A federal court in Philadelphia has ruled that Google must comply with an FBI demand for certain customer data that are currently stored on Google servers located overseas.
The data belongs to targets in two separate domestic criminal investigations. The account holders are U.S residents and the crimes in question happened solely within the U.S. as well.
Google has so far refused to hand over the requested documents citing a recent decision by the U.S. Court of Appeals for the Second Circuit in a similar dispute involving Microsoft. Like Google, Microsoft had refused to comply with a court order asking it to provide the government with data that happened to be stored in one of the company's servers in Ireland.
In that case, the appellate court had ruled in favor of Microsoft and said the company should not be forced to produce data stored overseas, because doing so would amount to an extra-territorial application of U.S. laws.
Google had pointed to that decision as a precedent for why it shouldn't be compelled to produce customer data stored overseas either. Google claimed that the federal Stored Communications Act (SCA), which the government had based its search warrant on, only covers data stored within the United States.
The company noted that it had already produced all responsive data it could find stored on its domestic systems. Google also claimed that the order requiring it to provide the data was overly broad and did not specify what services exactly the government wanted Google to search for and produce.
In a 29-page ruling Friday, U.S. magistrate judge Thomas Rueter disagreed with the Second Circuit court's reasoning and held that Google must indeed produce the requested documents regardless of where they are stored.
"In contrast to the decision in Microsoft, this court holds that the disclosure by Google of the electronic data relevant to the warrants at issue here constitutes neither a "seizure" nor a "search" of the targets' data in a foreign country," the judge wrote.
A court order issued under the SCA is really a hybrid between a search warrant and a subpoena. Serving it does not involve government agents having to enter a service provider's property, search its servers and seize data. Rather it is executed like a subpoena that requires the recipient to hand over the requested data regardless of where it is located.
The mere act of electronically transferring data from a server outside the U.S. to Google's systems in California does not constitute a search or seizure of property. As part of delivering its services, Google regularly transfers user data between data centers, including those located outside the country, without the customer’s knowledge. Often such transfers take place automatically and as frequently as needed to keep Google's services running optimally.
In these circumstances especially, "electronically transferring data from a server in a foreign country to Google's data center in California does not amount to a 'seizure'," Judge Rueter said. "There is no meaningful interference with the account holder's possessory interest in the user data."
In a statement, Google said it would fight the ruling. "The magistrate in this case departed from precedent, and we plan to appeal the decision," the company said. "We will continue to push back on overbroad warrants."
There's a lot at stake for Google and other American companies in these cases. Following Edward Snowden's leaks, there has been a lot of concern, especially overseas about the U.S. government's access to customer data stored by U.S. cloud providers.
Google and others have said they only provide data when compelled to do so by court order and have vowed to protect customer data to the extent they can, including in court where necessary.