In the lore of the Wild West, when an outlaw needed to escape the hangman’s noose, he made a run for the border, hoping to cross the border before the sheriff could catch him. Today, with the Wild West of the Internet, where the U.S. government chases people with tools significantly more sophisticated than a tin shield and a six-shooter, and a mouse replaces a horse when crossing borders, the issue of how and when the U.S. government can obtain information about a person engaged in commerce has become a real challenge. This is especially true when the government chooses to employ the warrant provisions of the Stored Communications Act (“SCA”), passed in 1985 before “e-mail” was a recognized word.
Into this milieu stepped the Second Circuit last week, ruling that the provisions in the SCA permitting the U.S. government to seek a warrant for stored electronic communications lack extraterritorial application, thereby quashing a search warrant that had been served on Microsoft to retrieve e-mails stored on a server in Ireland. The three-judge panel concluded that an SCA warrant had the same geographic limitations as other “warrants” and could not apply to electronic communications held outside of the United States. In so holding, the court lifted the civil contempt order hanging over Microsoft’s head.
The search warrant was rendered ineffective by the happenstance of Microsoft’s routine practice of moving a customer’s data to the data center closest to where the customer had self-identified his location; in this case, to a data center located in Ireland. The panel noted that the warrant would have been perfectly effective if the data had been stored at Microsoft’s Redmond headquarters. In addition, the court held that extraterritorial application would not have been an issue had the government sought the same information through an administrative subpoena (for data in storage for more than 180 days) – but that would have required prior notice to the targeted subscriber or customer (which is not permitted under the SCA warrant) and would have given Microsoft greater opportunity to contest the subpoena without facing the jeopardy of civil contempt. Instead, under this decision, if the U.S. government continues to seek the data by compulsion, it will have to rely on cooperation from the Irish government to obtain the information from Microsoft in Ireland.
The implications of this ruling for criminal investigations ranging from credit card fraud to drug dealing to terrorism, as noted by the panel, may be enormous. As pointed out by Judge Lynch in his dissent, if the target of the inquiry was, in fact, a citizen of Ireland or another non-U.S. country, permitting Ireland to apply its laws to determine whether to provide to U.S. law enforcement its citizen’s information would be cumbersome to U.S. law enforcement but not be out of the ordinary. The circumstances become less clear if the target of the inquiry was a U.S. citizen located in Ireland or located in the United States and claiming falsely to be located in Ireland or elsewhere overseas. Not before the court was the circumstance of a person intentionally seeking to avoid disclosure as a result of a warrant by seeking out and employing a data provider that ensures data storage in an overseas server. Further, what happens if the service provider colludes with the individual to ensure that data will be stored overseas, particularly if the service provider knows of a potential criminal purpose for doing so? Would that change the application of the SCA warrant or raise a risk to the service provider of charges of conspiring to obstruct justice?
As urged by Judge Lynch in his concurring opinion, law enforcement’s concerns probably can be addressed, in large part, by legislation amending the SCA, the current version of which predates the appearance of Facebook by almost 20 years.
Whether the rustlers and bandits of today can hide their data over the border will depend, in large part, on whether and how Congress chooses to act. Stay tuned.