The Second Circuit’s recent decision in Microsoft Corporation v. United States, No. 14-2985 (2d Cir. July 14, 2016), is a game changer in more ways than one. In direct terms, it held that the government may not, as it has in the past, use a search warrant obtained under the Stored Communications Act, 18 U.S.C. §§ 2701 et seq. (“SCA”), to compel a provider of remote computing services (such as an internet service provider, or “ISP”) to collect and produce emails of its customers that are stored in a computer server located in a foreign country. That holding, if adopted more broadly, could inadvertently free the government to use less burdensome methods to obtain such records. Or, as most expect, it could do the opposite, requiring the government to use a cumbersome treaty process to obtain the records, or in some cases, preventing it from getting the records at all. That result in turn could lead many internet companies offering cloud computing services to move their digital operations offshore. And it may even lead the government to join the many digital privacy advocates seeking an overhaul of decades-old legislation that still governs the government’s policing of online communications.
The SCA is part of the Electronic Communications Privacy Act of 1986 (ECPA), which Congress enacted to extend restrictions on wiretaps of phone calls to cover computer-generated electronic communications, such as emails. While it remains unclear whether the Fourth Amendment applies directly to protect from government searches emails and other communications transmitted through third parties such as internet service providers, the SCA was designed to provide similar protections. Under the SCA, the government can obtain certain “non-content” information (such as the identity of an email account subscriber) via a subpoena, which does not require evidence of a crime or the approval of a judge. However, in order to obtain “content” information (such as emails) that has been in the account for 180 days or less, the government must obtain a search warrant through the usual warrant process, which requires that a judge find probable cause to believe a crime has occurred and that evidence of the crime will be found in the emails.
Typically, when the government obtains an SCA warrant for emails, it serves that warrant on the ISP that hosts them. The warrant serves as a court order directing the ISP to collect certain emails and provide them to the government, which then reviews them for potential evidence. Historically, most SCA warrants were served on U.S.-based ISPs that hosted emails on servers in the United States; when the ISP received the warrant, it retrieved copies of the emails from the server and gave them to the investigating agency. But as the internet and ISPs evolved, and as remote cloud-based computing services became more prevalent, this process and the digital architecture underlying it became more global. Today, ISPs and their servers are often located in various countries, and they host emails or other electric communications in multiple locations for customers around the world. An SCA warrant for emails, even if served on a U.S.-based ISP, may thus require the ISP to retrieve communications stored on a computer abroad.
That is exactly what happened in the Microsoft case. The FBI, conducting a narcotics investigation, served an SCA warrant on Microsoft seeking emails and other information for an account that used its cloud-based Outlook.com service. As it turned out, while basic subscriber information for the account was stored in a U.S.-based server (and was turned over to the government), the emails themselves were stored on a server located in Ireland. In order to comply with the warrant, Microsoft would have had to transfer the emails from that Irish server to its own computers in the United States, and then forward the information to the government.
Instead, Microsoft objected to the warrant, arguing that the SCA did not allow for extraterritorial application, which – in its view – included compelling Microsoft to retrieve emails stored abroad. A federal magistrate judge for the Southern District of New York, who had issued the warrant, disagreed, finding that the SCA warrant process was comparable to an ordinary subpoena to a company for its documents. Outside the ISP/email context, courts have long permitted the government to issue subpoenas compelling companies to produce documents stored abroad. The magistrate judge, and a federal district court judge on review, viewed the SCA warrant process as comparable, and the extraterritorial effect of the email warrant as no bar.
The Second Circuit disagreed. It first noted the general presumption, recently reiterated by the Supreme Court in RJR Nabisco, Inc. v. European Cmty., that legislation is “meant to apply only within the territorial jurisdiction of the United States,” absent a clear indication to the contrary. It then found that, as the government conceded, nothing in the warrant provisions of the SCA suggested it could be applied extraterritorially. It also noted the SCA’s adoption of the traditional search warrant process governed by Federal Rule of Criminal Procedure 41, which historically has been limited to U.S. territorial application, and disagreed with the district court’s view that SCA email warrants are more akin to subpoenas that allowed for compelled retrieval of foreign records. Thus, the Second Circuit found, the presumption against extraterritoriality controlled.
That still left a perplexing question: Was the government actually asking for extraterritorial application of the warrant? After all, while the emails were located abroad, Microsoft itself was not. And under the warrant process, the emails would be turned over to the government within the United States, such that there was arguably no “search” outside U.S. borders in the traditional, constitutional sense.
The Second Circuit sided with Microsoft on that question as well. It found that in order to determine whether a requested application of a statute was extraterritorial, it had to identify the “territorial events or relationships” that were the “focus” of the statute; if the focus was on something happening outside the United States, the application was extraterritorial and barred under the standard presumption. Ultimately, the Second Circuit found that the SCA had been designed to address privacy in communications and it was those communications – in this case, emails – that were the focus of the statute. Thus, it was the location of the emails and their collection by Microsoft rather than the location of Microsoft and the handover of those emails to the government that mattered. And because the emails were located abroad, a warrant requiring Microsoft to retrieve them would be applied extraterritorially, which was not permitted.
