Microsoft Challenges Idea That US Government Can Go Fishing For Emails Stored Outside The US
from the going-to-be-an-important-fight dept
Back in April, we wrote about a magistrate judge ruling that Microsoft had to comply with a warrant asking for data that was held on servers in Dublin. Microsoft argued, quite reasonably, that a US warrant doesn’t apply outside of the US. Unfortunately, magistrate judge James Francis disagreed, saying that while it’s true that traditional warrants only apply inside the US, this is different because it’s “digital.” He argued that because the issue was about information, rather than physical property, it could be considered more like a subpoena than a warrant. As we noted, Microsoft made it clear that it would challenge this ruling, and now it has done so, arguing that the ruling flies in the face of the law and the Constitution. This summary from Microsoft’s filing is pretty clear on what an incredibly big deal this is, with the government basically seeking to get the best of a subpoena and a warrant without any of the protections and limits required of either:
The Magistrate Judge issued a warrant under the Electronic Communications Privacy Act (“ECPA”) that on its face, purports to authorize the Government to search any and all of Microsoft’s facilities worldwide. Microsoft moved to vacate the warrant because the private email communications the Government seeks are located in a Microsoft facility in Dublin, Ireland and because Congress has not authorized the issuance of warrants that reach outside U.S. territory. The Government cannot seek and a court cannot issue a warrant allowing federal agents to break down the doors of Microsoft’s Dublin facility. Likewise, the Government cannot conscript Microsoft to do what it has no authority itself to do — i.e., execute a warranted search abroad. To end-run these points, the Government argues, and the Magistrate Judge held, that the warrant required by ECPA is not a “warrant” at all. They assert that Congress did not mean “warrant” when using that term, but instead meant some previously unheard of “hybrid” between a warrant and subpoena duces tecum. The Government takes the extraordinary position that by merely serving such a warrant on any U.S.-based email provider, it has the right to obtain the private emails of any subscriber, no matter where in the world the data may be located, and without the knowledge or consent of the subscriber or the relevant foreign government where the data is stored.
This interpretation not only blatantly rewrites the statute, it reads out of the Fourth Amendment the bedrock requirement that the Government must specify the place to be searched with particularity, effectively amending the Constitution for searches of communications held digitally. It would also authorize the Government (including state and local governments) to violate the territorial integrity of sovereign nations and circumvent the commitments made by the United States in mutual legal assistance treaties expressly designed to facilitate cross-border criminal investigations. If this is what Congress intended, it would have made its intent clear in the statute. But the language and the logic of the statute, as well as its legislative history, show that Congress used the word “warrant” in ECPA to mean “warrant,” and not some super-powerful “hybrid subpoena.” And Congress used the term “warrant” expecting that the Government would be bound by all the inherent limitations of warrants, including the limitation that warrants may not be issued to obtain evidence located in the territory of another sovereign nation.
The Government’s interpretation ignores the profound and well established differences between a warrant and a subpoena. A warrant gives the Government the power to seize evidence without notice or affording an opportunity to challenge the seizure in advance. But it requires a specific description (supported by probable cause) of the thing to be seized and the place to be searched and that place must be in the United States. A subpoena duces tecum, on the other hand, does not authorize a search and seizure of the private communications of a third party. Rather, it gives the Government the power to require a person to collect items within her possession, custody, or control, regardless of location, and bring them to court at an appointed time. It also affords the recipient an opportunity to move in advance to quash. Here, the Government wants to exploit the power of a warrant and the sweeping geographic scope of a subpoena, without having to comply with fundamental protections provided by either. There is not a shred of support in the statute or its legislative history for the proposition that Congress intended to allow the Government to mix and match like this. In fact, Congress recognized the basic distinction between a warrant and a subpoena in ECPA when it authorized the Government to obtain certain types of data with a subpoena or a “court order,” but required a warrant to obtain a person’s most sensitive and constitutionally protected information — the contents of emails less than 6 months old.
Verizon has stepped in as well, pointing out that if the original ruling is allowed to stand, it could have significant negative impact on the ability of US businesses to get non-US users to trust them — an increasingly important issue in light of the Snowden revelations.
The magistrate’s ruling, if left standing, could cost U.S. businesses billions of dollars in lost revenue, undermine international agreements and understandings, and prompt foreign governments to retaliate by forcing foreign affiliates of American companies to turn over the content of customer data stored in the United States.
The recent revelations about U.S. intelligence practices have heightened foreign sensitivities about the U.S. government’s access to data abroad, generated distrust of U.S. companies by foreign officials and customers, and led to calls to cease doing business with U.S. communications and cloud service providers. Studies have estimated that this distrust will result in tens of billions of dollars in lost business over the next few years. The magistrate’s ruling, if left standing, will dramatically increase the harm to American businesses. It would mean that foreign customers’ communications and other stored data would be available to hundreds or thousands of federal, state, and local law enforcement agencies, regardless of the laws of the countries where the data is held. Foreign customers will respond by moving their business to foreign companies without a presence in the United States.
If you hadn’t figured it out by now, this case is going to have tremendously important ramifications for privacy around the globe.