The Microsoft Design Decisions That Caused this Mess

I need not spend much space on the merits of United States v. Microsoft, the case about the extraterritoriality of email search warrants that the Supreme Court will decide this term, because Judge Lynch of the Second Circuit, in his concurring opinion in the court below, said almost everything I would have said.  This is a far closer case than Microsoft or its many supporters claim particularly because everybody who has ever litigated the Stored Communications Act (“SCA”) understands that its warrants operate more like subpoenas than traditional search warrants. This supports the government’s arguments, because lower courts have enforced subpoenas ordering companies to produce documents in their “possession, custody, or control,” even if they are stored in another country.

Then again, like Judge Lynch, I recognize that even if the Court treats these warrants like subpoenas, it still might rule against the United States. The rule the Court has stated in the past (which it is free to change or abandon in this case) would look for the “focus” of the SCA, an antiquated and notoriously complex statute. Indeed, the Court would have more success looking for the “focus” of a pile of mulch. There is a high likelihood that, under this focus analysis, the United States will lose, and if so, Congress will need to respond, to preserve the ability for law enforcement to access email in many important criminal investigations.

I want to make two points about the broader context of this case. First, it’s important to highlight the technical design choices that Microsoft made and could have avoided that led directly to this roiling international conflict. Second, Microsoft’s actions can be read as a sub rosa declaration of independence from the rule of law, a declaration that enlists all of us as its unwitting revolutionaries.

Microsoft caused this mess

Like many others who have commented, what I ultimately think about this specific case turns almost entirely on facts that the judiciary has thus far ignored: the nationality and residence of the email account holder. If this is a case about a suspected American drug dealer, operating inside the territorial boundaries of the United States, being investigated by U.S. authorities, using email provided by an American corporation, then the fact that the account owner clicked a check box when he created his account should not elevate this case to the level of international incident. On the other hand, if this case involves an Irish national, sitting in Ireland, who clicked that check box honestly, then this becomes much trickier and more important.

I understand why the Courts have not insisted on knowing the answer to the question of nationality. The procedural posture of this case—an appeal of a contempt ruling resulting after a denial of a motion to quash—means that the proceedings are tentative, shrouded in necessary secrecy, and without the participation of the person whose nationality and residence we want to know, and who, after all, hasn’t yet been accused of any crime, and may never be.

The Supreme Court or Congress might feel differently. Either one could craft a new rule insisting that in cases like this one, the parties would be obligated to share their best guess about the country where the owner of an email account is located, perhaps as part of a multi-factor balancing test that tries to account for international comity interests.

I hope this happens, because it will shine a necessary light on the fact that Microsoft intentionally designed its service in a way that lets users decide where to store their records and led directly to this mess.

In tech law and policy debates, we tend too often to treat the current state of technology as fixed, static, and not up for debate by the polity. It is just the product of an intimate and secret conversation between corporations and the invisible hand — pillow talk for the Chicago School set. This attitude reflects in part, the hard work of libertarians who consistently browbeat the rest of us with the idea that we need to think of technology is “given unto” rather than “created by” ordinary human beings.

Microsoft could have taken some very small steps when it set up its first datacenter outside the United States that could have told us with much greater certainty the location of the target in this case. If it had, the company could have averted what is properly understood as a manufactured crisis of international relations. Most importantly, rather than letting users choose the datacenters in which to store their email messages, Microsoft could have answered that question by making an educated guess based on the user’s IP address, language settings, and measured network latency. After all, the company keeps trumpeting loudly that its only goal here was to decrease network latency. If that’s true, then why didn’t the company choose to place each user in the data center with the least network latency?

By not making this simple architectural choice, Microsoft made this case much more difficult than it could have been, even if that wasn’t its intent. If Microsoft had designed to make it difficult to sit in one part of the globe while storing communications in another, then a legal rule for access to email could have been crafted that would better balance the need to investigate crime with respect for user rights and international relations. Under such a rule, first, FBI agents would use a subpoena to learn from Microsoft the datacenter being used to store a particular account. If this returned an answer that the data were inside the United States, it would suggest a search warrant. If it returned an answer that the data were in Europe, a mutual legal assistance treaty (MLAT) request would be in order.

Declaring independence from Microsoft’s declaration of independence

There is another theme at work here. Today’s corporate globalists aren’t like yesterday’s. Oil barons and railroad tycoons trafficked in atoms rather than bits and, as a result, were forced to pay attention to national borders and local rules. This isn’t to say that they always respected those rules, but at least they had to attend to them. Uber—for all its fundamentally corrupt practices—seems more like the giants of iron in this respect, struggling with, and trampling, local rules wherever it expands. In contrast, Microsoft (and Facebook and Google) flout local rule and the rule of law in a much subtler but equally destructive fashion: they act as if the global telecommunications network means that the borders of the world simply don’t apply to them, and they design their services in ways that thwart local oversight and transparency. We know and can oppose what Uber is trying to do; it’s harder to understand what the purveyors of bits are doing. If we don’t start second-guessing the technological design choices of companies like Microsoft, as I have tried to do in this blog post, they just might get away with effacing the borderlines from our maps.

I think it’s also useful to think about Microsoft’s actions in this case in a different, even more pernicious light. Microsoft’s entire course of conduct—from setting up its remote datacenters in a way that permits users to select where to place their data to suing the federal government for seeking a warrant to investigate a drug crime—could be cast as a gambit that isn’t about respecting the rules of Ireland or the United States or the rights of the Irish or the Americans. It is perhaps part of a much more cynical and pernicious move to declare independence from the “weary giants of flesh and steel,” echoing the giant John Perry Barlow, who passed away the day I wrote these words. But the difference between Barlow and Microsoft is the person with the pen. Barlow wrote genuinely about a user’s revolution against terrestrial states. That’s a far different thing than being dragged into revolution by benevolent corporate governors. This seems more East India Company than Thomas Paine. Revolutions should not be declared by corporations, they should reflect the will of the people, in this case, the users. I am a user, just like all of you, and I don’t remember signing up for Microsoft’s revolution. I live in a (mostly) functioning democracy; I elect representatives and pay taxes in part to ensure that my wishes are reflected in my society. For me, one thing I need to safeguard is a law enforcement agency with the power to investigate crimes and protect the rule of law. Microsoft lives here too, and it could redesign its services to avoid thwarting local rule and inflaming international conflict. Maybe Congress should force it to do so. But we users, we citizens, should not misunderstand who is to blame for this mess.

(David Ramos/Getty Images)


About the Author(s)

Paul Ohm

Professor of Law at Georgetown University Law Center, Follow him on Twitter (@paulohm).