Pennsylvania Court Shrugs Off Microsoft Decision; Says Google Must Turn Over Emails Stored At Overseas Data Centers
from the redefining-'seizure' dept
Just south of the Second Circuit Court of Appeal’s district, a Pennsylvania (3rd Circuit) federal judge has come to (nearly) the opposite conclusion on law enforcement’s access to emails stored overseas. This case deals with two FBI SCA (Stored Communications Act) warrants seeking emails that Google says aren’t stored in the United States. Google, however, also says the sought emails could be at any of its data storage sites — which would include those in the US. It all depends on when it’s asked to retrieve the communications.
And there’s where this decision parts ways with the Second Circuit, which found that emails stored in an Irish data center weren’t subject to US-issued warrants. The court explains [PDF] Google’s process for handling user data, which is built for efficiency, rather than what’s central to the FBI’s demands: efficiency of retrieval in response to law enforcement requests.
Google stores user data in various locations, some of which are in the United States and some of which are in countries outside the United States. Some user files may be broken into component parts, and different parts of a single file may be stored in different locations (and, accordingly, different countries) at the same time. Google operates a state-of-the-art intelligent network that, with respect to some types of data, including some of the data at issue in this case, automatically moves data from one location on Google’s network to another as frequently as needed to optimize for performance, reliability, and other efficiencies.
As a result, the country or countries in which specific user data, or components of that data, is located may change. It is possible that the network will change the location of data between the time when the legal process is sought and when it is served. As such, Google contends that it does not currently have the capability, for all of its services, to determine the location of the data and produce that data to a human user at any particular point in time.
Because of the way Google handles data, it theoretically could refuse every US law enforcement request for communications. (It could do the same to foreign requests as well.) This makes Google’s case distinguishable from Microsoft’s legal battle. Microsoft knew exactly where the stored communications were located. Google says the communications might be anywhere — in one place upon receipt of a warrant and in another when retrieval efforts begin. As the court sees it, the Second Circuit’s ruling would basically make Google completely immune to law enforcement requests.
[I]f the court were to adopt Google’s interpretation of the Microsoft decision and apply such a rationale to the case at bar, it would be impossible for the Government to obtain the sought-after user data through existing MLAT channels.
The “fix,” according the Pennsylvania court, is to have Google round up the sought communications in the US, putting them within reach of the FBI’s warrants.
In contrast, under this court’s interpretation, Google will gather the requested undisclosed data on its computers in California, copy the data in California, and send the data to law enforcement agents in the United States, who will then conduct their searches in the United States.
Of course, this means compelling Google to do something with its data that it doesn’t normally do, which would make it a seizure. And since the data sought is constantly in transit, the court is giving the government the power to step in and alter Google’s data-handling. This would obviously be a seizure of data potentially stored (at least temporarily) in foreign countries. To get around the Fourth Amendment concerns this raises — not to mention the expansion of the US government’s power to compel the production of data from foreign servers — the court decides no seizure actually takes place until the government takes control of the data Google has been ordered to compile.
In contrast to the decision in Microsoft, this court holds that the disclosure by Google of the electronic data relevant to the warrants at issue here constitutes neither a “seizure” nor a “search” of the targets’ data in a foreign country. This court agrees with the Second Circuit’s reliance upon Fourth Amendment principles, but respectfully disagrees with the Second Circuit’s analysis regarding the location of the seizure and the invasion of privacy.
[…]
Electronically transferring data from a server in a foreign country to Google’s data center in California does not amount to a “seizure” because there is no meaningful interference with the account holder’s possessory interest in the user data. Indeed, according to the Stipulation entered into by Google and the Government, Google regularly transfers user data from one data center to another without the customer’s knowledge. Such transfers do not interfere with the customer’s access or possessory interest in the user data. Even if the transfer interferes with the account owner’s control over his information, this interference is de minimis and temporary.
This is a really weird — and wrong — interpretation of the word “seizure.” While it’s true the FBI won’t actually have taken possession of the emails until after Google has gathered them in a California datacenter to make them more Fourth Amendment-compliant (or whatever), the fact that Google has to interrupt its normal flow of data at the government’s request would appear to make that initial interruption a “seizure” — de minimis or not.
In essence, the court is saying the Fourth Amendment doesn’t apply to data in transit. The government can compel the collection of overseas data and have the Fourth Amendment applied to it after it’s already been gathered and stored locally. The decision makes a mess of the Fourth Amendment cart-horse configuration, but figures this is more acceptable than informing the FBI that its warrants might be useless.
