The Neverland World of The Cloud is Over. U.S. Search Warrants Can Access Digital Information Stored Abroad
“The U.S. government doesn’t have the power to search a home in another country, nor should it have the power to search the content of email stored overseas” (David Howard - Corporate Vice President & Deputy General Counsel, Microsoft).
Microsoft's overseas data warrant dispute is definitely one of the cases that privacy lawyers will be watching in 2015. The fight will now take place in the U.S. Court of Appeals for the Second Circuit. Here is a brief summary of the main issues at stake.
The debate over privacy and technology has intensified. As is common with new technology, the advent of cloud computing brought with it a variety of legal challenges, including privacy, jurisdiction, and intellectual property concerns. The “idea” that location is irrelevant because data simply flows in the “Neverland world of the cloud” has come to an end. Recently, a U.S. District Judge held that Microsoft must comply with a U.S. search warrant to disclose the content of digital information stored outside the United States. These (email) data are not private anymore… at least, for the moment. Some explanations follow.
The story began on December 4, 2013, when a Magistrate Judge (Southern District of New York) issued a warrant, without any geographic limitation, to search for and seize information associated with a Microsoft web-based email account outside the U.S. More precisely, the issue is whether Microsoft must turn over a customer’s e-mails held in Dublin, Ireland, in a drug investigation.
Unfortunately, the main legal acts related to this case, the Electronic Communications Privacy Act (ECPA) and the Stored Communications Act (SCA), do not address this issue.
However, the SCA authorizes the Government to seek the contents of stored communications that are more than 180 days old using a subpoena, court order, or a warrant. In this case, the warrant was issued under 18 U.S. Code §2703(a), which requires the Government to use the warrant procedure described in Rule 41 of the Federal Rules of Criminal Procedure, a rule that is silent as to whether it has extraterritorial effect. Based on this rule, Microsoft argued that the U.S. Government cannot execute a search and seizure in Ireland with a warrant. The only legal basis to compel the Company, without violating international law and treaties, and the territorial integrity of sovereign nations, would be to use the Ireland-U.S. Mutual Legal Assistance Treaty (MLAT). The Government, by contrast, claimed that the service provider itself is the subject of the warrant, not the data center location, and that U.S. service providers cannot avoid compliance with compulsory SCA process. On December 18, 2013, Microsoft moved to vacate the warrant.
On April 25, 2014, a first court decision said that Internet service providers cannot refuse to turn over customer information and emails stored in other countries when issued a valid search warrant from U.S. law enforcement agencies. The Magistrate Judge also stated that the term “warrant” in §2703(a) did not mean “warrant” (and thus declined to give the word its ordinary meaning), but instead concluded that an SCA warrant is a “hybrid: part search warrant and part subpoena”, i.e. “obtained like a search warrant” and “executed like a subpoena”. On May 6, 2014, Microsoft appealed to vacate, once again, the (so-called) warrant.
In July, Chief U.S. District Judge Loretta Preska ordered that Microsoft must comply with the warrant, arguing that it was more a question of control, not location (In re Microsoft Corp., No. 1:13-mj-02814 (S.D.N.Y. July 31, 2014)). Microsoft argued, among other things, that the enforcement of the warrant would be an improper, extra-territorial application of United States law. In other words, neither ECPA nor any other source of law authorizes the Court to issue such a warrant for information stored outside the country. And, even if permitted by the ECPA, the warrant should be considered unlawful because it violated the Fourth Amendment protection for “papers and effects” that encompasses the content of communication in which individuals have a reasonable expectation of privacy. The Government claimed that there is no extraterritorial application of the law, because the law is being applied within the United States, to a U.S. service provider, within U.S. territory.
Microsoft was therefore required to hand over email messages to U.S. prosecutors. However, the Judge suspended the order temporarily amid complaints from international companies that argued that the search and seizure of data held internationally was illegal. On August 29, she lifted that suspension after prosecutors successfully convinced her that her order was not appealable. Finally, on September 8, at Microsoft's request, the Court held the company in contempt for not complying in full with the warrant, permitting the company to appeal the Court’s July 31 ruling.
Multiple questions are involved in this case: Can the U.S. Government assert a right to digital content wherever in the world it is stored? Does the cloud have a physical footprint? What law applies to data stored in the cloud? What is clear in this case is that U.S. law is reaching for data that is fundamentally foreign. Moreover, the legislative history of the SCA states that the Act was “intended to apply only to access within the territorial United States” (see In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp., 13 Mag. 2814, 2014 U.S. Dist. LEXIS 59296, at *20 (S.D.N.Y. Apr. 25, 2014)). It also seems that the judge is ignoring the difference between a warrant and a subpoena. A warrant gives the Government the power to seize, in the U.S., evidence without notice or an opportunity to challenge. The Fourth Amendment requires that a warrant “particularly describ[e] the place to be searched, and the persons or things to be seized”. In electronic searches, the need for such particularity is important when the searches by their nature “involve (…) an intrusion on privacy that is broad in scope” (Berger v. New York, 388 U.S. 41, 56 (1967)). A subpoena gives the Government the power to require a person to collect items in her possession, custody or control, regardless of location, and bring them to court, but gives the recipient an opportunity to move in advance to quash. In sum, this super-powerful “hybrid subpoena” doesn’t seem to be the appropriate tool in this particular situation.
Nowadays, it’s not easy to be a major Internet company. The choices they make affect the privacy of their users. Microsoft deserves applause for protecting, fighting for, and standing for their users’ privacy/rights in U.S. Courts. As explained, there is no substantial nexus whatsoever with the United States. One may argue that the principle of territoriality doesn’t cover information on the Internet. But that would transform such a search warrant into a global information access tool without bounds, and be a sign that these Courts don’t respect the data privacy and information law interests of other countries. If Microsoft loses this case, companies outside the U.S. that wish to keep their data away and safe will most likely stop using ISPs or hosting providers with any nexus/presence within the United States. Stretching policy, statutory interpretation, and relying on legal uncertainties are not suitable ways to access user information; and Microsoft is not willing to settle.