Back in July, Microsoft won the notorious “warrant case” in Ireland when the Second Circuit court found that it had no obligation to turn over customer communications stored in Ireland to U.S. authorities. At least one reason that many privacy activists cheered the news was that it also appeared to give weight to Mutual Legal Assistance Treaties, which the original warrant had sought to circumvent.
But now, an even more preposterous order has reared its head. This time, in Belgium.
Last month a court in Mechelen fined Microsoft €30,000 for failing to hand over Skype communications dating back to 2012 — something it is technically impossible for Microsoft to do.
Firstly, the company did not own Skype in 2012, and secondly, at that time, the communications ran via a peer-to-peer system. But it is also worth noting that the Belgian court also sought to ride roughshod over MLATs.
In its defense, Microsoft argued that not only was the court order impossible to comply with, but that the company is not even subject to Belgian jurisdiction. According to Microsoft, the authorities should have invoked MLATs to try to gain the information from its Luxembourg subsidiary.
In September 2012, Skype did hand over metadata relevant to the investigation, but was unable to provide anything else.
While €30,000 may be pocket change to Microsoft, the legal arguments provide important insight and may be the harbinger of more to come. “Skype offers services in our country, so it needs to know the laws and therefore know that the court may ask interception measures,” said Belgian prosecutor Tim Hoogebemt — oblivious to the technical realities: At the time of the communications, the architecture simply didn’t support the interception of calls.
A new sweeping data retention law passed in May, largely in response to the March 22 airport terror attacks, requires telecommunications companies to store customer data for up to one year, and to provide it to the authorities on demand in terrorism investigations. This order for so-called “monitoring assistance” can be made without prior judicial review, despite the European Court of Justice landmark ruling against the Data Retention Directive in 2014.
In the Skype case, Microsoft argued that even this new law doesn’t actually apply to it since it’s a software provider, rather than a service provider. Whether that argument stacks up is something other firms will be watching closely as the current Skype architecture is no longer peer-to-peer, and Microsoft’s control over the data is significantly greater than it was in 2012.
The company has the right to appeal the — largely symbolic — fine, but without a time-machine, the Belgian authorities are unlikely to get what they want. What they will want in the future is likely to involve backdoors and much hand-wringing.
photo credit: jeanløw Paris # Monde de Geeks via photopin(license)