A US court has ruled that Google must obey domestic search warrants for data stored overseas – and a data privacy expert has said that governments outside the US must do their bit to protect their citizens from future requests.
The ruling means Google is legally obliged to hand over collected data to authorities upon request, irrespective of where it is collected and/or stored. It followed Google’s refusal to fully comply with two search warrants issued by the FBI — the search giant only offered data stored on its US servers.
In appealing the judgment, Google cited the July 2016 victory of Microsoft in the US Court of Appeals, which found the corporation did not have to hand over emails stored on cloud systems in Ireland to investigators probing drug trafficking. Microsoft successfully argued investigators should have approached Irish authorities to secure access to the files.
However, Google’s argument was not recognized. The Judge’s decision makes clear that while Google distributes its file systems across the world, it ultimately remains an American corporation — and American courts can force it to offer up users’ private information upon request.
“Google regularly transfers user data from data center to another without customer knowledge. Such transfers do not interfere with a customer’s access or possessory interest in the user data. Even if the transfer interferes with the account owner’s control over his information, this interference is minimal and temporary,” the Judge said.
In essence, in the Judge’s view, as requested messages would only be opened in the US, and search warrants pursued suspects living in America, so it wasn’t, Google data automatically falls under US jurisdiction.
Peter Sommer, professor of digital forensics at Birmingham City University, thinks more cases of this type can be expected.
“Much depends on how local laws are interpreted — does a court have jurisdiction over servers in another country? Does it make any difference if, though the data is held overseas, a business within the jurisdiction can be said to have ‘control’ over it? In the US the arguments are couched over the Electronic Communications Privacy Act and the 4th Amendment. In the Google case the judge decided that the demand was technically not a ‘seizure’ because there was no interference in the account holder’s ‘possessory interest.’ Quite different issues would arise in the UK where they would have to use the new Investigatory Powers Act — which is very wide,” Professor Sommer said.
What can privacy conscious search users outside the US do to stop American authorities accessing their data? Chris Watts, an investigator for tech security firm Griffin Forensics, believes the answer is not much.
“For those worried about the FBI reading their emails, I would say if you’ve got nothing to hide, you’ve got nothing to fear, but that adage isn’t reassuring for very many. On the plus, there’s so much data in an average email account that the FBI can’t and won’t read each and every single thing people send and receive in detail — they’ll rely on algorithms that look for specific buzzphrases and keywords,” Watts said.
Nonetheless, Watts doesn’t view the ruling as a positive development, and believes national governments outside the US now have a responsibility to craft legislation which prevents overseas authorities and courts retrieving data generated within their borders.
“Giving US authorities blanket permission to subpoena any personal data they like does recall using a sledgehammer to crack a nut, and it does raise the prospect they could go after anyone, anywhere in the world. National governments should respond with laws to protect the personal data of their citizens in light of this ruling, making clear data captured in their country can’t be automatically collected.”