Show sidebar

Microsoft Case: The Government Responds, But Fails to Convince

The government has now filed its Second Circuit brief in the dispute with Microsoft (discussed here, here, and here), challenging key assertions by Microsoft and its many amici, and making a strong argument that a warrant issued under the Stored Communications Act (SCA) requires Microsoft to turn over emails in its custody and control, regardless of whether they are being held (in this case in Dublin).

After reading the government’s brief, I am increasingly convinced that nothing in the text, structure, purpose, or legislative history provides a definitive answer to the central issue in the case (a point that the government implicitly concedes), and that, as a result, the dispute really is a policy one. Should, or should not, the government be authorized to compel Microsoft and other ISPs to produce emails of other private communications located in a foreign nation? What are the ramifications of such an answer on the United States’ ability to protect private communications — including that of its citizens — stored within its borders? And what are the implications for the government’s ability (or lack thereof) to access sought-after evidence overseas?

These are questions that are best answered by legislators, not the courts. While Microsoft and the government make strong policy arguments, neither sides’ arguments are so overwhelmingly convincing as to yield an obvious answer. It is now the job of policy-makers, not the courts, to sort out the multiple and competing equities, including the longer-term privacy, diplomatic, and economic considerations, posed by the central dispute in the case. In the interim, the absence of textual clarity, coupled with the presumption against extraterritorial application and the canon of statutory construction that favors compliance with international law, means that Microsoft wins. At least for now. And ideally, with a strong exhortation from the court for Congress and the executive to step up to the plate.

The Government’s Key Arguments

The government makes multiple arguments in support of its claim that it can, pursuant to a warrant issued under the SCA, compel Microsoft to disclose its customers’ emails, regardless of where the data is located. The following highlights some of their key claims (not in the order in which they are addressed in the government’s brief).

First, the government seems to confirm that a textual analysis does not resolve the case. Specifically, the government argues in the negative, asserting that “[n]othing in the SCA’s text, structure, or purpose, or legislative history indicates that compelled production of records is limited to those stored domestically.” But, neither does the text, structure, purpose or legislative history of SCA establish the opposite — that the compelled production of emails covers those stored extraterritorially. After all, at the time of SCA’s enactment in 1986, the Internet was in its infancy. Few, if any, could have imagined a world in which emails regularly transited territorial lines, personal data is regularly stored in the cloud, and US-based ISPs operate data centers all around the globe. The issue raised by the Microsoft case simply wasn’t on the mind of the drafters — nor addressed by any subsequent amendment. As already stated, the court therefore needs to turn elsewhere to decide the case.

Second, and despite the implicit concession above, the government relies on the text of the statute— authorizing government officials to “require the disclosure” of certain information by a service provider— to push its argument that SCA warrants operate as a form of compelled disclosure, and are therefore more like subpoenas than warrants. According to the government, the SCA’s use of the term “warrant” refers to the way they are applied for and issued (by a magistrate based on a finding of probable cause), but does not incorporate any of the warrant authority’s geographic limitations.

Microsoft, in its brief, however, makes an equally persuasive claim that the use of the word “warrant” means what it says — and incorporates the full set of requirements and limitations that apply to warrant jurisdiction, including the territorial-based limitations on warrant jurisdiction.

Third, the government challenges the Microsoft’s contention (which I had found quite convincing) that, while the government can compel by subpoena the production of a company’s own records, regardless of where they are located, it does not have the authority to compel the disclosure of a customer’s property retained by the company and held outside the United States. Relying primarily on three 1960s and 1970s Second Circuit cases, the government says this distinction between a company’s own records and that of its customers is wrong; in one of the cases the government relies on a subpoena to compel production of documents stored in a safe deposit box (albeit a safe deposit box that was located within the United States). But while these cases undercut Microsoft’s argument, they also need to be put in context. They were decided before the rise of the Internet and the development of the cloud. We now live in a world in which most of us trust just about all of our private communications and other documents to third parties for transit or storage. The implication that all such data could be obtained by administrative subpoena as the government suggests — is troubling, to say the least.

Fourth, the government turns to the presumption against extraterritorial application of statutory law. Contrary to the government’s claim, however the presumption clearly cuts in Microsoft’s favor; the key question is whether the facts even trigger the application of the presumption. Is this a territorial action, because it is directed to Microsoft; or is it an extraterritorial action, because it compels the production of data located outside the United States? By analogy to data’s more tangible analogs, it seems increasingly clear that this ought to be understand as an extraterritorial action based on the location of the data being collected, and thus the presumption applies.

Fifth, the government argues that Microsoft’s concerns about international comity — and the risks of violating Irish law — are more rhetorical than real. On this point, and as applied to this particular case, the government is correct. But what the government fails to acknowledge is the potential for much more significant conflict of laws if it wins — and ISPs can unilaterally compel the production of data wherever located, without consideration of the data protection laws in the jurisdiction where data is stored. (It does, however, concede that in certain cases, an extreme and direct conflict of laws might justify the quashing of a warrant.)

More importantly, the government fails to acknowledge that even if there is not a direct conflict of laws, its approach violates the long-standing presumption against unilateral law enforcement actions in another state’s territory. Of particular concern, it opens the door for other nations compelling ISPs to turn over data located in the United States, including that of US citizens, possibly for nefarious purposes, and without regard to the dictates of the SCA. As the government notes, the UK has already passed such legislation and others will undoubtedly follow suit.

Sixth, the government turns to the policy reasons in its favor (the issues that I ultimately think matter most). Here, the government makes a number of compelling arguments. Why should the government’s ability to access data depend on where it is located at any given moment? What if the data is constantly moving and the government doesn’t even know where to make the request? And what is to prevent individuals from evading US process by seeking out data storage centers in the many nations that have failed to enact a Mutual Legal Assistance Treaty (MLAT) with the United States or are otherwise unwilling to cooperate with US law enforcement? The government also notes that even when an MLAT system is in place, there is often a long time lag between the date of initial request and the date when the information is eventually turned over.

All of these concerns point to the need to re-think the way law enforcement accesses data, particularly given its highly mobile and transitory nature. One possible approach is the development of new multi-lateral agreements that explicitly permit law enforcement agents to unilaterally compel ISPs to turn over data located in the signatories’ jurisdiction, without resort to the more formal and laborious MLAT system. Another option would retain the territorial limits on the the courts’ warrant authority, but permit such limitations to be bypassed based on a joint Attorney General and Secretary of State certification. This has the advantage of shifting the decision-making from the 500-plus magistrates and hundreds-more state court judges authorized to issue SCA warrants around the country and ensuring executive-branch consideration of the broader diplomatic and economic considerations. Yet another possibility is that proposed by Senators Orrin Hatch (R-Utah), Chris Coons (D-Del.), and Dean Heller (R-Nev.), which would authorize the issuance of warrants with extraterritorial reach, but only when the target is a US person, defined as a US citizen or legal permanent resident. The so-called LEADS Act has the advantage of allowing law enforcement to compel the extraterritorial production of US person data, while also respecting the sovereign interests of other nations’ in controlling access to their own citizens’ data located within their territory.

This leads me back the point I started with: these decisions should be made by the legislators, not the courts. In the interim, the presumption against extraterritoriality coupled with the non-trivial concerns about compliance with international law, means a victory for Microsoft. But that should not be the end of the matter. Congress and the executive branch need to engage — now.

Tags: , , ,


About the Author

is a professor at American University Washington College of Law. You can follow her on Twitter (@jendaskal).