We've been following an important case for the past few years about whether or not the US can issue a warrant to an American company for data stored overseas. In this case, Microsoft refused to comply with the warrant for some information hosted in Ireland -- and two years ago a district court ruled against Microsoft and in favor of the US government. Thankfully, the 2nd Circuit appeals court today reversed that ruling and properly noted that US government warrants do not apply to overseas data. This is a hugely important case concerning the privacy and security of our data.
The key issue here is that the US government was basically on a fishing expedition for information hosted on Microsoft Outlook.com email servers. And there are a few really key issues, concerning jurisdiction, privacy and the all-important difference between a subpoena and a warrant (something that many people seem to think are the same thing). Microsoft's own response to the lawsuit did a really good job explaining the issues and how the government wanted to pretend a warrant was a subpoena, and what that meant for the 4th Amendment:
The Government cannot seek and a court cannot issue a warrant allowing federal agents to break down the doors of Microsoft's Dublin facility. Likewise, the Government cannot conscript Microsoft to do what it has no authority itself to do -- i.e., execute a warranted search abroad. To end-run these points, the Government argues, and the Magistrate Judge held, that the warrant required by ECPA is not a "warrant" at all. They assert that Congress did not mean "warrant" when using that term, but instead meant some previously unheard of "hybrid" between a warrant and subpoena duces tecum. The Government takes the extraordinary position that by merely serving such a warrant on any U.S.-based email provider, it has the right to obtain the private emails of any subscriber, no matter where in the world the data may be located, and without the knowledge or consent of the subscriber or the relevant foreign government where the data is stored.
This interpretation not only blatantly rewrites the statute, it reads out of the Fourth Amendment the bedrock requirement that the Government must specify the place to be searched with particularity, effectively amending the Constitution for searches of communications held digitally. It would also authorize the Government (including state and local governments) to violate the territorial integrity of sovereign nations and circumvent the commitments made by the United States in mutual legal assistance treaties expressly designed to facilitate cross-border criminal investigations. If this is what Congress intended, it would have made its intent clear in the statute. But the language and the logic of the statute, as well as its legislative history, show that Congress used the word "warrant" in ECPA to mean "warrant," and not some super-powerful "hybrid subpoena." And Congress used the term "warrant" expecting that the Government would be bound by all the inherent limitations of warrants, including the limitation that warrants may not be issued to obtain evidence located in the territory of another sovereign nation.
The Government's interpretation ignores the profound and well established differences between a warrant and a subpoena. A warrant gives the Government the power to seize evidence without notice or affording an opportunity to challenge the seizure in advance. But it requires a specific description (supported by probable cause) of the thing to be seized and the place to be searched and that place must be in the United States. A subpoena duces tecum, on the other hand, does not authorize a search and seizure of the private communications of a third party. Rather, it gives the Government the power to require a person to collect items within her possession, custody, or control, regardless of location, and bring them to court at an appointed time. It also affords the recipient an opportunity to move in advance to quash. Here, the Government wants to exploit the power of a warrant and the sweeping geographic scope of a subpoena, without having to comply with fundamental protections provided by either. There is not a shred of support in the statute or its legislative history for the proposition that Congress intended to allow the Government to mix and match like this. In fact, Congress recognized the basic distinction between a warrant and a subpoena in ECPA when it authorized the Government to obtain certain types of data with a subpoena or a "court order," but required a warrant to obtain a person's most sensitive and constitutionally protected information -- the contents of emails less than 6 months old.
It was unfortunate that two judges at the district court level basically ignored this argument, so it's good to see the appeals court shoot it down completely.
For the reasons that follow, we think that Microsoft has the better of the argument. When, in 1986, Congress passed the Stored Communications Act as part of the broader Electronic Communications Privacy Act, its aim was to protect user privacy in the context of new technology that required a user’s interaction with a service provider. Neither explicitly nor implicitly does the statute envision the application of its warrant provisions overseas. Three decades ago, international boundaries were not so routinely crossed as they are today, when service providers rely on worldwide networks of hardware to satisfy users’ 21st–century demands for access and speed and their related, evolving expectations of privacy.
