In July 2016, the Second Circuit ruled that the Government could not employ a domestic search warrant, issued pursuant to the Stored Communications Act, 18 U.S.C. § 2703 (the “SCA”), to compel disclosure of an email account that Microsoft stored on servers in Ireland. (See our coverage of that decision here.) Yesterday, a sharply divided Court denied the Government’s petition for rehearing en banc, leaving the decision intact. The decision will presumably be met with relief in the technology sector, some of whose major players submitted amici briefs in support of Microsoft’s position. But the four dissenters expressed concern that it hamstrings the Government in its pursuit of electronic evidence, jeopardizing national security. And all of the Judges agreed that the SCA – which was passed in 1986 – is due for congressional review in light of the dramatic changes in electronic data storage that have occurred over the past 30 years.
The Panel Opinion
The case originated when Magistrate Judge Francis of the U.S. District Court for the Southern District of New York issued a warrant to be served on Microsoft at the Government’s request. It required Microsoft to turn over all emails related to an email account that the Government believed was being used for criminal activity. As it turned out, however, most of the data associated with the account was stored on servers in Ireland. Microsoft moved to quash the warrant with respect to the data located outside the United States, but the district court denied that motion.
The Second Circuit, per Judge Carney, reversed the denial of the motion to quash. Judge Carney first found that the SCA, which provided the statutory authority for the warrant, did not apply extraterritorially. She then concluded that the execution of the Microsoft search warrant would be an impermissible extraterritorial application of the SCA.
In reaching the second conclusion, Judge Carney applied the test set forth in Morrison v. National Australian Bank Ltd., 561 U.S. 247 (2010), which requires courts to consider “the territorial events or relationships” that are the “focus” of a given statutory provision. Judge Carney determined that the “focus” of the SCA was on data privacy, and that it was thus an extraterritorial application of the statute to encroach on a user’s privacy by accessing data stored in Ireland.
Rehearing En Banc
- The Opinion Denying Rehearing
Because three Judges recused themselves from the case without explanation, only eight Judges participated in the rehearing en banc. Those eight split evenly, with the result that the petition was denied.
Judges Carney, Hall, and Chin, and Chief Judge Katzmann, all voted to deny the petition. Judge Carney wrote an opinion defending the panel’s initial decision, and addressing the concerns of some of her dissenting colleagues. She noted that the SCA spoke in terms of the place of “storage” of electronic communications, and that it afforded more or less stringent privacy protections to those communications depending on the circumstances under which they were stored. That, she explained, was the basis for the panel’s conclusion that the encroachment on privacy—and, accordingly, the application of the statute—occurred at the place where the data was actually stored, seized, and turned over.
She acknowledged that Microsoft employees could access the data from the United States, a fact that, according to the dissenters, precluded a finding that the execution of the Microsoft warrant was extraterritorial. But she said if the dissenters’ interpretation were correct, then the SCA would also permit a warrant for the records of an Irish citizen’s Irish bank account, in violation of Irish law, as long as the records were somehow accessible from a U.S. computer. She noted that such a result “hardly seems like a ‘domestic application’ of the SCA.”
While she recognized the dissenters’ concerns—that the panel interpretation could thwart American counter-terrorism efforts; that the “location” of data has no real connection to a user’s privacy interests in his email accounts in 2017; and that, in any event, determining the physical location of a privacy interest is an inherently awkward exercise—she ultimately dismissed them all as dictated by a statute she said was “overdue” for an update. She suggested that she would welcome an effort by Congress to align the warrant provisions of the SCA with today’s technological realities.
- The Dissents
Judges Jacobs, Cabranes, Raggi, and Droney dissented. Each filed his or her own dissent, in which the other three joined.
A common theme of the various dissents was that the panel decision threatened national security by restricting the Government’s ability to gather essential electronic evidence. Judge Cabranes complained that the panel decision provided a “blueprint” for criminals seeking to evade Government detection. He noted that in this case, the only reason that the suspect’s data was in Ireland was that he had indicated on a form that that was where he resided – so now, that is all a criminal—even one who resides in the United States—needs to do in order to make his emails warrant-proof. Judge Cabranes also pointed out that Google, Yahoo, and other major technology companies often “fragment” data so that it is not really in any one location until the user decides to access it. As a result, he worried that under the panel’s reasoning, the Government would not be able to gather important email data in any intelligible form even if it had the cooperation of other nations.
