Electronic records outside US not covered by US warrants

The 2nd Circuit Court of Appeals ruled against the Government today in US Government vs. Microsoft. The government is investigating a drug dealer and want access to records held by Microsoft. Microsoft turned over metadata stored on US machines. But they refused to turn over the specific emails stored on machines in Dublin. The company’s position is that the federal government needs to follow the rules of the Mutual Legal Assistance Treaty between the US and Ireland.
This has been winding its way through the appeals court.
The court’s ruling today states “§ 2703 of the Stored Communications Act does not authorize courts to issue and enforce against U.S.‐based service providers warrants for the seizure of customer e‐mail content that is stored exclusively on foreign servers.”
An interesting ruling, and I see pros and cons to the ruling. It does complicate anti-spam enforcement a bit and make it easier for criminals to hide their data overseas while they might be in the US. But it’s already easy for them to do that. Many arrests of spam gangs and others for crimes committed on the Internet over email involve multiple law enforcement agencies across the world.
Full text of the ruling (.pdf link)

Related Posts

Phishing costs company $46 million

Brian Krebs posted about a tech firm that lost $46M dollars due to fraud. The company reported in its SEC filings that the money was lost when someone impersonated an employee and directed the finance department to transfer money to outside accounts.
This is becoming more common. In some cases, DMARC authentication may stop this kind of fraud. But DMARC has a lot of deployment challenges and can cause real mail to fail delivery. In other cases, criminals are using lookalike domains and they can be authenticated and pass DMARC.
This isn’t really a bulk mail issue. And it’s certainly not a deliverability issue. But it is a security issue and I think it’s important that folks are aware of this kind of online crime. Coincidentally, as I’m writing this, I’m chatting online with a compliance person at a cloud hosting company who is brainstorming policies to block phishing URLs on their site. Email is a major vector for abuse and those of us who manage sending need to be a part of the solution.

Read More

Misdirected email


While this does seem to be more common with gmail addresses, it’s not solely limited to gmail. I’ve written about this frequently.

Read More

US-EU Privacy Shield Approved

Since the Safe Harbor rules were struck down by EU courts, the US and EU have been in negotiations to replace it. This morning (pacific time) the EU approved the new rules called Privacy Shield. WSJ Article

Read More