DoJ claims 'dozens' of cases hit by Microsoft cloud ruling

The US Department of Justice says the progress of “dozens” of criminal cases has now been “directly affected” by a landmark ruling that limited law enforcement access to data stored on international servers.

John Lynch, chief of the computer crime and intellectual property section of the US DoJ’s criminal division, said a ruling last year that the US government couldn’t force Microsoft to hand over emails stored on servers in Ireland was starting to have wider ramifications for law enforcement.

Microsoft had challenged a search warrant issued by a US court for data held on servers in Ireland. A US District Court in Manhattan originally sided with the US government, however this was overturned on federal appeal mid last year.

Hopes for a re-hearing were dashed last month.

But, speaking at the RSA Conference 2017 in San Francisco, Lynch indicated there could be more to come.

“We’re essentially looking at our options in that direct litigation,” he said.

Law enforcement was now starting to feel the ripple effects of the case.

“Up until about six months ago, companies weren’t implementing the Microsoft decision and were waiting to see what happened,” Lynch said.

“Now we’re seeing at this point dozens of cases have been directly affected [by being denied access to data stored overseas].”

Complicating the job for investigators of criminal cases worldwide, Lynch argued, is the lack of standardisation in how cloud and data storage providers determine the jurisdiction over where their data resides.

In addition to litigating against Microsoft, Lynch noted the DoJ had also recently “challenged Google’s position” on data jurisdiction and access, winning the first round.

Google is relying on the Microsoft ruling in part to fend off attempts to access customer data.

Its jurisdictional issues are complicated by the way it stores data in its worldwide systems.

“For example, Google stores their information all over the world and sometimes splits it up and shards it into distributed databases so they don’t actually even assemble the data until there’s a request,” Lynch said.

Jurisdictional variances made it difficult both for US investigators and law enforcement to obtain data for criminal prosecutions, and for their international counterparts seeking similar cooperation, Lynch argued.

“There’s going to be ongoing litigation in this area,” Lynch predicted.

“It continues to be a very difficult issue that law enforcement is trying to grapple with because it is a problem when we can’t get the data under any regime. It can just stymie an investigation altogether.”

Should the DoJ exhaust its legal avenues, Lynch said the pursuit of legislative reform could be a possibility.

“We signalled at the end of the last administration that we were working on a legislative proposal,” he said.

“We have a new administration now. We haven’t proposed anything directly yet but we hope that -whether it’s in the courts or Congress because this is not a constitutional issue, it’s a statutory issue - we can get it fixed.”

Ry Crozier attended the RSA Conference 2017 in San Francisco as a guest of RSA.