The Second Circuit has rendered its long-awaited opinion in Microsoft Corp. v. United States (Microsoft-Ireland), finding that Microsoft was not obligated to turn over to the government a customer’s emails stored exclusively on Microsoft servers outside the US pursuant to a warrant issued under the Stored Communications Act 18 U.S.C. §§ 2701 et. seq. (SCA) (a "2703(a) warrant"), part of the Electronic Communications Privacy Act (ECPA).
In addition to its practical implications discussed below, the Microsoft-Ireland opinion,issued on July 13, 2016, represents a significant development in ECPA – and by extension, Fourth Amendment – jurisprudence and underscores the increasing tension between traditional Fourth Amendment principles and the ever-evolving digital environment.
LOWER COURT FOUND FOR THE GOVERNMENT
On December 4, 2013, a Southern District of New York Magistrate Judge issued a warrant seeking to compel Microsoft to disclose the contents of a particular user’s Microsoft email account, which Microsoft had stored entirely on servers outside the United States, in Ireland. The Magistrate Judge and District Court denied Microsoft’s motion to quash this portion of the warrant. Microsoft appealed to the Second Circuit, resulting in the recent opinion.
Microsoft-Ireland has immediate practical implications for a relatively specific subset of emails. Microsoft-Ireland applies to emails (a) that are recent (less than 180-days old), (b) that reside on a US company’s servers located outside the US, and (c) that do not exist in any form or part (backup or otherwise) on the company’s servers in the US. The Court does not address whether other factors were part of its analysis, including whether or not the US email provider could access the emails from the US and/or whether the provider had control over the emails.
The Court’s holding was based on fairly specific facts. None of the customer’s email content was on servers in the United States, which may not be true for the majority of email providers. If an electronic communications provider stored a backup, archive or temporary copy of all or part of a customer’s email account on a server in the United States, arguably a 2703(a) warrant would not be quashed under Microsoft-Ireland. The Court devoted a substantial portion of its opinion to analyzing and then rejecting the government’s argument, which was adopted by the District Court, that 2703(a) warrants were “hybrid” instruments that also carried subpoena power because service providers and not law enforcement execute 2703(a) warrants. Microsoft Corp., No. 14-2985 at 28. The Second Circuit rejected the argument based on the rules of statutory construction and the plain language of the SCA. Id. at 26, 28-29.
Further, in this case, the customer’s citizenship and physical location were not known. To promote efficient email services, Microsoft stores customer’s emails on servers in a country near the zip code provided by the user, which Microsoft – like many other email providers – does not verify for accuracy. If the government sought the content of emails located abroad for a user who was clearly a United States citizen, or who was provably located in the United States, the Court may have reached a different conclusion.
Practically speaking, any emails that are older than 180-days, or that are stored in some part or form on any US server would not be protected against US law enforcement’s reach via a 2703(a) warrant. The holding leaves open the possibility that law enforcement could use other investigative tools to obtain emails stored only on non-US servers. The government can still use a Mutual Lateral Assistance Treaty (MLAT) to obtain emails stored exclusively on non-US servers, although the process of requesting, obtaining and exchanging evidence between governments under an MLAT is a rather protracted process. (Bi-lateral mutual access agreements similar to those currently being negotiated by the US and UK governments may help in this process.) The government could also ostensibly use a subpoena with proper notice under the SCA to compel a US company to turn over a customer's emails stored exclusively on non-US servers if the emails were older than 180 days.
The Second Circuit by no means asserts that subpoenas will apply extraterritorially and the Court further implied that Fourth Amendment issues might arise. See Microsoft Corp., No. 14-2985 at 37 (stating that “the protections rightly accorded user content in the face of an SCA subpoena have yet to be delineated”); see also United States v. Warshak, 631 F.3d 266, 288 (6th Cir. 2010) (finding Fourth Amendment protects certain electronic communications based on users’ reasonable expectations of privacy). The Microsoft-Ireland decision may incentivize some entities or even countries to require data localization in their countries to avoid US law enforcement access.
HOW THE GOVERNMENT USES 2703(a) WARRANTS
Government entities routinely properly use the special type of warrant at issue, a 2703(a) warrant, to require electronic communications service providers (e.g., email providers) to disclose the contents of a customer’s electronic communications stored for 180 days or less. A 2703(a) warrant must also comply with ordinary search warrant procedures under Rule 41 of the Federal Rules of Criminal Procedure or state warrant procedures, in the case of a State investigation.
Thirty years ago, when Congress enacted the SCA, federal legislators were used to a “technological context very different from today’s Internet-saturated reality.” (Microsoft Corp., No. 14-2985 at 14). “[A] globally-connected Internet available to the general public for routine email and other uses was still years in the future.” See id.TheSecond Circuit felt strongly that instead of interpreting laws beyond their ordinary meaning that new law should be created to adapt to new realities. The concurring Microsoft-Ireland opinion explicitly calls for Congress to pass legislation designed to create a balanced, more appropriate option for protecting individual privacy interests and legitimate law enforcement needs. Several Congresses have considered bills to address this issue but none have reached agreement. Microsoft echoed the Second Circuit’s plea for new legislation in its public response on July 14, 2016, calling for new domestic laws and treaties.
