Huge Win: Court Says Microsoft Does Not Need To Respond To US Warrant For Overseas Data

from the big-news dept

We've been following an important case for the past few years about whether or not the US can issue a warrant to an American company for data stored overseas. In this case, Microsoft refused to comply with the warrant for some information hosted in Ireland -- and two years ago a district court ruled against Microsoft and in favor of the US government. Thankfully, the 2nd Circuit appeals court today reversed that ruling and properly noted that US government warrants do not apply to overseas data. This is a hugely important case concerning the privacy and security of our data.

The key issue here is that the US government was basically on a fishing expedition for information hosted on Microsoft Outlook.com email servers. And there are a few really key issues, concerning jurisdiction, privacy and the all-important difference between a subpoena and a warrant (something that many people seem to think are the same thing). Microsoft's own response to the lawsuit did a really good job explaining the issues and how the government wanted to pretend a warrant was a subpoena, and what that meant for the 4th Amendment:

The Government cannot seek and a court cannot issue a warrant allowing federal agents to break down the doors of Microsoft's Dublin facility. Likewise, the Government cannot conscript Microsoft to do what it has no authority itself to do -- i.e., execute a warranted search abroad. To end-run these points, the Government argues, and the Magistrate Judge held, that the warrant required by ECPA is not a "warrant" at all. They assert that Congress did not mean "warrant" when using that term, but instead meant some previously unheard of "hybrid" between a warrant and subpoena duces tecum. The Government takes the extraordinary position that by merely serving such a warrant on any U.S.-based email provider, it has the right to obtain the private emails of any subscriber, no matter where in the world the data may be located, and without the knowledge or consent of the subscriber or the relevant foreign government where the data is stored.

This interpretation not only blatantly rewrites the statute, it reads out of the Fourth Amendment the bedrock requirement that the Government must specify the place to be searched with particularity, effectively amending the Constitution for searches of communications held digitally. It would also authorize the Government (including state and local governments) to violate the territorial integrity of sovereign nations and circumvent the commitments made by the United States in mutual legal assistance treaties expressly designed to facilitate cross-border criminal investigations. If this is what Congress intended, it would have made its intent clear in the statute. But the language and the logic of the statute, as well as its legislative history, show that Congress used the word "warrant" in ECPA to mean "warrant," and not some super-powerful "hybrid subpoena." And Congress used the term "warrant" expecting that the Government would be bound by all the inherent limitations of warrants, including the limitation that warrants may not be issued to obtain evidence located in the territory of another sovereign nation.

The Government's interpretation ignores the profound and well established differences between a warrant and a subpoena. A warrant gives the Government the power to seize evidence without notice or affording an opportunity to challenge the seizure in advance. But it requires a specific description (supported by probable cause) of the thing to be seized and the place to be searched and that place must be in the United States. A subpoena duces tecum, on the other hand, does not authorize a search and seizure of the private communications of a third party. Rather, it gives the Government the power to require a person to collect items within her possession, custody, or control, regardless of location, and bring them to court at an appointed time. It also affords the recipient an opportunity to move in advance to quash. Here, the Government wants to exploit the power of a warrant and the sweeping geographic scope of a subpoena, without having to comply with fundamental protections provided by either. There is not a shred of support in the statute or its legislative history for the proposition that Congress intended to allow the Government to mix and match like this. In fact, Congress recognized the basic distinction between a warrant and a subpoena in ECPA when it authorized the Government to obtain certain types of data with a subpoena or a "court order," but required a warrant to obtain a person's most sensitive and constitutionally protected information -- the contents of emails less than 6 months old.

It was unfortunate that two judges at the district court level basically ignored this argument, so it's good to see the appeals court shoot it down completely.

For the reasons that follow, we think that Microsoft has the better of the argument. When, in 1986, Congress passed the Stored Communications Act as part of the broader Electronic Communications Privacy Act, its aim was to protect user privacy in the context of new technology that required a user’s interaction with a service provider. Neither explicitly nor implicitly does the statute envision the application of its warrant provisions overseas. Three decades ago, international boundaries were not so routinely crossed as they are today, when service providers rely on worldwide networks of hardware to satisfy users’ 21st–century demands for access and speed and their related, evolving expectations of privacy.