In a separate concurring opinion, Judge Gerard Lynch observed that the case did not raise genuine questions of privacy and protection from unduly intrusive government searches, as the government had obtained a search warrant. Rather, he said, the case was about “the international reach of American law.” “The sole issue involved,” he found, “is whether Microsoft can thwart the government’s otherwise justified demand for the emails by the simple expedient of choosing – in its own discretion – to store them on a server in another country.” Thus, he pointed out, “the privacy of Microsoft customers’ emails is dependent not on the traditional constitutional safeguard of private communications – judicial oversight of the government’s conduct of criminal investigations – but rather on the business decisions of a private corporation.” While ultimately agreeing that the compulsion via warrant of emails stored abroad was an impermissible extraterritorial application of the SCA, he found the question a close one, and encouraged Congress to amend the statute to account for the globalization of data storage that had not been foreseen when the SCA was enacted.
The government may well appeal Microsoft to the Supreme Court. But in the meantime, what does Microsoft mean for ISPs, other providers of cloud computing and their customers? From a legal standpoint, even within the Second Circuit, the answer isn’t entirely clear. Microsoft openly presumed that if SCA warrants were barred, the government’s only means of obtaining emails stored abroad would be through a request under a mutual legal assistance treaty (MLAT) with the relevant country, assuming one existed (as indeed it does in Ireland’s case). But that may not be so. As cyberlaw scholar Orin Kerr has pointed out, it is the SCA itself that imposed the warrant requirement for electronic communications [see 18 U.S.C. § 2703(a)]; without it, the government could theoretically just issue a subpoena to Microsoft for the emails, wherever they are stored. Although the Sixth Circuit in United States v. Warshak, 631 F.3d 266 (6th Cir. 2010) held that the Fourth Amendment prohibits warrantless searches for emails, no other circuit court has followed suit, and under the “third-party doctrine” long recognized by the Supreme Court, it is not clear that email account holders who give ISPs or other cloud providers control over their emails have a reasonable expectation of privacy in those communications. See Smith v. Maryland, 442 U.S. 735 (1979); United States v. Miller, 425 U.S. 435 (1976). Thus, in holding the SCA inapplicable, the Microsoft court may ironically have weakened privacy protections for offshore email accounts. Whether the government and the courts will take that view remains to be seen; as described below, the government’s response so far suggests that it is not so confident.
Moreover, it is not certain how the Microsoft holding would be applied to cases with slightly different facts. As Judge Lynch pointed out in his concurrence, the record in Microsoft did not make clear whether the email account holder involved was a U.S. citizen or resident. If so, Judge Lynch suggested, the argument for using the SCA to obtain his or her foreign-stored emails could be stronger. In addition, some cloud services now work by splitting parts of an electronic file – such as an email – among multiple servers. If part of an email were stored in a U.S. server and part in a server abroad, would an SCA warrant compelling production of the email be extraterritorial? The government, or a court, may think not.
But what if Microsoft is right and Microsoft means that the government must use an MLAT to get emails from foreign servers? For one thing, not all countries have signed an MLAT with the United States. And even some of those countries that have may not always be keen to assist the U.S. government in its investigations. (Russia comes to mind.) Even in the best of circumstances, the MLAT process can be slow and tedious, and countries that receive requests may not be willing to provide all the materials the U.S. government could obtain through an ordinary domestic warrant, or to devote the resources needed to ensure compliance with a dense, technical request for specific electronic records. Requiring the U.S. government to go through its foreign sovereign counterparts could thus slow or even derail an investigation.
In that circumstance, cloud service providers and their customers that seek privacy and protection from government scrutiny would have a clear incentive: make sure emails are stored in servers abroad, particularly in a country that has not signed an MLAT with the United States or is otherwise uncooperative with U.S. law enforcement. Even with a showing of probable cause and a court order, the government in that case could be prevented from obtaining and reviewing the emails. That could have profound impact on law enforcement activities and on the development of the global communications architecture.
Whether or not one sees it as a welcome development, Microsoft highlights the practical uncertainty that can result from application of a 30-year-old statute to technology that is evolving at blinding speed. Unsurprisingly, the U.S. Department of Justice has responded by submitting to Congress proposed legislation that would allow the United States to enter into reciprocal agreements with other countries to facilitate the government’s ability to obtain electronic data stored abroad, including through amendments to the SCA and other statutes governing collection of electronic evidence. The Obama administration, meanwhile, is negotiating with foreign governments to develop such reciprocal agreements and enable expedited procedures that allow electronic evidence to be collected and shared across borders more quickly than through the usual MLAT process.
Whether Microsoft ultimately leads to a battle on one side of Capitol Hill (Congress) or the other (the Supreme Court), Judge Lynch’s call for clarity may yet be answered.