Rather, in keeping with the pressing needs of the day, Congress focused on providing basic safeguards for the privacy of domestic users. Accordingly, we think it employed the term “warrant” in the Act to require pre‐disclosure scrutiny of the requested search and seizure by a neutral third party, and thereby to afford heightened privacy protection in the United States. It did not abandon the instrument’s territorial limitations and other constitutional requirements. The application of the Act that the government proposes ― interpreting “warrant” to require a service provider to retrieve material from beyond the borders of the United States ― would require us to disregard the presumption against extraterritoriality that the Supreme Court re‐stated and emphasized in Morrison v. National Australian Bank Ltd., 561 U.S. 247 (2010) and, just recently, in RJR Nabisco, Inc. v. European Cmty., 579 U.S. __, 2016 WL 3369423 (June 20, 2016). We are not at liberty to do so.
In the full discussion, the court points out where the lower court went wrong, thinking that thanks to the PATRIOT Act, a warrant could apply to the location of the service provider rather than the location of the server. But the court says that's clearly wrong, and the Congressional record makes it pretty clear that it was looking to apply the law just to the United States. As for the idea that the warrant was really a subpoena in disguise, the court says that's not how it works:
Warrants and subpoenas are, and have long been, distinct legal instruments. Section 2703 of the SCA recognizes this distinction and, unsurprisingly, uses the “warrant” requirement to signal (and to provide) a greater level of protection to priority stored communications, and “subpoenas” to signal (and provide) a lesser level. 18 U.S.C. § 2703(a), (b)(1)(A). Section 2703 does not use the terms interchangeably. Id. Nor does it use the word “hybrid” to describe an SCA warrant. Indeed, § 2703 places priority stored communications entirely outside the reach of an SCA subpoena, absent compliance with the notice provisions. Id. The term “subpoena,” therefore, stands separately in the statute, as in ordinary usage, from the term “warrant.” We see no reasonable basis in the statute from which to infer that Congress used “warrant” to
[....] We see no reason to believe that Congress intended to jettison the centuries of law requiring the issuance and performance of warrants in specified, domestic locations, or to replace the traditional warrant with a novel instrument of international
There is, of course, the further issue of Microsoft being a US company, but the court says that doesn't magically make its overseas data subject to these kinds of warrants, because the intent of the law is to protect the privacy of users' communications, not to make it easier for the government to snoop.
The reader will recall the SCA’s provisions regarding the production of electronic communication content: In sum, for priority stored communications, “a governmental entity may require the disclosure . . . of the contents of a wire or electronic communication . . . only pursuant to a warrant issued using the rules described in the Federal Rules of Criminal Procedure,” except (in certain cases) if notice is given to the user....
In our view, the most natural reading of this language in the context of the Act suggests a legislative focus on the privacy of stored communications. Warrants under § 2703 must issue under the Federal Rules of Criminal Procedure, whose Rule 41 is undergirded by the Constitution’s protections of citizens’ privacy against unlawful searches and seizures. And more generally, § 2703’s warrant language appears in a statute entitled the Electronic Communications Privacy Act, suggesting privacy as a key
The overall effect is the embodiment of an expectation of privacy in those communications, notwithstanding the role of service providers in their transmission and storage, and the imposition of procedural restrictions on the government’s (and other third party) access to priority stored communications. The circumstances in which the communications have been stored serve as a proxy for the intensity of the user’s privacy interests, dictating the stringency of the procedural protection they receive—in particular whether the Act’s warrant provisions, subpoena provisions, or its § 2703(d) court order provisions govern a disclosure desired by the government. Accordingly, we think it fair to conclude based on the plain meaning of the text that the privacy of the stored communications is the “object of the statute’s solicitude,” and the focus of its provisions.
The court goes on at length arguing that the Stored Communications Act's default is that communication privacy must be protected, and the exceptions are narrow.
All three judges on the panel agreed, but one -- Judge Gerard Lynch -- wrote a concurrence that tries to undercut the strong 4th Amendment/privacy arguments in the overall opinion, basically noting that he believes the decision doesn't come down to 4th Amendment issues or privacy protection, but merely how Congress drew up the law in the Stored Communications Act -- and basically argues that if Congress doesn't like this result, it can just rewrite the law.
It's also important to note that Rule 41 is the underpinning of much of this case, and that's the rule that the courts recently agreed to change to allow the DOJ more power to simply hack overseas servers. That shouldn't directly impact this particular case or similar situations, but does show how the DOJ is looking for ways to create end runs around limitations on domestic laws to try to get international data.
Still, for now, this ruling is a surprisingly good one, reinforcing privacy protections in overseas data. Kudos to Microsoft for going to court over this when it would have been quite easy for it to just give in and hand over the data. I assume that the US government will seek to get this ruling overturned, either via an en banc hearing on the 2nd Circuit or going to the Supreme Court, so the case isn't over yet. But, as for right now, it's in a good position.