The better conclusion to reach would be the one the Second Circuit reached: if the concern is that the 30-year-old SCA limits law enforcement’s ability to demand data from overseas data centers run by US companies, the solution lies with the entity that created it (Congress), rather than the courts. This decision will be appealed and it’s safe to assume the Third Circuit Court of Appeals will arrive at the same conclusion.
Even if Congress doesn’t “fix” the SCA to make US companies with foreign data centers more responsive to law enforcement demands, cases going forward may start applying the Rule 41 changes that went into effect at the beginning of this year, which greatly expand the jurisdictional reach of US court-issued warrants. As for Google, its system isn’t built with law enforcement’s needs in mind, nor should it be. It does what works best for it, which is what we expect from private companies. This ruling gives law enforcement a workaround for dealing with the SCA’s limits, so some forum shopping should be expected until this decision is (hopefully) overturned.
Filed Under: 4th amendment, ecpa, emails, pennsylvania, stored communications act, subpoena, third circuit, warrant
Companies: google, microsoft
Comments on “Pennsylvania Court Shrugs Off Microsoft Decision; Says Google Must Turn Over Emails Stored At Overseas Data Centers”
Wait a sec. Did a District Court judge in Eastern Pennsylvania (where I live) just come out and essentially say, as a key part of an official ruling, that copying is not theft because making a copy doesn’t interfere with the owner’s use of the original?
The wide-ranging implications are staggering!
Re: Re:
Isn’t there a difference between copying and moving? I think I understand that a ‘copy’ may be made in RAM during the move process, but it is fleeting. Isn’t it?
A better question might be made about when. Did the move take place before or after notice of a subpoena? Another might be, is Google purposefully storing email in a country other than recipients/creators places of residence, in order to prevent government snooping? This might or might not be to Google’s advantage as it would (in the long run) teach governments to not try to get at email.
Re: Re: Re:
The semantics around this are staggering… is simple concatenation of fragmented (separately stored) parts “copying”? And when “seizure” is considered a poisoned term, start using “disclosed” and avoid the fuss… I can’t imagine all or even many of the terms bandied about actually have any standing in these contexts.
Re: Re: Re:
Doesn’t matter. MAI Systems v. Peak Computer, 991 F.2d 511 (US 9th Cir. 1993). Admittedly the court got it embarrassingly wrong, but that happens and you get to live with it.
(and who came up with the dumb idea to use this “use markdown” cruft anyway?)
Microsoft case concerned a non-US person. This case is about a US person.
What’s the issue with providing information about a US person subject to a warrant?
Re: Filing Cabinets
The best way to think about this is if Microsoft and Google were letter carriers that store copies in filing cabinets.
Microsoft keeps their letters all in one place per client. Meanwhile, Google says shipping is cheap and puts the letters wherever they have free space. The court order is telling google to ship the letters to the US so the FBI can then seize it.
If the filing cabinets are in the US, then the US can easily get to them. If they’re in a foreign country, then you need a foreign country’s permission to get to their filing cabinets. Countries don’t take it lightly when foreigners raid their businesses. It’s that whole sovereign nation thing.
The only time this analogy breaks down is in the US you don’t actually need a warrant to get old E-Mails. As far as US law is concerned, if those E-Mails have been sitting in the filing cabinets for long enough they’re considered "abandoned." Microsoft and Google aren’t exactly going to say that the US can do this though. In addition to the business loss, widely publicizing this government over reach jeopardizes multiple treaties these companies rely on.
Re: Re: Filing Cabinets
You, and Mike, are missing a huge point about this whole case: Google doesn’t know where the data resides. If Google knew that the data resided in, let’s say, Ireland, then retrieving that data in the US would be an illegal foreign search so the government would need to go through the MLAT process to affect a search. However, Google doesn’t know where the data is located and have effectively told the court that the data could be in the USA, Canada, China, Mexico, Ireland, Poland, Sweden, eh we don’t really know and have no way to find out.
Because Google has no way of knowing where the data is and even admit that the data might be in the USA or maybe it’s not, they’re not sure, the judge rightfully is ordering them to produce all data which may or may not be in the USA to the government. They had a chance to argue that the data isn’t in the USA, but they failed to argue such a case because they themselves do not know the location of the data.
So really, I have no problem with this ruling and it doesn’t conflict with the ruling in Washington at all. In fact, it’s pretty much just reiterating that compelling Google to move data known to be outside of the country into the country constitutes a foreign search.
Re: Re: Re: Filing Cabinets
See my post about distributed filing systems for more information. My analogy was just that, and isn’t perfect.