The dissents also questioned the panel’s conclusion that privacy was the focus of the SCA, and that it thus could not countenance encroachment on privacy outside the United States. They noted that many provisions of the statute were focused not on how data should be stored, but the circumstances under which it could be disclosed—suggesting that as long as the disclosure occurs in the United States, the statute is operating domestically. They also attacked the panel’s assumption that the user’s privacy is “located” where the server for his email account is, arguing that (1) privacy is not really “located” anywhere; but (2) if you must pick a location, it is probably where the user and his phone are, as opposed to where the data is stored.
The third major theme of the dissents was that the extraterritoriality rule could not be justified by reference to privacy because it did not meaningfully protect anyone’s privacy. They noted that warrants under the SCA must be supported by a finding of probable cause, and that this privacy protection is more substantial, and less arbitrary, than privacy protections that are dependent on the location of the user’s data server.
Analysis and Implications
This decision deals a blow to federal prosecutors, who, in most cases, will presumably not have any idea where a suspect’s data is stored until after they obtain a warrant for it. And once a prosecutor discovers that a sought-after account has its servers overseas, he won’t have a clear way of obtaining it absent cooperation from the foreign government. In some cases, this may be easy to obtain pursuant to a letter rogatory, directed to a country whose law enforcement works closely with the United States. But in other cases, this may be harder for the government to obtain. It may also be the case that the level of cooperation will turn on how foreign governments perceive the United States and its foreign policy. A nation that is known for steady leadership and multilateral and peaceful negotiations with other countries should get the most cooperation on sensitive subjects, such as law enforcement and data privacy.
It is ironic that electronic communications – whose prime virtue is that they are accessible and reproducible from anywhere – may be more difficult for prosecutors to obtain, after this decision, than some paper ones. Under the Court’s ruling, while a witness or subject of an investigation will be able to access their email files from within the United States, the government will not be able to do this using a warrant from a federal court. At the same time, the decision is likely to be celebrated by the many Americans who are uncomfortable with the idea of creating an electronic “paper trail” that could, in theory, become readily accessible to the Government.
One thing that is clear is that, although the Government may have reached the end of the road in the Second Circuit, we have not heard the end of these issues. An evenly split en banc polling decision is rare. Notably, Judge Lunch—who concurred in the original panel decision, but on different grounds—retired shortly before the en banc poll, so it is impossible to know whether his participation would have affected the outcome. Given the sharp divisions in the Second Circuit over this issue, it seems highly plausible that other Circuits may reach a different conclusion about extraterritorial application of the SCA, such that law enforcement capabilities may, for a time, vary among Circuits. In light of this possibility and the government’s apparent concern for public safety given the result in this appeal, the Government will almost certainly seek review in the Supreme Court; given the cautionary notes sounded by the dissenters, they may well get it.
The difficulty in determining the relevant “focus” of the SCA suggests that lower courts could benefit from Supreme Court guidance clarifying the Morrison standard. Even apart from the SCA and the issues raised here, the reach of Morrison should be of particular concern in the white-collar defense community given the government’s high level of interest in prosecuting people in other countries for violations of U.S. law, even when U.S. statutes specifically exempt such persons from the reach of U.S. law. See United States v. Hoskins, No. 16-1010 (2d Cir.) (pending appeal presenting the question of whether a defendant who is neither a U.S. person nor an employee of a domestic concern can nonetheless be prosecuted for violations of the Foreign Corrupt Practices Act under an “aiding-and-abetting” theory).
At the same time, Congress should revisit the hopelessly outdated SCA to match the realities of the digital age, which were unknown and perhaps unforeseeable in 1986 when the statute was enacted. The current SCA is not well-tailored to the current cloud-based internet landscape and creates uncertainty for defense lawyers and for the government. Also, while the public’s expectation of privacy is always changing, the SCA’s treatment of emails stored for 180 days of more (no search warrant is required) treats emails as less protected than written documents. Although skepticism about the legislative process is understandable given that it is easier to cast votes in favor of more government power (in order to avoid being labeled “soft on crime”), a revised SCA is probably the only way to fix the problem presented in the Microsoft case.