In a decision that may affect how US technology companies, and in particular data storage or "cloud" providers, do business with customers outside the United States, a federal district judge in New York has affirmed a decision that ordered Microsoft Corporation to produce, in response to a search warrant issued at the behest of US authorities, the contents of one of its customer's e-mail accounts stored on a Microsoft server in Ireland.
The initial order requiring disclosure
In late 2013, US government authorities secured a search warrant pursuant to the US Stored Communications Act (SCA) for information located in the e-mail account of a Microsoft customer, and thereafter served the warrant upon Microsoft in the United States. Once Microsoft determined that the target account was hosted, and its content information stored, on a server in Dublin, Ireland, it moved to quash the warrant insofar as it sought information stored outside the US. Microsoft maintained that, just as US courts lack authority to issue warrants for search and seizure of physical property located outside the US, they similarly cannot issue a warrant requiring seizure of electronic information stored outside the United States.
The same magistrate judge that approved the warrant also rejected Microsoft's argument (see In re Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp., __ F. Supp. 2d. __, 2014 WL 1661004 (S.D.N.Y. 25 April 2014)). In so holding, the magistrate judge in effect combined (Microsoft might say improperly conflated) the requirements surrounding the issuance and effect of a search warrant with those relevant to a subpoena. It is a shibboleth that a search warrant, issued by a court to US authorities upon a showing of probable cause, empowers those authorities to search for and seize evidence located within the United States. A US search warrant, however, does not have extraterritorial application—meaning that US law enforcement agents can lawfully search and seize evidence located in Dublin, Ohio, but may not do so in Dublin, Ireland. It is equally well-established that a subpoena requires its recipient to produce responsive materials, regardless of where those materials are located, as long as the information is within the recipient's "possession, custody or control."
In the magistrate judge's view, unlike a conventional search warrant that is subject to territorial restrictions, an SCA warrant is a "hybrid"—part search warrant subject to criminal procedure requirements, and part subpoena that is served on the provider itself and hence "does not involve government agents entering the premises of the ISP to search its servers and seize the e-mail account in question." In re Warrant, 2014 1661004 at *5. This unique hybrid structure does not implicate the prohibition against extraterritorial application of warrants, since it has "long been the law that a subpoena requires the recipient to produce information in its possession, custody, or control regardless of the location of that information." Id. Per the court, this holding is consistent with the view that a "search" of digital information occurs only when data is exposed to "human observation," not when it is processed by a computer. Id. at *6. Thus, in the magistrate judge's view, no search would take place in this case until the information is reviewed by authorities in the US, thereby ameliorating any concerns about an extraterritorial search.
Arguments on appeal—Microsoft vs. the United States
Microsoft appealed the magistrate judge's ruling to the federal district court. (In the federal courts, magistrate judges generally handle preliminary matters in criminal and civil cases, and appeals of their rulings are often first brought to a federal district court judge.) The key disagreement between Microsoft and the government centered on whether the e-mails at issue constituted Microsoft's own records within its possession, custody or control, which records are generally subject to production. Microsoft did not contest that it had the ability to access the subject e-mails from the United States. But, per Microsoft, the content of the e-mails were not company records, but were the private information of its customer and thus entitled to heightened constitutional protection. Therefore, since the government sought the actual content of these e-mails, a search warrant was required. Microsoft analogized to a situation in which the government could subpoena a courier service to disclose records of where it shipped a customer's package, "but any government-directed exploration of a package’s contents would be a search because it would invade the reasonable expectation that sealed contents will remain private." Microsoft's Reply in Support of Objections (Docket No. 70), at 4. Accordingly, because (i) a search warrant was necessary, (ii) the e-mail content was stored in Ireland, and (iii) the SCA does not expressly authorize US courts to issue warrants for extraterritorial seizures of e-mail content, the government's proper avenue is to seek assistance from Ireland via a Mutual Legal Assistance Treaty (MLAT) or other form of mutual cooperation.
The US government characterized Microsoft's position as an attempt to avoid producing Microsoft's own records just because it chose to store them outside the United States. The government fully embraced the concept of the SCA warrant-subpoena "hybrid" which is issued only after a showing of probable cause (like a search warrant) but then is served on the company in possession or control of the information (like a subpoena) without any need for agents to physically seize the target e-mail account. In the government's view, no extraterritoriality issue is implicated here because the SCA is being applied solely to a US company within US territory. Per the government, "[a]n SCA warrant does not criminalize or regulate any conduct in a foreign country; it merely compels the provider receiving the warrant to disclose responsive records within its control to law enforcement agents located in the United States." Government's Opposition to Microsoft's Objections (Docket No. 60), at 18. The government also cautioned that allowing companies to avoid search warrants when they have chosen to move records overseas can stymie effective law enforcement because the MLAT process, in the government's view, is time consuming, dependent upon the cooperation and available resources of other nations, and in any event MLATs or equivalent measures are not in place with all jurisdictions.
Potential implications and next steps
In allowing the magistrate judge's ruling to stand, the federal district court may have inadvertently heightened tensions between the US government and privacy advocates, and raised even more challenges for US service providers as they seek to negotiate a path between compliance with US law and the privacy demands of both their customers and authorities outside the US, particularly in Europe. It has been reported, for example, that German officials previously cautioned Microsoft that their government would not utilize data storage services of US-based companies if the search warrant ruling is not overturned.
Coming as it does on the heels of various allegations about the US government's treatment of non-US data, the ruling (issued orally at a 31 July 2014 hearing) may fuel the perception, particularly in Europe, that US authorities are free to cast a wide, even trans-Atlantic, net for data whenever they wish. That perception, however, does not take into account the substantial legal and procedural safeguards that US authorities need to meet before being issued a search warrant. For example, in this case the government was conducting a criminal investigation and made a showing to the court that there was probable cause to believe that the e-mails might provide evidence of a crime. Nor does this criminal matter address the fact that, as certain US courts have found in the civil context, third party service providers cannot be compelled under the SCA to disclose the content of their customer's e-mails pursuant to a civil discovery subpoena.
Nevertheless, if the ruling stands, it may embolden other nations to seek similar data of US customers, either directly from US companies or from the local affiliates of US-based companies. This may increasingly present US providers and their affiliates with a Hobson's choice: either comply with foreign data demands at the risk of violating the SCA or related provisions that limit disclosure of e-mail content to US authorities, or else risk violating the disclosure orders of authorities outside the United States. That this type of quandary has often plagued non-US companies dealing with, for example, discovery demands emanating from US courts, will likely be of little comfort to Microsoft and other US-based providers.
The long-term, or even short-term, impact of the decision is uncertain. The district court's ruling is not binding on any other court, and the district court has stayed its ruling to enable Microsoft to appeal. In a statement issued shortly after the hearing, Microsoft stated that "[t]he only issue that was certain this morning was that the District Court’s decision would not represent the final step in this process," and vowed to appeal promptly "to advocate that people’s email deserves strong privacy protection in the U.S. and around the world." Thus, the final word is not in, and it may be that the ultimate resolution will involve the deliberation and cooperation of not only the courts, but of industry, legislature and regulators, both in the US and elsewhere.