The problem with this ruling is it’s forcing Google to make huge technical changes to their infrastructure. I’m talking Billions of dollars worth here. At best, Google can spend a couple million to put in hacks and treat the person under investigation as a special snowflake. Except, if those hacks do involve moving data out of say the EU, then Google just broke EU law. Especially since, everyone but this judge believes ordering Google to move things so the Feds can get it is a seizure.
Even ignoring the dubious international legality, the US really doesn’t want to be known for having courts that can force company’s to completely restructure their internal organization on a whim. The cost to implement the court order means this will be fought as long as possible. If Google loses, then this is additional (not codified) regulation international companies will be wary of when dealing with US markets.
Re: Re: Re:2 Filing Cabinets
Re: Re: Re:3 Filing Cabinets
Calling it up is not the same as knowing where it is at any given time over the next months to years.
Re: Re: Re:4 Filing Cabinets
What are you arguing? The court is demanding production of data not the physical location of bits.
Re: Re: Re:5 Filing Cabinets
The court is demanding the data be in the US so they can demand the production of data, thus they are demanding Google alter the physical location of bits.
Re: Re: Re: Filing Cabinets
So basically, Google is playing a shell game, where the pea can be where Google wants it, and even change it once the FBI selects a shell.
This seems odd. But consider this – Google is a Search Company. They are in the business of knowing where things are. For them to say they don’t know where it’s at is laughable, since somehow they obviously know where an index is located where it can be requested from where ever it is.
Re: Re: Re:2 Filing Cabinets
So basically, Google is playing a shell game, where the pea can be where Google wants it, and even change it once the FBI selects a shell.
In a shell game a scammer purposefully and deceptively hides the pea. You accusation that Google is doing the same without evidence to support it is dishonest.
Re: Re: Re:3 Filing Cabinets
Sorry, but Google is pretty much telling us that. They actually say you can search a server, but the data may or may not be there from the time you request the data till the time you search it. They’ve hidden the pea, and they are telling you they can’t find it. When every indication that if the owner of the pea asks for it, I absolutely assure you that Google will present it to them.
Re: Re: Re:4 Filing Cabinets
Re: Re:
This also seems to involve actual warrants, if the language is reliable, instead of the best of both worlds hybrid warrant-subpoena animal the FBI tried to play on Microsoft.
But another issue is that they seem to want to serve warrants to third parties as much as possible, instead of serving, you know, the actual person under investigation. Try serving warrants to large corporations for their own internal information, and see how long that can take. The only time they fight like hell for the information they want is when attempting to get third-party information and set legal precedents and the general climate. I can see why Google, or anyone else, would want this thoroughly examined. They can flip the win here back on cases like the Microsoft case. Collect the data so it is here, then hand it over.
Re: Re: Re:
That is because it makes it difficult to Impossible for the actual target to defend their rights.
Re: Re: Re: Re:
Maybe if people stopped giving their rights to third parties there would be something to debate.
I seriously doubt Google is breaking up a single file in multiple parts, and storing those parts on different servers in different countries.
Re: Distributed File Systems
I wouldn’t be so sure of that.
Google is a major contributor to distributed file system development. These are things that look like one “disk” to anyone accessing it, but are based on man hard drives running on many different computers.
These systems are “intelligent”. So if I were in Japan, it would see that and slowly move my data over to an Asian data center. Because, that way I’m not waiting for signals to travel halfway across the world and back again every time I want to read an E-mail.
Here’s a more likely example: Someone in Japan sends me (in the US) an E-mail. Google recieves that E-mail at their Asian data center, but knows I’m in the US. So, whenever I read that E-mail, or if the US data center has extra space and Google have spare bandwidth, Google will transfer it over to the US.
Managing such a system has to be a huge effort. To find where a specific file is, they have to: find all the data blocks, map those blocks to actual disks/machines, and find out where those machines are. The best part is there are multiple copies of each block, so if a machine dies it doesn’t take data with it. Then, 5 minutes later the system could shift and move all that data overseas.
The tools just aren’t designed to say that this file must be on this machine. The way Google dealt with China was just setting up an entirely separate network. That is why orders like this, or the possibility of the EU requiring all data to be stored within it’s borders scares Google so much. They’d go from one distributed fault tolerant network, to a bunch of small vulnerable networks.
Re: Re: Distributed File Systems
Let’s talk about data blocks. Consider plaintext data block A.
B = random data block
C = A XOR B
Now delete A. A can be reproduced with C XOR B. But neither B nor C are plaintext. Now store B and C in different countries, on purpose. (Note you could XOR with multiple random blocks so that there are three or more parts that must be recombined to reproduce block A.)
Now to reproduce block A, at least one block is required from a foreign country.
