Pennsylvania Court Shrugs Off Microsoft Decision; Says Google Must Turn Over Emails Stored At Overseas Data Centers
from the redefining-'seizure' dept
Just south of the Second Circuit Court of Appeal's district, a Pennsylvania (3rd Circuit) federal judge has come to (nearly) the opposite conclusion on law enforcement's access to emails stored overseas. This case deals with two FBI SCA (Stored Communications Act) warrants seeking emails that Google says aren't stored in the United States. Google, however, also says the sought emails could be at any of its data storage sites -- which would include those in the US. It all depends on when it's asked to retrieve the communications.
And there's where this decision parts ways with the Second Circuit, which found that emails stored in an Irish data center weren't subject to US-issued warrants. The court explains [PDF] Google's process for handling user data, which is built for efficiency, rather than what's central to the FBI's demands: efficiency of retrieval in response to law enforcement requests.
Google stores user data in various locations, some of which are in the United States and some of which are in countries outside the United States. Some user files may be broken into component parts, and different parts of a single file may be stored in different locations (and, accordingly, different countries) at the same time. Google operates a state-of-the-art intelligent network that, with respect to some types of data, including some of the data at issue in this case, automatically moves data from one location on Google's network to another as frequently as needed to optimize for performance, reliability, and other efficiencies.
As a result, the country or countries in which specific user data, or components of that data, is located may change. It is possible that the network will change the location of data between the time when the legal process is sought and when it is served. As such, Google contends that it does not currently have the capability, for all of its services, to determine the location of the data and produce that data to a human user at any particular point in time.
Because of the way Google handles data, it theoretically could refuse every US law enforcement request for communications. (It could do the same to foreign requests as well.) This makes Google's case distinguishable from Microsoft's legal battle. Microsoft knew exactly where the stored communications were located. Google says the communications might be anywhere -- in one place upon receipt of a warrant and in another when retrieval efforts begin. As the court sees it, the Second Circuit's ruling would basically make Google completely immune to law enforcement requests.
[I]f the court were to adopt Google’s interpretation of the Microsoft decision and apply such a rationale to the case at bar, it would be impossible for the Government to obtain the sought-after user data through existing MLAT channels.
The "fix," according the Pennsylvania court, is to have Google round up the sought communications in the US, putting them within reach of the FBI's warrants.
In contrast, under this court’s interpretation, Google will gather the requested undisclosed data on its computers in California, copy the data in California, and send the data to law enforcement agents in the United States, who will then conduct their searches in the United States.
Of course, this means compelling Google to do something with its data that it doesn't normally do, which would make it a seizure. And since the data sought is constantly in transit, the court is giving the government the power to step in and alter Google's data-handling. This would obviously be a seizure of data potentially stored (at least temporarily) in foreign countries. To get around the Fourth Amendment concerns this raises -- not to mention the expansion of the US government's power to compel the production of data from foreign servers -- the court decides no seizure actually takes place until the government takes control of the data Google has been ordered to compile.
In contrast to the decision in Microsoft, this court holds that the disclosure by Google of the electronic data relevant to the warrants at issue here constitutes neither a "seizure" nor a "search" of the targets' data in a foreign country. This court agrees with the Second Circuit's reliance upon Fourth Amendment principles, but respectfully disagrees with the Second Circuit's analysis regarding the location of the seizure and the invasion of privacy.
Electronically transferring data from a server in a foreign country to Google's data center in California does not amount to a "seizure" because there is no meaningful interference with the account holder's possessory interest in the user data. Indeed, according to the Stipulation entered into by Google and the Government, Google regularly transfers user data from one data center to another without the customer's knowledge. Such transfers do not interfere with the customer's access or possessory interest in the user data. Even if the transfer interferes with the account owner's control over his information, this interference is de minimis and temporary.
This is a really weird -- and wrong -- interpretation of the word "seizure." While it's true the FBI won't actually have taken possession of the emails until after Google has gathered them in a California datacenter to make them more Fourth Amendment-compliant (or whatever), the fact that Google has to interrupt its normal flow of data at the government's request would appear to make that initial interruption a "seizure" -- de minimis or not.
In essence, the court is saying the Fourth Amendment doesn't apply to data in transit. The government can compel the collection of overseas data and have the Fourth Amendment applied to it after it's already been gathered and stored locally. The decision makes a mess of the Fourth Amendment cart-horse configuration, but figures this is more acceptable than informing the FBI that its warrants might be useless.
The better conclusion to reach would be the one the Second Circuit reached: if the concern is that the 30-year-old SCA limits law enforcement's ability to demand data from overseas data centers run by US companies, the solution lies with the entity that created it (Congress), rather than the courts. This decision will be appealed and it's safe to assume the Third Circuit Court of Appeals will arrive at the same conclusion.
Even if Congress doesn't "fix" the SCA to make US companies with foreign data centers more responsive to law enforcement demands, cases going forward may start applying the Rule 41 changes that went into effect at the beginning of this year, which greatly expand the jurisdictional reach of US court-issued warrants. As for Google, its system isn't built with law enforcement's needs in mind, nor should it be. It does what works best for it, which is what we expect from private companies. This ruling gives law enforcement a workaround for dealing with the SCA's limits, so some forum shopping should be expected until this decision is (hopefully) overturned.