Amidst all the talk about the so-called Magistrates’ Revolt (referring to a group of magistrates pushing back against the government’s broad electronic search requests), it’s worth taking note of a very different kind of ruling out of the Southern District of New York. The ruling, which is now being appealed, highlights how much is still unresolved in U.S. law when it comes to the search of electronic data, including such foundational questions as: Where does a search and seizure of electronic data take place? And is a “warrant” issued under the Stored Communications Act really a warrant?
Last December Magistrate Judge James Francis III issued a search warrant pursuant to the Stored Communications Act (SCA) ordering that Microsoft produce, among other things, all emails sent to and from a particular email account. This would ordinarily be non-controversial. But here the data being sought was stored in a data center in Dublin, Ireland, even though it could be accessed by Microsoft employees based in the United States.
Microsoft moved to quash, arguing that the federal courts have no jurisdiction to issue warrants with extraterritorial reach, and thus no authority to order the search and seizure of data stored in Ireland.
The government, not surprisingly, disagreed, asserting that Microsoft was obliged to produce everything in its control, regardless of where it was stored; and that, in any event, there was no extraterritorial search, since Microsoft – not the records – was the subject of the warrant. In what reads as a reprise of the government’s briefing, Magistrate Francis ruled against Microsoft, thus teeing up an interesting appeal.
Issue #1: Is a Warrant Under the SCA Really a Warrant?
To understand the dispute, it’s worth recalling for a moment how the Stored Communications Act works: The SCA provides three different procedural mechanisms for the government to compel consumer data from service providers such as Microsoft: administrative subpoena, court order, or warrant. If the government had proceeded by subpoena, it could have obtained at least some of the data stored overseas, based on long-standing doctrine requiring the production of all data controlled by the recipient of an administrative subpoena. But it could not have obtained all the information it sought – including stored address books, and, at least according to the Sixth Circuit, all emails. And it would have been required to inform the target of its search – something the government presumably did not want to do.
The government thus sought a warrant, which requires the government to surmount additional procedural hurdles and meet a higher standard of proof, but also enables it to gather emails and other data not obtainable pursuant to a subpoena (or court order). By proceeding by warrant, the government could also avoid disclosure to the customer.
This then set up the central issue in the case: Is an SCA warrant really a warrant?
Microsoft says yes; a warrant means warrant, and thus the territorial limits on warrant jurisdiction apply. But Judge Francis and the government say no; a “warrant” under the SCA is actually part-warrant and part-subpoena. According to this argument, the government must adhere to the procedural parts of the warrant requirement (issuance by a neutral magistrate based on a finding of probable cause), but not the substantive limitations. The government could thus compel production of anything within Microsoft’s control – irrespective of its physical location – much as it could have had it chosen the route of an administrative subpoena. Moreover, concluded Judge Francis, there is no extraterritoriality problem, because the warrant was directed at Microsoft, and Microsoft is within the territorial jurisdiction of the United States.
The argument has credibility. After all, the language of the statute, which effectively compels a third party to “disclose” information in its control, reads much like the language of an administrative or grand jury subpoena. And while the statute requires adherence to the “procedural” requirements of the rules of criminal procedure governing issuance of warrants, it says nothing about the substantive or jurisdictional limits. To top it off, the warrant directs action by Microsoft, and Microsoft – the immediate recipient of the warrant – is an entity located in the United States.
The problem, of course, is that the statute uses the term “warrant,” which is a legal term of art; as Microsoft points out, if Congress meant something other than a warrant, it should have said so. And even if the warrant directs action by Microsoft, the ultimate target of the order – the information that is being sought – is the data held outside the United States, and thus presumptively outside the jurisdictional reach of a traditional warrant.
Moreover, as both sides seem to agree, law enforcement agents could not have obtained a warrant to conduct the search themselves; such a warrant – at least if targeted at the particular data held in Ireland – would be invalid because of the territorial restrictions on warrant jurisdiction. If the government wanted to do the search directly, it would either need to work out an agreement with the host nation, and/or act unilaterally and thereby run the risk of being deemed to have violated Ireland’s sovereignty. The government thus seems to be using Microsoft to do something indirectly that it couldn’t do directly itself.
To be clear, I’m not suggesting that Microsoft will – or even necessarily should – prevail. (At this point, I’m simply not taking sides.) But I do think the issue is much less clear-cut than the government and court suggest.
Issue #2: Where does the search and seizure occur?
Apart from the statutory issue is a separate – and arguably more important – question about where the search and seizure of electronic data takes place. The case presents three different answers to this question: (i) Microsoft says it is the site of storage; (ii) the government suggests it is the site of access; and (iii) the court goes even further, stating that there is no search until the data is actually reviewed (although it does not offer a view as to whether there might be an antecedent seizure).
If we were talking about the physical world of tangible evidence and people, the answer would be clear: When government agents raid a home in Mexico, everyone agrees that a search takes place in Mexico, even if all of the documents are copied, the originals returned, and nothing is reviewed until they are transported back into the United States. Similarly, when the U.S. carries out a drone strike in Yemen, everyone agrees that the seizure occurred in Yemen, even if the drone was controlled by an operator sitting somewhere in Virginia. In other words, in the world of tangible evidence, Microsoft’s position would prevail: the locus of the search and seizure is coterminous with the location of the target itself.
So what is it, if anything, about electronic data that should be different? I can think of two possible answers, although I am sure there are more. One focuses on the speed with which electronic data can be moved; if electronic data can be transmitted from one data center to another with the click of a button, then the locus of the data at any particular moment seems somewhat irrelevant. The second draws on the argument made by Orin Kerr that the key moment of relevance is when the data is “exposed” – which would seem to focus not on the place of storage, but the place where the data is accessed and transmuted into a usable form.
Much rides on this answer – issues that I hope to explore in a later post. Suffice it to note for now that it affects much more than the SCA. The reach of the Fourth Amendment, the governing legal framework, and the ability of other nations to set and enforce their own rules for protecting the privacy of data stored in their jurisdiction, all turn to some extent on our understanding of where the search and seizure of electronic data takes place.
To sum up, this is a case well worth watching – one that raises, among other things, a number of critical, and unresolved, questions about governmental access to, and searches of, privately-held electronic data, and the role of sovereignty in a world of non-territorial data. The potential business implications are also big. If the government has its way, company executives like Randy Milch of Verizon will no longer be able to credibly assert that “the U.S. government cannot compel us to produce our customers’ data stored in data centers outside the U.S.” (Although note that this statement is already likely untrue with respect to information accessible by subpoena.) Overseas consumers may increasingly seek out non-U.S. based providers.