Rather, in keeping with the pressing needs of the day, Congress focused on providing basic safeguards for the privacy of domestic users. Accordingly, we think it employed the term “warrant” in the Act to require pre‐disclosure scrutiny of the requested search and seizure by a neutral third party, and thereby to afford heightened privacy protection in the United States. It did not abandon the instrument’s territorial limitations and other constitutional requirements. The application of the Act that the government proposes ― interpreting “warrant” to require a service provider to retrieve material from beyond the borders of the United States ― would require us to disregard the presumption against extraterritoriality that the Supreme Court re‐stated and emphasized in Morrison v. National Australian Bank Ltd., 561 U.S. 247 (2010) and, just recently, in RJR Nabisco, Inc. v. European Cmty., 579 U.S. __, 2016 WL 3369423 (June 20, 2016). We are not at liberty to do so.

In the full discussion, the court points out where the lower court went wrong, thinking that thanks to the PATRIOT Act, a warrant could apply to the location of the service provider rather than the location of the server. But the court says that's clearly wrong, and the Congressional record makes it pretty clear that it was looking to apply the law just to the United States. As for the idea that the warrant was really a subpoena in disguise, the court says that's not how it works:

Warrants and subpoenas are, and have long been, distinct legal instruments. Section 2703 of the SCA recognizes this distinction and, unsurprisingly, uses the “warrant” requirement to signal (and to provide) a greater level of protection to priority stored communications, and “subpoenas” to signal (and provide) a lesser level. 18 U.S.C. § 2703(a), (b)(1)(A). Section 2703 does not use the terms interchangeably. Id. Nor does it use the word “hybrid” to describe an SCA warrant. Indeed, § 2703 places priority stored communications entirely outside the reach of an SCA subpoena, absent compliance with the notice provisions. Id. The term “subpoena,” therefore, stands separately in the statute, as in ordinary usage, from the term “warrant.” We see no reasonable basis in the statute from which to infer that Congress used “warrant” to mean “subpoena.”

[....] We see no reason to believe that Congress intended to jettison the centuries of law requiring the issuance and performance of warrants in specified, domestic locations, or to replace the traditional warrant with a novel instrument of international application.

There is, of course, the further issue of Microsoft being a US company, but the court says that doesn't magically make its overseas data subject to these kinds of warrants, because the intent of the law is to protect the privacy of users' communications, not to make it easier for the government to snoop.

The reader will recall the SCA’s provisions regarding the production of electronic communication content: In sum, for priority stored communications, “a governmental entity may require the disclosure . . . of the contents of a wire or electronic communication . . . only pursuant to a warrant issued using the rules described in the Federal Rules of Criminal Procedure,” except (in certain cases) if notice is given to the user....

In our view, the most natural reading of this language in the context of the Act suggests a legislative focus on the privacy of stored communications. Warrants under § 2703 must issue under the Federal Rules of Criminal Procedure, whose Rule 41 is undergirded by the Constitution’s protections of citizens’ privacy against unlawful searches and seizures. And more generally, § 2703’s warrant language appears in a statute entitled the Electronic Communications Privacy Act, suggesting privacy as a key concern.

The overall effect is the embodiment of an expectation of privacy in those communications, notwithstanding the role of service providers in their transmission and storage, and the imposition of procedural restrictions on the government’s (and other third party) access to priority stored communications. The circumstances in which the communications have been stored serve as a proxy for the intensity of the user’s privacy interests, dictating the stringency of the procedural protection they receive—in particular whether the Act’s warrant provisions, subpoena provisions, or its § 2703(d) court order provisions govern a disclosure desired by the government. Accordingly, we think it fair to conclude based on the plain meaning of the text that the privacy of the stored communications is the “object[] of the statute’s solicitude,” and the focus of its provisions.

The court goes on at length arguing that the Stored Communications Act's default is that communication privacy must be protected, and the exceptions are narrow.

All three judges on the panel agreed, but one -- Judge Gerard Lynch -- wrote a concurrence that tries to undercut the strong 4th Amendment/privacy arguments in the overall opinion, basically noting that he believes the decision doesn't come down to 4th Amendment issues or privacy protection, but merely how Congress drew up the law in the Stored Communications Act -- and basically argues that if Congress doesn't like this result, it can just rewrite the law.

