Where Is Your Data “Located”?

In a well-reported decision last week, a New York Court ordered Microsoft to produce emails stored on a server located in Dublin, Ireland.  There has already been some very good legal analysis of the opinion, which Microsoft has stated that it will appeal.  A key issue, of course, is whether a US-based court should have the ability to order the production of data “located” in a foreign country.

One of the issues with analyzing this problem is the application of old-school ideas, like physical location, to electronic information.  It’s easy (and convenient) to think about data being stored on a server, which is an actual physical item, and identifying that data as being located in that place.

But unlike actual physical objects, data is easy to copy, and copies often are stored in different places for more convenient access or for data protection and backup purposes.  It’s likely that the email messages in Dublin were replicated several times, possibly on backup media such as a tape or on a backup server (both of which are physical items).

However, unlike physical objects, many people can have “access” to data at the same time, and physical proximity is generally not very important to that access.  So while only people located near the server in Dublin can physically touch that server, there are likely dozens or hundreds of people throughout the world with the ability to access the server and read the data stored there.  The only constraint on that access is having the security credentials to access it.

Conversely, it’s easy to turn the idea of physical access on its head.  Even if you were standing next to the Dublin server, you would not have access to its data without proper credentials.  Thus, even assuming that a court with jurisdiction could order you to “get” the server, you might not have any ability to actually deliver the data stored on it.  In fact, with the right security and encryption, it’s possible to limit access to that information to just one person in the entire world!

The law changes slowly, and for good reason.  But until we have a better legal framework for analyzing electronic data issues, cases like the Dublin server will be difficult to predict and explain under our current legal structures.

Jim Shook

About the Author: Jim Shook

Jim combines his computer science degree and technical experience with over a decade as a litigator and general counsel, helping customers to better understand cybersecurity best practices and related regulatory and legal concerns. Today he focuses on combating the impact of ransomware and destructive attacks with cyber resilience capabilities and technologies. Jim started and continues to lead Dell's relationship with Sheltered Harbor and serves on its Joint Steering Committee. He is also a member of the Joint Steering Committee for the Sedona Conference working group on cybersecurity and privacy.