country particular messages are stored in. (Source: computerworld.com)

In both cases, the confusion is partly because the warrants relied on the Stored Communications Act, which lay down exceptions to the Fourth Amendment when it comes to electronic data. The fourth amendment roughly translates to: "the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated." The problem is that the Stored Communications Act was written in 1986, and thus doesn't pay much attention to the possibilities of data moving across national borders, especially in regard to the Internet.

What's Your Opinion?

Do you agree with the court's decision to allow the search order? Should US search orders apply anywhere in the world if both the email provider and the customer are American? Is it time to update the Stored Communications Act to better reflect the modern Internet?

Rate this article: 
Average: 5 (4 votes)

Comments

Dennis Faas's picture

This is once again a tough decision. In this case, the judge uses the phrase "possessory interest" as it applies to digital media. One could easily apply this "theory" of possession to other things, such as banking information or GPS - and voila, the police and government now have rights to everything you do on your phone, computer, car, etc. Yes, the data hasn't physically moved, but the idea of having the government being able to gain access to said data based on technical wording such as this, and further actions as a result of similar rulings will surely be rejected by most.

jamies's picture

What about other locations data protection and privacy, security regulations, laws and requirements.

As in for an organisation to acquire data within the EU the organisation has to affirm that they will hold the data in a secure and safe manner and location, such that the data is held in as secure, safe and private manner as it would be if it was held in the country where it was acquired.

Now, I accept this case deals with email rather than data specifically held about individual persons.
But does the ruling not actually void any organisations affirmation that they will protect the privacy of data.
Consequently, as this ruling seems (to me) to indicate that data held by any organisation subject to USA law, courts, or their enforcement agents, is NOT protected.
Consequently: No such organisation can believe they can conform to the data protection requirements applicable in such locations as the EU

Indeed, I suspect that ruling may mean the Russian requirements provide better protection for their residents than are possible in the USA

Note - I say residents not Citizens because the USA law applies to data held, or accessible to any person or organisation subject to the USA courts, and ... if you are an 'official Resident' of almost any other country, then those laws cannot (except under treaties) be applied to foreign residents.

Residents in the UK - note extradition to the USA is pretty much they just have to ask and give a reason, not any actual evidence.

Sort of like - He accessed the FBI computers using the master administrator id and password the is printed in the manufacturer's publically available, and dispatched to any requestor regardless of what country of their postal address
OK - there is a warning that a different id and password should be set within the computer systems - but that's far too much effort for our FBI technical staff to manage. - what - who RTFM?

matt_2058's picture

I don't get it. What makes a judge think his ruling applies to all the world? Is he only giving the FBI a ruling to use as support for an extradition of sorts?

I agree with the 'resident' vs 'citizen' difference. It should make a difference. But as we all know, crimes are location dependent. And the hosting country is the law, or should be.

jamies's picture

Matt 2058,
Not sure from your response that I made the point clearly:

In a country within the EU and within Russia, the laws are pretty much that:
If you collect data on or from people, then
You may NOT pass that data to a location where the laws that applied to it on collection no longer apply.
So If the USA legislation does NOT require data be kept private and securely so, then any organisation moving data from the EU, or Russia to the USA is breaking the law.

Now the courts in the USA seem to be stating that any data held anywhere, inside, or outside the USA is subject to the USA courts control and can be distributed as they specify, regardless of the laws that applied to the data when it was collected.

This ruling effectively states that, all data held by the organisation, regardless of where it is held, is subject to the USA regulations, and they override the regulations that applied to the collection of that data.

So - if the Chinese, Russian, Afghanistan, and North Korean courts all take the same attitude - then should the USA take the same stance - and say OK - all data held by any organisation operating within the borders of those countries is to be made available to the agencies of those governments.

As in - USA power distribution companies may operate in China etc. so all the details of the power supply infrastructure in the USA is, under the USA legislation now legally required to be made available to their government agencies.

To my thinking not so much a slippery slope as a lemmings flight path?