United States: United States V. Microsoft: 'Global Chaos,' Outdated Legislation And A Judge's Plea To Congress

Last Updated: October 14 2015
Article by Craig A. Newman

The Second Circuit's challenge in considering the validity of a U.S. Stored Communications Act warrant to Microsoft for e-mails located on servers in Ireland involves interpreting the SCA, which was enacted nearly three decades ago, long before today's Internet, cloud storage and huge amounts of data stored around the world, the author writes.

United States v. Microsoft: 'Global Chaos,' Outdated Legislation And a Judge's Plea to Congress

When the U.S. Court of Appeals for the Second Circuit heard oral argument in September in a case concerning Microsoft Corp.'s refusal to comply with a government search warrant and handover the contents of customer e-mails stored on a server in Ireland, Judge Gerald E. Lynch ended the almost 90- minute argument with an unusual plea: ''I do think the one thing that probably everyone agrees on is that, as so often, it would be helpful if Congress would engage in that kind of nuanced regulation, and we'll all be holding our breaths for when they do.''1

Judge Lynch's closing observation illustrates the challenge facing the Second Circuit in interpreting the Stored Communications Act (SCA), a statute enacted into law nearly three decades ago, long before today's Internet, long before cloud storage and long before huge amounts of data was stored in servers around the world.

And, as more and more digital information is stockpiled, it will be increasingly critical for global businesses to understand the rules of the road and precisely when, under what circumstances, and how governments in the U.S. and abroad can lawfully access that data, wherever collected and stored. As the court itself acknowledged during oral argument, the ''implications.

. . [of its ruling] are obviously broad.''2 That's es pecially so as our digital universe expands. By one estimate, the digital universe – meaning the data we create and copy – will reach 44 zettabytes or 44 trillion gigabytes by 2020. That means within the next five years there will be as many digital bites as stars in the universe.3

The three-judge panel included Judge Lynch,4 a former Columbia Law School professor and U.S. District Judge; Susan L. Carney, former Deputy General Counsel of Yale University; and Victor A. Bolden, a U.S. District Judge for the District of Connecticut, who was sitting by designation.

The Facts: Microsoft, DOJ and the SCA

At issue on the appeal is whether a U.S. warrant issued under the SCA can reach data stored on a server in Europe. Microsoft has fought the case for the past two years, starting in December 2013 when, in connection with a drug-trafficking investigation, U.S. law enforcement officials served a warrant on Microsoft at its headquarters in Redmond, Wash.. The warrant sought e-mail traffic including e-mail content associated with an unnamed user's msn.com account. It's not known whether the account belongs to a U.S. or European citizen.5

When Microsoft received the SCA warrant, its Global Criminal Compliance team determined that it would comply by producing the account information stored on servers located within the U.S., but would move to vacate the warrant to the extent it sought customer information stored outside the U.S. Because of sophisticated computer technology, Microsoft in the U.S. is able to access information stored on its servers from around the world.6

Section 2703(a) of the SCA, enacted in 1986 as part of the Electronic Communications Privacy Act, says: A government entity may require the disclosure by a provider of electronic communications service of the contents of a wire or electronic communications, that is in electronic storage in an electronic communications systems for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure . . . by a court of competent jurisdiction[.]7

Throughout the case, Microsoft has read the statute as prohibiting the application of an SCA warrant beyond U.S. soil. Its position is based, in part, on the statutory language that the warrant must be issued ''using the procedures described in the Federal Rules of Criminal Procedure.'' Rule 41 of the Federal Rules of Criminal Procedure states that ''[f]ederal courts are without authority to issue warrants for the search and seizure of property outside the territorial limits of the United States . . . .''8

But Magistrate Judge James Francis disagreed and denied Microsoft's motion to vacate the warrant in April 2014 (13 PVLR 796, 5/5/14). In his ruling, Magistrate Francis concluded that the SCA itself was ambiguous and looked to its legislative history. In so doing, he concluded that an SCA warrant ''is a hybrid: part search warrant and part subpoena.''9 An SCA warrant is obtained by demonstrating probable cause to a magistrate.

But, once the SCA warrant is issued, it functions more like a subpoena because it is merely served on an Internet Service Provider (ISP)—with the onus shifting to the recipient to look for responsive materials and produce them. The SCA warrant does not require the government to enter a company's premises and conduct a physical search and seizure that would be governed by Fourth Amendment protections. With a traditional subpoena, the physical location of the documents sought isn't relevant but what matters is whether the documents sought are within the possession, custody or control of the recipient.10

Magistrate Francis also concluded that, while the legislative history wasn't a model of clarity, it suggested that the SCA warrant did not call for extra-territorial application. He cited a House Report accompanying a 2001 amendment to the SCA that looked to the operation of Rule 41. The report compared ''where the property is located'' with the location of the ISP, not the location of any server.''11