Blocks could be stored in multiple countries such that if some number of countries are inaccessible, all necessary blocks can still be retrieved to reproduce the original data.
This helps make data big-brother proof.
Note that you don’t need quite as many random blocks as you think. Block B could be used again on some other customer’s data block somewhere. Just don’t use it too often. It still needs to be a drop in the ocean of random data blocks.
Re: Re: Re: Distributed File Systems
It reminds me of Wikileaks, who, from very early on, claimed to be routing every request through Sweden. Assange said they were doing it specifically because the Constitution of Sweden protected whistleblowers. This may be one of the earliest "practical" examples of such a legal hack, although cypherpunks talked about similar things earlier.
Re: Re: Distributed File Systems
Even if Google is using block storage, replication, and fault tolerance, it still should be easy to gather the data. Finding out where the data resides to follow international as well as local court precedents, is probably the sticking point. The EU/US privacy shield though I think only applies to citizens of either the US or EU respectively, so the US may have standing in retrieval from EU DCs as it’s not affecting an EU member citizen.
How that works in Hong Kong, Japan, et al is a totally different set of legal issues and could prove to be an violation of a country’s sovereignty. I would think it’s sort of like when Turkey tried to extradite Fethullah Gülen from his home in the US. They had to go through proper extradition procedures since there isn’t a treaty in place and the US court system found the evidence to be lacking.
Re: Re:
A design like that may have the unintended side effect of making data potentially inaccessible to all countries.
At the time of a law enforcement request, Google doesn’t know where the data is located. Therefore, it’s a crap shoot for law enforcement to try to get a foreign law enforcement agency to cooperate.
This is superior to Microsoft’s approach. Microsoft knew the data was in Ireland. Microsoft argued that Irish law enforcement could require Microsoft to produce the data.
With Google’s approach, law enforcement doesn’t know what jurisdiction to cooperate with to produce the data. This could get national jurisdictions into a pissing match.
The FBI could try to get all jurisdictions where Google data centers are located to all simultaneously serve a warrant for the sought after data. But that is a much higher bar to jump over.
Re: Re:
Distributed file systems and distributed files have been around for DECADES. To wit, CPF running on S/38 in 1981.
For all of this...
1. There is NO law that extends OVER a countries BORDERS…
2. For all the Information data exchange and the INTERNET…
There is NO PROTECTED PRIVACY
except the USPS..the USPS is covered..unless there is ALLOT of paper work, they CANT check your mail..
Re: USPS
The USPS can open your mail! Under certain circumstances at least. I haven’t been able to find too many articles discussing the issue, but here’s one: http://www.rstreet.org/2014/11/19/yes-the-government-can-open-your-mail-without-a-warrant/
I have a fix for this...
Google should provide this information. It should treat it like the FBI treats FOI requests. Say $.20/Bit?
What a bull shit Google defense. Fed have warrant for info, not doc. In any case, manipulation of judicial system should not be allowed.
It like panynj tried to say they not liable to subpoenas in 9/11 cases because they span two states.
Re: Re:
That’s just bad trolling right there. You are a bad person and should feel bad about yourself.
Re: Re:
In any case, manipulation of judicial system should not be allowed.
Like, oh I dunno, changing the law so you don’t actually have to get a warrant in the jurisdiction a crime is taking place, but can get it from any court, and use it on any system?
Talk about a bunch of losers. The court was correct in this case. When a company like Google can effectively circumvent any law in any country, it makes them untouchable by the courts.
This isn’t like Microsoft. Google is an entirely different circumstance and the courts really need to ensure that a company like Google isn’t circumventing the law in order to make it untouchable by any court in any country.
Re: Re:
Oh? Which law is Google circumventing?
Re: Re:
When a company like Google can effectively circumvent any law in any country, it makes them untouchable by the courts.
Damn right, that sort of thing is only acceptable when the Holy American Empire does it!
Who cares about such trivialities as ‘demanding a company provide information located outside US jurisdiction, and despite that fact that ordering a company to provide that information could very well put it in the position of ignoring a US court order or violating the law in another country’, US law always gets priority.
Only rights to PRIVACY
were given in the OLDER DAYS..Because they knew they WANTED privacy for a few reasons, ASK THE RICH..
TELEPHONES(NOT CELLPHONES, not pagers, NOTHING)
AND the MAIL…the OLD SNAIL MAIL..
these 2 have MORE protection than ANY OTHER..
And the FIGHT goes on, between those that WISH to monitor EVERYTHING, Those that just dont want warrants, Those that THINK it IS private, and those that JUST WANT TO HIDE STUFF..