It's also important to note that Rule 41 is the underpinning of much of this case, and that's the rule that the courts recently agreed to change to allow the DOJ more power to simply hack overseas servers. That shouldn't directly impact this particular case or similar situations, but does show how the DOJ is looking for ways to create end-runs around limitations on domestic laws to try to get international data.

Still, for now, this ruling is a surprisingly good one, reinforcing privacy protections in overseas data. Kudos to Microsoft for going to court over this when it would have been quite easy for it to just give in and hand over the data. I assume that the US government will seek to get this ruling overturned, either via an en banc hearing on the 2nd Circuit or going to the Supreme Court, so the case isn't over yet. But, as for right now, it's in a good position.

Reader Comments


  • Anonymous Coward, 14 Jul 2016 @ 10:56am

    Doesn't this just mean that they can't do it with warrants, so they'd better leave it to the CIA, who can do it without them?

  • DigDug, 14 Jul 2016 @ 11:20am

    Eh... Sorry - but Congress cannot write laws to conflict the bill of rights.

    Since the Constitution and Bill of rights do not lay out any kind of "exemptions" to their wording, Congress cannot pass any law that contradicts them, period.

    The only way to change the amendments is with another amendment that would have to be voted on by a Continental Congress from all 50 states made up from the general population, not professional politicians (oxymoron if I've ever heard one).

    • Anonymous Coward, 14 Jul 2016 @ 11:36am

      Re: Eh... Sorry - but Congress cannot write laws to conflict the bill of rights.

      Not quite. There are two methods of amending the US constitution and you've named one of them. In fact, a Constitutional convention has been done only once when the original constitution was written. All other amendments were done by having congress propose an amendment and then having the proposed amendment ratified by a super majority of the states. To be perfectly honest, I would be extremely worried about a constitutional convention being held in modern times. Why? Simply take a look at the precedent that the original constitutional convention set and think about what might happen today. The original constitutional convention had the mandate to simply correct the flaws in the articles of confederation and whatever they came up with would require unanimous ratification by all the states. What they actually did was totally throw out the articles of confederation and instead propose the constitution as we know it. They also knew that there was no way that the result would be unanimously ratified so they eased the ratification requirement to a simple super majority. Definitely NOT what they were originally charged to do. And to be perfectly honest, given what I see today, it would be extremely worrisome for a constitutional convention to be held today given how dishonest and self serving today's politicians are.

      • FTFY, 15 Jul 2016 @ 9:02am

        Re: Re: Eh... Sorry - but Congress cannot write laws to conflict the bill of rights.

        Are you forgetting the ratification of the 16th amendment? It was voted on by six members of congress present and President Woodrow Wilson Christmas Eve 1912 and ratified Feb 3, 1913. They snuck in and fucked the American people. Before the ratification a corporation's privilege could be taxed, but not an individual's right to earn a living.

    • Anonymous Coward, 14 Jul 2016 @ 11:51am

      Re: Eh... Sorry - but Congress cannot write laws to conflict the bill of rights.

      Sure they can, see: Espionage Acts, Sedition Acts, and USA PATRIOT Act.

      It's the responsibility of the courts to point out and invalidate those laws when that happens. Unfortunately, too many judges see their role as helping the government get around those pesky rules to "get the bad guys." In actuality, 'those pesky rules' were specifically placed in the Bill of Rights because the people feared that a Federal government as described in the Constitution would abuse its power without such strictures.

  • Padpaw, 14 Jul 2016 @ 11:37am

    The cynic in me wonders how the government will retaliate against Microsoft for this spiteful refusal to play ball.

  • Skeeter, 14 Jul 2016 @ 11:46am

    Hiding in Plain Sight

    While everyone can cheer this 'little guy fights government and wins' ideology, in reality, what has just happened is more concrete-actions to ensure if you are big, and rich, you can refuse to cooperate with the law, anytime you like.

    You see, a corporation is a quasi-person in legal terms. Like a person, it is responsible to the law, and can face many various penalties if it ignores the law. If you are an American person, just because you are in Ireland, does NOT mean you can't be arrested and returned to the U.S., nor does it mean you can't be searched with indictable material being returned to the U.S. for proof. Even if the material does not violate Ireland's laws, doesn't mean that illegally holding classified material feloniously acquired won't leave you in federal prison in the end.

    Sadly, this is EXACTLY what the courts just let Microsoft, a U.S. corporation, do. They KNOWINGLY parked data servers in Europe, refused to abide by U.S. court orders, and then the pansy 2nd Circuit Appeals court said, 'no problem'.