Finally, Magistrate Francis looked to the practical implications of not enforcing the SCA warrant. For technical and customer service reasons, data is stored on servers located close to a user's residence. Because an ISP isn't required to verify the residence of a user, wrongdoers could provide false information to an ISP, have their e-mail data reside abroad and escape the reach of U.S. law enforcement. Further, if the SCA warrant wasn't enforced, the government would be required to use the Mutual Legal Assistance Treaty (MLAT) process, which is sometimes considered unwieldly. Magistrate Francis also noted that the U.S. has MLAT treaties with only 60 countries, suggesting that some information would be beyond the reach of U.S. law enforcement. An MLAT is an agreement between the U.S. and a foreign government to facilitate cooperation between law enforcement authorities for search warrants and court orders.12

In July 2014, Judge Loretta A. Preska of the U.S. District Court for the Southern District of New York affirmed Magistrate Francis's order from the bench, hold- ing that the key issue was one of control over the user's information and not its physical location.13

On appeal before the Second Circuit, Microsoft's argument was straightforward: the SCA warrant requires an extra-territorial search because the information sought resides on a data server outside U.S. borders. Because there is a presumption against extraterritoriality in U.S. law coupled with the fact that the SCA does not provide for extra-territorial reach, a warrant issued under that statute cannot reach data stored outside the U.S.14 Microsoft also argued that the proper method of seeking such material was through an MLAT. In fact, there is an MLAT in place between the U.S. and Ireland. In an amicus filing, the Government of Ireland noted that it ''would be pleased to consider, as expeditiously as possible, a request under the treaty, should one be made.''15

The government disputed that the SCA warrant implicates the presumption against extraterritoriality, arguing that Microsoft is a U.S. corporation, had access in the U.S. to the server in Ireland, and was therefore required to comply with the warrant.16 Further, the government argued that, as the custodian of Microsoft's corporate and business records, the user's e-mail was a Microsoft ''business record'' and therefore subject to disclosure.17 Microsoft took issue with the government's characterization of the e-mail as a business record, arguing that they were personal documents belonging to the account holder and not the company.

During argument, Microsoft's lawyer told the court that ''[t]his notion of the government's that private e-mails are Microsoft's business records is very scary.''18 The back-and-forth during oral argument focused on three key issues:

Textual Interpretation of the Stored Communications Act: Extraterritoriality, Disclosure or Storage?

Judges Lynch and Carney pressed counsel on both sides for textual indications in the SCA that speak to extraterritoriality. 19 Microsoft's position was that because neither the text of the SCA, nor any expression of Congressional intent suggested otherwise, the presumption against extraterritorial application of U.S. law applied with full force. Under the circumstances, Microsoft argued that the U.S. should stick to the traditional MLAT process – especially since such a treaty was already in place with Ireland – to seek the e-mail traffic.20

The government's argument was based on the proposition that, so long as a U.S. company maintains care, custody or control of information called for by a court order, the physical location of that information is not relevant: ''[T]he SCA is all about disclosure, not storage,'' argued the government's lawyer.21

International Relations and Foreign Policy Implications

The undercurrent of several questions from Judges Lynch and Carney focused on the MLAT process itself and the fact that such a mechanism between the U.S. and Ireland did in fact exist but wasn't used in this case. Indeed, in an amicus brief, the Irish government noted that it stood ready to promptly facilitate the MLAT process.22

Microsoft urged the court to interpret the SCA in a way that ''creates the least international discord[,]'' and that by affirming the lower court rulings, it risked setting off ''global chaos'' and encouraging other nations to enact SCA-type laws, which would open the door to requiring companies in the U.S. to turn over customer information including that belonging to American citizens.23

Microsoft urged the court to interpret the SCA in a way that ''creates the least international discord.''

Judge Carney pressed the government on this point, asking whether ''a German court requiring disclosure of a provider in Germany, regardless of where its servers are kept or who it's providing service to, can require the disclosure to happen there and U.S. customers or users can be effected but it should be of no concern to us. Is that right?'' The government conceded that it should be of ''some concern'' but that, under principles of international law, it was the ''norm.''24

Judge Lynch also pressed on the question of whether production of the e-mail would violate either Irish or European Union data privacy protections. In responding, Microsoft pointed to excerpts from two amicus briefs which indicated that U.S. and EU privacy protections were distinct in this respect and that the e-mail should only be produced through the MLAT process or by order of the Irish courts.25

Judge Lynch raised the broader issue of whether the political or international implications requiring production of material stored abroad was a question more appropriately addressed by other branches of government. ''We don't do foreign relations,'' he said, suggesting that if a law as enacted by Congress and implemented by the Executive branch stirs up international discord, that's not a question for the courts. Said Lynch, ''If Congress passes a law and the executive wields it like a blunderbuss in such a way as to cause international tensions, that's for them to worry about.''26

The ''Plea'' for Congressional Action

Not surprisingly, the parties had different views on the state of the SCA in a digital era. The government argued that, although enacted decades ago, the SCA remained intact which was the best evidence that Congress intended it to apply regardless of advances in technology. Microsoft responded by noting that the statute was arcane and clearly not meant to apply in a rapidly changing technology environment in which the very materials sought weren't even in existence when the SCA was put into law.27

