Thursday, February 23, 2017

Location and Intent Matter: Data Privacy vs. US Government

Two interesting cases related to data privacy were decided recently, one last summer and one earlier this month. Both concern US search warrants for email data stored outside the United States of America. In July 2016 the United States Court of Appeals for the Second Circuit ruled that Microsoft does not need to hand over email data stored in Ireland. This February, the United States District Court for the Eastern District of Pennsylvania decided that Google must produce emails that were stored outside the USA. The latter case is not finally decided because Google plans to appeal the ruling. Independent of that, what is the take-away from these rulings? Let's take a look.

Here are key properties of the data in the Microsoft case:
  • Email account for user in Europe
  • Data is stored close to user location by design, in this case Europe. The location is determined based on user input during signup for the service.
  • The data usually is not moved during the account lifetime, but stays in the data center or region.
In the Google case, the data properties are slightly different:
  • Email account for user in USA
  • The user does not know about the data location.
  • Data is moved between data centers in a process transparent to the user. The data could even be split into chunks stored in multiple data centers.
Even with the Google case not finally decided, a simple conclusion is that if you are a user from Europe and the data is intentionally stored in Europe with no copies in the US, then even a US-based company does not need to hand over the data to the US authorities.