    Tell you what, try doing this yourself, and see where it gets you. You'll find out that corporations are no longer 'quasi-humans', they are 'super-humans', doing things you'll do time for - and protected by the laws that would burn you alive.

    • Anonymous Coward, 14 Jul 2016 @ 11:53am

      Re: Hiding in Plain Sight

      The only difference between Microsoft and you: they can afford decent lawyers.

    • Anonymous Coward, 14 Jul 2016 @ 12:10pm

      Re: Hiding in Plain Sight

      Likewise, the Government cannot conscript Microsoft to do what it has no authority itself to do -- i.e., execute a warranted search abroad

      If the US government succeeded in this request, what would stop other governments going to their Microsoft subsidiary and demanding data belonging to US citizens?

    • That One Guy, 14 Jul 2016 @ 10:57pm

      Re: Hiding in Plain Sight

      They KNOWINGLY parked data servers in Europe, refused to abide by U.S. court orders, and then the pansy 2nd Circuit Appeals court said, 'no problem'.

      You are aware that there are more than two countries on the planet right? It's not just 'The Grand US of A' and 'Everywhere else', and there are actual people and governments other than the US?

      There are perfectly logical and legal reasons to set up data servers in other countries that have nothing to do with attempting to avoid US jurisdiction or whatever you want to call it.

  • Anonymous Coward, 14 Jul 2016 @ 11:59am

    International Warrants

    "US government warrants do not apply to overseas data"

    Hmmmm... What about the US warrants against Megaupload?

    • DannyB, 14 Jul 2016 @ 1:20pm

      Re: International Warrants

      US warrants against Megaupload are different. That is about copyright. Therefore silly notions of due process, evidence, laws, or the constitution do not apply.

      Megaupload was simply Hollywood's temper tantrum the day after the internet went dark, exposing SOPA. As the bright light of news coverage shone on SOPA, its supporters distanced themselves, slinking back into the shadows.

  • Anonymous Coward, 14 Jul 2016 @ 3:24pm

    So does this mean we are at war with Ireland now?

    • Anonymous Coward, 14 Jul 2016 @ 4:14pm

      Re:

      America is at war with everyone, including America

      • Anonymous Coward, 15 Jul 2016 @ 12:16am

        Re: Re:

        Exactly this. America has hostile designs on my information, my privacy as a citizen of a foreign nation. My government might not acknowledge that fact, but it is nonetheless true. As a nation that actively tries to harm me, what else am I to call it but an enemy? And this goes for everyone not a citizen of the U.S. of A.

        And as for those citizens? I don't know, I don't live there. But from the tenor of a few American websites and their comments, a lot of Americans feel the behaviour and goals of their government and their courts is just as hostile to them as it is to us foreigners.

        From back here, the USA looks like a rogue nation, cut loose from its allies and its own population, just a drifting malignancy of lobbyists, politicians and murdercops, looking for someone to prey on.

  • orbitalinsertion, 14 Jul 2016 @ 7:46pm

    Wow, this and the theoretical operations of Privacy Shield. Good, or just more lipstick on the pig?

  • Junk Collector, 15 Jul 2016 @ 8:48am

    Hmm, Let's see if we got that right

    Thankfully, the 2nd Circuit appeals court today reversed that ruling and properly noted that US government warrants do not apply to overseas data. This is a hugely important case concerning the privacy and security of our data.

    Now that monster with all our data can now SELL our data back to the government who will pay with US tax dollars that we, the data owners will pay for, not the tax avoiding monster. That's just delicious.

  • nygrump, 15 Jul 2016 @ 12:03pm

    MS has probably already provided access anyway

    Ever since Microsoft locked me out of my hotmail account after 15 years because I would not provide them with my phone number, I wouldn't trust them as far as I can shake my dandruff. I'm on their blacklist.

  • Anonymous Coward, 17 Jul 2016 @ 6:04am

    Wait, how did this data end up there? Where did it originate? If they put a server on the Mir station, can they screw every law?

  • RonKaminsky, 19 Jul 2016 @ 12:21pm

    Possibly not so easy to comply

    > when it would have been quite easy for it to just
    > give in and hand over the data

    It seems to me that this could have violated the European data privacy laws, no? (Assuming the servers were in Europe.)
