Even though Microsoft is a U.S. corporation subject to domestic subpoenas and warrants, prosecutors are not entitled to emails stored on its servers abroad, the Second Circuit ruled last week in Microsoft Corp. v. United States, 14-cv-2985. In a majority opinion by Judge Carney, the Court held that warrants under the Stored Communications Act (“SCA”) are limited to emails stored on domestic servers. Notably, in a concurring opinion, Judge Lynch urged Congress to reassess the SCA for the purpose of balancing privacy and foreign policy interests against contemporary law enforcement needs.
Statutory and Factual Background
Enacted as part of the Electronic Communications Privacy Act in 1986, long before the rise of webmail and cloud storage, the SCA was designed to “protect the privacy of the contents of files stored by service providers and of records held by service providers,” extending “protections analogous to those provided by the Fourth Amendment.” Decision at 14-15. Under Section 2703, the government may obtain basic subscriber and transactional information by administrative subpoena, and other types of non-content records (such as email addresses, dates and times) by court order upon a showing that the records are “relevant and material to an ongoing criminal investigation.” However, to obtain “priority stored communications” (the Second Circuit’s term covering content such as email bodies and subject lines), the government must obtain a warrant, except in certain circumstances where notice is provided to the subscriber or customer. Id. at 16-18.
In December 2013, upon a government application in a drug trafficking investigation, SDNY Magistrate Judge Francis issued an SCA warrant requiring Microsoft to disclose emails and other content from a customer’s MSN account. Microsoft produced the information located in the United States but moved to quash to the extent it sought “content information” stored on servers in Ireland. Microsoft argued that an SCA warrant, like other warrants, could not reach information located outside U.S. jurisdiction. Judge Francis denied the motion, finding that the SCA warrant is not a traditional warrant subject to territorial limits, but a “hybrid” between a warrant and a subpoena, which is “executed like a subpoena in that it … does not involve government agents entering the premises of the ISP to search its servers and seize the e-mail account in question.” Id. at 11. District Judge Preska affirmed the ruling.
On appeal, an array of nonparties filed amicus briefs in support of Microsoft, ranging from public interest groups (including the ACLU and Electronic Frontier Foundation) to major corporations (including Amazon and Verizon), the Republic of Ireland, and members of the European Parliament. The Second Circuit reversed, finding that an SCA warrant, like any warrant obtained under Rule 41 of the Federal Rules of Criminal Procedure, is limited to U.S. jurisdictions and cannot reach emails stored abroad.
The Court noted that because “Congress ordinarily legislates with respect to domestic, not foreign matters,” a statute is presumed “to apply only within the territorial jurisdiction of the United States,” unless a contrary intent clearly appears. This presumption, as articulated in Morrison v. National Australia Bank, 561 U.S. 247 (2010), protects against “unintended clashes between our laws and those of other nations which could result in international discord.” Id. at 21.
After determining that the SCA was not intended to apply extraterritorially (a point that the government conceded), the Court held that use of the warrant here was extraterritorial, and should have been quashed, because seizure occurs at the foreign location where the content is stored, not at the domestic location where Microsoft would deliver the content to the government. Id. at 39.
In a concurring opinion, Judge Lynch argued that the extraterritorial question is close because the presence of electronic documents on foreign servers “is, in important ways, merely virtual.” Concurrence at 13. Questioning the wisdom of applying a bright line test, Judge Lynch noted that perhaps it should matter if the email belonged to an American user committing a crime on American soil. Id. at 14-15. Without downplaying potential foreign policy concerns or endorsing a particular position, Judge Lynch urged Congress to reevaluate the SCA’s scheme in light of contemporary law enforcement needs. Id. at 16-20.
Certain implications are clear. At least in the Second Circuit, service providers may now deny the government access to customer emails stored abroad, which will force the government to notify the customer or work with the host country. Users of webmail applications, from individuals to large companies, may be impacted, and the case could affect customer and service provider decision-making about where to store emails.
But is unclear whether other circuits (or the Supreme Court) will adopt this analysis, and it is also not clear how long the status quo will hold. Changes are already in the works. A bill introduced in Congress (H.R. 5323) would allow warrants to reach emails in countries that do not have Mutual Legal Assistance Treaties with the United States. Meanwhile, the executive branch is negotiating bilateral agreements, subject to legislative approval, whereby the United States would grant access to emails of non-U.S. citizens stored domestically and would obtain reciprocal access from its contracting partner country. An agreement with the United Kingdom may be on the horizon. Although many technology companies have cheered the decision, it is far from the last word on the subject.