FMG Law Blog Line

Posts Tagged ‘Microsoft’

Cybersecurity in Georgia Hits a Roadblock

Posted on: May 14th, 2018

By: Ze’eva Kushner

On May 8, 2018, Georgia’s Governor Nathan Deal made a controversial decision to veto a cybersecurity bill. Introduced in the wake of the massive data breach of Atlanta-based Equifax, among other data breaches across the country, the cybersecurity bill would have made logging into a computer without permission illegal, even if no information was stolen. The recent ransomware attack on the City of Atlanta serves as a reminder of the potentially significant costs of not having computer systems protected adequately.

However, the bill included multiple exemptions, one of which would have permitted individuals to engage in active defense measures aimed at preventing or detecting unauthorized computer access.  In the industry, this is often referred to as “hacking back.”  The defensive actions could have included techniques such as using beaconing technology to determine the location of a hacker or leaving one’s network to track down stolen data.  The legality of these cyber defense measures is murky.

Google and Microsoft both urged Governor Deal to veto the bill, explaining that the active defense exemption would have authorized the hacking of other networks and systems under the pretext of cybersecurity and potentially led to anticompetitive behavior. According to Governor Deal, the end result of the bill would have hurt organizations’ ability to secure their computer systems.

If you have any questions or would like more information, please contact Ze’eva Kushner at [email protected].

Head In the Cloud – United States Supreme Court Takes On Application of Domestic Warrant To Information Stored Internationally

Posted on: March 9th, 2018

By: Glenn M. Kenna

The Supreme Court is set to decide a vital question this term: can the government use a warrant served in the United States to obtain emails stored abroad? The United States Government says it can; Microsoft disagrees. The case is United States v. Microsoft Corporation, in which the Supreme Court heard oral argument on February 27, 2018.

To understand the nature of the conflict, a little backstory is necessary. Congress passed a law in 1986, the Electronic Communications Privacy Act (ECPA). Part of Title II of the ECPA, 18 USC § 2703, allows law enforcement agencies to issue warrants, so-called Section 2703 Warrants, to discover electronic communications stored in an “electronic communications system.” In other words, the government can serve a warrant on an email service provider, such as Microsoft, and obtain emails stored on Microsoft’s servers.

In the Microsoft case, the Government did exactly that. It served a warrant on Microsoft in Redmond, Washington to discover electronically stored communications in connection with an ongoing investigation into a crime allegedly committed in the United States. The issue at the heart of the dispute is that the warrant sought the contents of communications stored on servers in Ireland. In response to the warrant, Microsoft turned over domestically stored information (in this case certain metadata about the emails) but refused to turn over the contents of the communications stored abroad. A legal battle between the Government and Microsoft has ensued, ultimately leading to the Supreme Court granting cert.

In the ongoing dispute between Microsoft and the Government, Microsoft contends that the Government’s attempt to enforce the warrant is an extraterritorial act, i.e., an attempt by the Government to enforce United States law abroad. It further asserts that complying with the warrant could run afoul of the law in the country where the information is stored. The United States’ position is that, should the ECPA not apply to information stored abroad, every service provider would simply move its servers out of the United States, taking the communications beyond the reach of US law enforcement agencies. Moreover, it reasons, Microsoft can access the information domestically regardless of where the information is stored, which the government contends does not require the application of the ECPA abroad.

The ECPA pre-dates the internet.  Email as we know it today did not exist in 1986.  The drafters of the ECPA could not have imagined a world where people stored their entire lives on remote servers, or a world where those servers could be located anywhere across the globe.  Those are issues with which courts continue to struggle, including the Supreme Court in this case.

It remains to be seen how the Court will rule in the Microsoft case, or if Congress will act to modernize the ECPA before the Court’s decision (indeed, a bipartisan group of senators has introduced the CLOUD Act to address the issues raised in the Microsoft case). What is clear, however, is that Microsoft represents just one small part of an ongoing clash between law and technology. While not at issue directly in the Microsoft case, the dispute also raises the question: what right do we have in the privacy of our electronic worlds?

If you have any questions or would like more information, please contact Glenn Kenna at [email protected].