Yesterday evening, the government filed its petition for rehearing or rehearing en banc in the Microsoft Ireland case. Throughout the brief, the government warns of both the crippling effect on law enforcement investigations and the sowing of chaos among service providers. And while such parade of horrible claims should always be viewed with a skeptical eye, this time I am convinced. Or at least convinced that the Second Circuit opinion creates a bigger problem than I had previously acknowledged or understood.

As anyone who is reading this undoubtedly knows, the Second Circuit’s opinion limits the government’s warrant authority under the Stored Communications Act (SCA) to data that is held within the United States. If a US-based service provider stores communications content outside the United States, the US government can no longer compel the production of that data directly from the provider. It instead must seek the data from the country where it resides—making a diplomatic request through the time-consuming and often laborious the Mutual Legal Assistance (MLA) process.

I had long assumed that this would limit the government’s ability to access data from a company like Microsoft, which tends to house its users data in particular, identifiable data centers. It can readily distinguish between, say, US-held and Irish-held data. Hence, the lawsuit.

But I had thought that a company like Google or Yahoo! would be relatively unaffected. Unlike Microsoft, they store their users’ content in a constantly-changing mix of facilities, both domestic and foreign, and do not tend to conceive of their customer’s data as located in any one given place. Moreover, in Google’s case, it accesses and controls all such data from the United States. When faced with foreign government requests for content, Google has long treated its customers’ data as U.S-held and thus subject to U.S. law with respect to disclosure. I had assumed that the data would similarly be treated as U.S.-based for purposes of delimiting the US’s warrant authority.

But the government’s brief tells me that this assumption is incorrect. According to the government, companies like Google and Yahoo! now need to ascertain the location of sought-after data “at the moment the warrant is served.” If the content is stored abroad, it is now “beyond the reach of a Section 2703 warrant, even when the account owner resides in the United States and the crime under investigation is entirely domestic.” (p.6)

Moreover, in the case of Google, this data is also outside the reach of a MLA request “because only Google’s US-based employees can access customer email accounts, regardless of where they are stored.” (p.6) In other words, US law enforcement cannot access the data because it is outside the reach of the US warrant authority. And foreign governments cannot because they lack jurisdiction over the US-based employees that control the data. No law enforcement official can access it anywhere.

This is obviously a problem, and one that needs a fix. It significantly impedes law enforcement ability to get sought-after data pursuant to lawful process, even in the investigation of U.S. citizens and residents for a US-based crime. In some cases they may not get it at all. And it places an enormous burden on providers to ascertain what is US-based and what is not.

The government’s brief makes several other good points:

  • It reiterates Judge Lynch’s point that the case really isn’t about protecting privacy. After all, the US warrant, pursuant to probable cause, is a higher standard than that which applies in most other parts of the world. By requiring law enforcement to go through foreign channels, and obtain evidence according to foreign government’s substantive and procedural rules, this may actually lower privacy protections for some. Of course, if law enforcement is unable to access the data at all, then there is arguably a privacy gain. But in my view that is not the kind of privacy we should be advancing.
  • That said, I think the government’s goes too far when it says that a warrant is a “recognized and constitutionally-prescribed means of overcoming any privacy interest.” Or as the government also puts it, “the limit of privacy is reached where the warrant begins.” (p.13) Yes, a warrant provides a constitutionally-approved means for accessing sought-after data, but that does not eradicate the user’s privacy interest in that data or how it is ultimately used.
  • The government points out the problems with making law enforcement access to data turn on the independent decisions of third-party providers as to where to house or move their data.   I fully agree. As I have written elsewhere, there is something very disconcerting about the idea that a government’s ability to access our data turns on the decisions of third-party providers, about which most of us have no control or even knowledge.
  • The government  urges the court to refocus its statutory interpretation on the particular provisions of 18 USC § 2703 that are at issue, rather than the SCA as a whole. The government emphasizes that these provisions are all about the rules governing compelled disclosure, not privacy—a fair point.   That said, these are arguably two sides of the same coin.

I continue to think—along with Judge Lynch—that this is an issue that belongs in the hands of Congress, and not the courts. The government makes a number of very compelling arguments. Yet I continue to have concerns about the result of a governmental win: the government gets free rein to compel any US-based provider to disclose any user’s data, without any constraint based on things like the location or nationality of the target. This is a rule that will be watched, and likely mimicked, by others.

Consider the broader implications: The United States would (or at least should) be concerned if foreign governments unilaterally demanded the unilateral production of US citizens and residents data. And in fact current US law prohibits US-based providers from responding to those demands—requiring that the foreign governments instead employ the MLA process and ultimately obtain a US warrant based on the US standard of probable cause. Foreign government also have an interest in controlling access to their residents data. Those interests ought to be taken into account.

The government responds by noting that it is the “the executive branch of the federal Government—the branch primarily charged with conducting the nation’s foreign relations” (p. 20) making the request. Presumably, the executive branch will take into account these foreign government concerns. But the SCA also grants the authority to compel to state and local law enforcement officials. In other words, it won’t always be the executive branch making these decisions.

Congress should step in. It should fix the problems created by the Second Circuit ruling, but also set some limits. Specifically, it should clarify that the warrant authority covers all persons located in the United States and US citizens and legal permanent residents wherever located. This reflects the normative position that US law should govern residents, citizens, and legal permanent residents—all of whom have chosen to bind themselves in some way to the United States and are thus on notice as to the rules that apply.

That said, location and nationality won’t always be known.  In those cases, US law enforcement should not be out of luck, particularly when it has sufficient evidence to get a warrant based on probable cause.  The legislation also should grant the authority to compel when nationality and/or location is not reasonably knowable. And it should authorize compelled disclosure if there is no functioning government or applicable MLA treaty in place, or in the case of serious crime if the relevant government is either unable or unwilling to comply with the request in a timely manner. The bipartisan International Communications Privacy Act, co-sponsored by Senators Orrin Hatch (R-NV), Dean Heller (D-NV), and Chris Coons (D-DE), is a step in the right direction, albeit with some room for improvement.

Meanwhile, the litigation goes forward. I had previously written that I thought Microsoft had the better of the arguments.  I am no longer so sure.  What I can say with certainty is this: Congress should update the statute, and take the issue out of the binary world of the courts.