Microsoft has called for Congress to pass the Law Enforcement Access to Data Stored Abroad (LEADS) Act, (S. 512) which as currently drafted, has both domestic and international aspects. In the U.S., similar to the SCA, LEADS would establish a warrant requirement before technology firms hand over stored communications. But U.S. law enforcement would unilaterally have the ability to obtain e-mail content located outside of the U.S. when the content belongs to an American citizen. Not so for non-U.S. residents. Under those circumstances, the U.S. would go through the international MLAT mechanism. It also calls for the Justice Department to make changes to the existing MLAT process including the creation of an online tracking systems for requests and publishing yearly statistics about the volume of MLAT requests.28

Second Circuit's Decision: A Pit Stop to Congress or the Supreme Court?

It's unlikely that the Second Circuit's ruling— regardless of how decided—will be the last word. With several proposals pending in Washington including the LEADS Act, Congress could step in and address the issue. Perhaps more likely is an appeal to the U.S. Supreme Court. Either way, as our digital universe expands, either a legislative or judicial outcome will have broad implications for businesses that store digital data globally.

Footnotes

1 Hearing Transcript, United States v. Microsoft, No. 14- 2985-CV, 9/9/15, at p. 99 (Hearing Transcript) (14 PVLR 1678, 9/14/15)

2 Id. at p. 74.

3 John Gantz and David Reinsel, The Digital Universe in 2020 (December 2012).

4 Judge Lynch was the author of a 97-page decision handed down by the Second Circuit in May 2015 which ruled the oncesecret National Security Agency (NSA) program that collected bulk phone records of U.S. citizens was illegal under a provision of the USA PATRIOT Act (14 PVLR 822, 5/11/15). The ruling was the first time a Federal appellate court had reviewed the NSA phone records program. Prior to Judge Lynch's ruling, the data collection was approved by judges serving on the Foreign Intelligence Surveillance Court, or FISA court, a secret court that oversees U.S. national security matters.

5 In re Warrant, 15 F. Supp. 3d 466, (No. 13-MJ-2814) , ECF No. 80.

6 Id. at 467-68.

7 18 U.S.C. § 2703.

8 Id. at 470 (quoting 18 U.S.C. § 2703(a)(2012). See also Hearing Transcript at p. 17.

9 Id. at 471-72.

10 Id.

11 Id. at 473-74 (quoting H.R. Rep. No. 99-647, at 32-33 (1986)). See also Orin Kerr, What Legal Protections Apply to e-mail Stored Outside the U.S.?, The Washington Post: Volokh Conspiracy (July 7, 2014).

12 In re Warrant, 15 F. Supp. 3d at 474-77.

13 Brief of Appellant Microsoft Corporation at p. 14 (Appellant's Brief) (13 PVLR 1416, 8/11/14).

14 Appellant's Brief at pp. 18-33; Hearing Transcript at pp. 34-35; 42-44.

15 Brief of Amicus Curiae Ireland at p. 4.

16 Brief of the United States of America at pp. 36-44.

17 Id. See also Hearing Transcript at p.81.

18 Id. at pp. 24-27; p. 98.

19 Id. at pp. 6-8; 14-15; 27-33; 69-70.

20 Id. At

21 Id. at 55-56; 71;

22 Id.

23 Id. at pp. 32-33; 39

24 Id. at 56-57.

25 Id. at pp. 91-95. See also p. 57-58 for the government's rebuttal to the point that U.S. and Irish data privacy laws conflict.

26 Id. at pp. 13-14.

27 Id. at pp. 72-73.

28 Id. at pp. 33-34; S. 2871 – Law Enforcement Access to Data Stored Abroad Act (2013-14) (https://www.congress.gov/ bill/113th-congress/senate-bill/2871); See also Should governments be able to look at your data when it is stored abroad, The Economist (Sept. 8, 2015) (http://www.economist.com/ news/business-and-finance/21663902-test-case-set-determinewhether- fbi-can-access-microsofts-foreign-data-should); Wayne Rash, Senate Holds Hearings on Updated ECPA Data Privacy, Storage Rules, eWeek (Sept. 9, 2015) (http:// www.eweek.com/storage/senate-holds-hearings-on-updatedecpa- , eWeek (Sept. 9, 2015) www.eweek.com/storage/senate-holds-hearings-on-updatedecpa-data-privacy-storage-rules.html); Patrick Maines, The LEADS Act and cloud computing, The Hill, (Mar. 30, 2015) ( http://thehill.com/blogs/pundits-blog/technology/237328-theleads- act-and-cloud-computing).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
 
In association with
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement

Mondaq.com (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of www.mondaq.com

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about Mondaq.com’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.

Disclaimer

Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.

Registration

Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to unsubscribe@mondaq.com with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.

Cookies

A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.

Links

This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.

Mail-A-Friend

If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.

Security

This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to webmaster@mondaq.com.

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at enquiries@mondaq.com.

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.