SECOND CIRCUIT’S ANALYSIS CONFRONTS CONSTITUTIONAL SEARCH AND SEIZURE PRINCIPLES
In interpreting the SCA, the Second Circuit confronted longstanding Fourth Amendment principles that govern whether and how law enforcement can search in otherwise private physical spaces and seize otherwise private physical items – principles that were developed when people physically stored information in their homes. Today, however, current technology and network infrastructure facilitate the electronic storage of vast quantities of private information in distant locations. In this particular case, the Second Circuit had two unsatisfactory choices: (1) uphold the 2703(a) warrant, risking both dangerously diminishing important constitutional privacy protections and asserting US authority over data in other countries under a foreign government’s authority, or (2) invalidate the 2703(a) warrant, risking appreciably restricting the government’s ability to fulfill its duty to investigate crime.
The Court’s ruling erred on the side of protecting individuals’ privacy rights.
The Second Circuit’s conclusion turned on whether the SCA warrant provisions were intended to apply extraterritorially under the two-part test articulated in Morrison v. National Australian Bank Ltd.,561 US 247 (2010): (1) does the statute indicate a congressional intent to apply extraterritorially; and (2) whether the “territorial events or relationships” that are the “focus” of the relevant domestic contacts presented by the case nevertheless fall within the “focus” of the statutory provisions or are “the objects of the statute’s solicitude.”
The Court disposed of the first part with “relative ease,” in part because of the strong presumption against extraterritorial application of statutes. The Court then turned to the second part of the Morrison test and examined the SCA’s focus to determine if, as applied to the facts of the case, the statute would not be unlawfully extraterritorial. The Court held that the portions of the SCA under scrutiny were focused on protecting the privacy of the content of a user’s stored electronic communication based on the plain text and meaning of the SCA’s warrant provisions, the statute’s framework, procedural aspects, and legislative history. According to the Court, in enacting the SCA, Congress intended to “ensure that the protections traditionally afforded by the Fourth Amendment extended to the electronic forum.” See Microsoft Corp., No. 14-2985 at 38; see alsoH.R. Rep. No. 99-647, at 19.
The Court concluded that because the “invasion of the customer’s privacy takes place under the SCA where the customer’s protected content is accessed – here, where it is seized by Microsoft” in Ireland − the conduct that is the focus of the SCA would occur outside the United States, regardless of “the customer’s location and regardless of Microsoft’s home in the United States.” Because the statute concerned events occurring outside the United States, and because the SCA did not have extraterritorial application, the Second Circuit held that the execution of the Warrant would “constitute an unlawful extraterritorial application of the Act.” See Microsoft Corp., No. 14-2985 at 39.
SCOTUS CONFRONTED SIMILAR CHOICE INRILEY, ARRIVED AT SIMILAR RESULT
Like the Second Circuit in Microsoft-Ireland, the Supreme Court was faced with deciding between two unsatisfactory, similar choices in Riley v. California, 573 US ___ (2014), decided last year. The Supreme Court struck down a long-standing exception to the Fourth Amendment search warrant requirement that allowed law enforcement to search items found on an arrestee’s person without a warrant, such as an address book in the arrestee’s pocket, pictures in his or her wallet, and – until Riley – the entire contents of the arrestee’s smartphone. There, the Court was faced with either (1) upholding warrantless searches of arrestees’ smartphones, risking dangerously diminishing important constitutional privacy protections, or (2) striking down the search warrant exception, risking reducing law enforcement’s ability to fulfill its duty to investigate crimes.
In his concurrence in Riley, Justice Alito provided clear examples to emphasize the fact that neither option presented was satisfactory. However, he acknowledged that until a “workable alternative” is developed, the Court must “strikes this balance in favor of privacy interests” to protect individual privacy rights in the massive quantities of personal information we store on smartphones, even at the potential expense of law enforcement investigations.
COURTS SIDE WITH PRIVACY
Taken together, Riley and Microsoft-Irelandstand for the proposition that (a) technology has fundamentally altered how we must balance privacy interests against law enforcement interests; and (b) courts may increasingly choose to protect privacy until a balanced solution comes along, be it Congressional legislation or advances in technology.
INTERNATIONAL CLOUD STORAGE IMPLICATIONS
In the wake of the mid-2013 Edward Snowden leaks, European commercial customers pressured US cloud providers to explain how they prevent customer data against unlawful access by US intelligence agencies or other authorities. Several providers, including Microsoft, developed “European cloud” solutions. However, European competitors, citing the Bank of Nova Scotia line of cases, argued that data stored anywhere by a US cloud provider could potentially be obtained by US authorities. The fact that Microsoft received a search warrant for non-US email in the wake of the Snowden leaks gave rise, in part, to the company’s motion to quash. Microsoft, other US cloud providers and US privacy groups resoundingly applauded the Second Circuit ruling.