The Parties in U.S. v. Microsoft Are Misinterpreting the Stored Communications Act’s Warrant Authority

United States v. Microsoft comes to the court in stark terms. The case involves a search warrant demanding that Microsoft turn over stored emails from a server in Ireland. That is, the warrant was directed to a company in the United States but demanded emails stored outside the United States. The government argues that the warrant is domestic: Microsoft is here. Microsoft argues that the warrant is extraterritorial: the data is abroad.

The first problem with this framing is that the Supreme Court’s distinction between domestic and extraterritorial laws is an impediment to understanding. The terms are just empty labels for the conclusion that particular conduct either had or lacked the appropriate connections to the United States. Territoriality arguments may be well-intentioned, but they have the effect of shutting down reasoned analysis by drowning out attempts to determine what the relevant connections actually are. In Internet cases, people with ties to different jurisdictions affect each other in complicated ways: reducing a complex spectrum of cases to a single factor like the location of one party or the location of a server is a recipe for disaster. When I realized that the Supreme Court had granted certiorari in an electronic evidence case that turned on extraterritoriality, I buried my head in my hands.

There is also a conceptual problem lurking behind the rhetorical one. The case hinges on the Stored Communications Act (SCA), which generally bars the disclosure of stored electronic communications like the emails here, but allows government entities to require their disclosure with a search warrant. The parties generally agree in treating the SCA as creating a new warrant authority on more or less a blank slate; they disagree sharply on whether that authority is domestic or extraterritorial.

To see why this framing is misleading, it helps to look more closely at the structure of this supposedly new warrant authority. If the SCA did not exist, Microsoft would win because no other federal law authorizes the warrant the government used. Federal search warrants ordinarily issue under Rule 41 of the Federal Rules of Criminal Procedure (FRCrP), and the venue provisions in Rule 41(b) do not give magistrate judges authority to issue warrants for data stored outside their districts on the facts here.

The crucial phrase from the SCA as amended, which appears in 18 U.S.C. § 2703(a), is that the government may demand stored electronic communications,

only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a state court, issued using state warrant procedures) by a court of competent jurisdiction

According to the government, this phrase creates an entirely new warrant authority, one that may borrow some “procedures” from the FRCrP but overall more closely resembles subpoena practice in compelling parties subject to a court’s jurisdiction to retrieve evidence from outside the jurisdiction. According to Microsoft, the phrase creates a new warrant authority and borrows some “procedures” from the FRCrP, but overall adheres to traditional but uncodified limits on search warrants, including territoriality. Unsurprisingly, the government’s briefing has extensive discussion of the historic expansiveness of subpoenas, and Microsoft’s briefing has extensive discussion of historic limits on warrant authority. The debate over the best analogy to the SCA warrant authority is as open-ended and inconclusive as the debate over territoriality.

I think it is also unnecessary. The parties’ shared premise — that the SCA now displaces Rule 41 and creates an essentially independent warrant authority — strikes me as clearly wrong. The most notable feature of section 2703(a) is that it uses the FRCrP as a starting point for everything else it does. Indeed, until 2001, section 2703(a) allowed for required disclosure

only pursuant to a warrant issued under the Federal Rules of Criminal Procedure or equivalent State warrant.

This language was unambiguous: section 2703(a) channeled its disclosure procedures through the existing warrant procedures in the FRCrP, and Rule 41 in particular. It has changed only twice since then. In 2001, the USA PATRIOT Act did a global search-and-replace on section 2703, cutting the phrase “under the Federal Rules of Criminal Procedure” and pasting “using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation.”  Then in 2009, the Foreign Evidence Request Efficiency Act (FEREA) modified the relevant language in section 2703(a) to its current form.

FEREA also gave a new and more explicit definition for the phrase “court of competent jurisdiction” in 18 U.S.C. § 2711(3). It now includes a federal court with jurisdiction over the offense, over the provider, or over the location of storage, or any state court of general jurisdiction authorized by state law to issue search warrants.

Congress did not write on a blank slate to create a new kind of “warrant.” Acting as though it did is why Microsoft and the DOJ can give such radically different interpretations of what a “section 2703 warrant” entails. If all you have to go on is traditional warrant practice and Rule 41 is just an example of one kind of warrant, then the problem is open-ended, it is possible to see almost anything in the inkblot, and one is naturally tempted to lean on conclusory canons like the broad-brush presumption against extraterritoriality. But if one reads section 2703(a) as written — incorporating Rule 41 and state warrant procedures except insofar as it allows any “court of competent jurisdiction” to issue one — then one faces a more straightforward problem of statutory interpretation. Which portions of the FRCrP did the 2001 and 2009 amendments to the SCA displace when defining the scope of the 2703(a) warrant authority?

I don’t know the answer to that question and I do not propose to answer it here. But it seems to me to be a better question to ask. Starting from the FRCrP provides a way to avoid the extraterritoriality trap. Arguments about extraterritoriality have an all-or-nothing flavor: they tend to make one or a few localizing factors outcome-determinative. Reading the SCA as a calibrated adjustment to a field already primarily occupied by the FRCrP and state warrant procedures is a way of putting the necessary nuance back in.

The recently-introduced CLOUD Act gets this point right. It lists eight factors courts must consider when deciding whether to quash a demand for stored data that might set up a conflict between United States and foreign law, including the customer’s location and nationality, the provider’s ties to the United States, and the availability of alternative means. But it specifically rejects any distinction between data stored in the United States and data stored abroad. Whether you think the CLOUD Act’s framework is a good or bad one, or whether you think courts will appropriately balance the factors, this is a much better way of coming at the problem. It asks about the interests of everyone who matters — providers, customers, and governments — rather than about the metaphysical location of a metaphysical abstraction. Data doesn’t care whether it’s domestic or extraterritorial.

(Justin Sullivan/Getty Images)


About the Author(s)

James Grimmelmann

Professor of Law at Cornell Law School and Cornell Tech. Follow him on Twitter (@grimmelm).