Microsoft case underscores legal complications of cloud computing
In late 2013, federal law enforcement authorities served a warrant at Microsoft Corp.’s headquarters in Redmond, Washington, seeking information about an email account the government thought was being used to aid illegal drug activity, including making drugs for import into the United States.
The warrant sought the contents of all emails in the account as well as records that might identify its user. The warrant was issued under the Stored Communications Act of 1986—a federal statute already before the U.S. Supreme Court this term in another high-profile case on data privacy.
Now the statute is at issue in United States v. Microsoft, a major case about whether U.S. corporations must disclose data that they store abroad to federal authorities. The case underscores the growing impact and legal complications of cloud computing—when providers and their customers store data on servers rather than on a device such as a computer, tablet or cellphone.
Microsoft, responding to the 2013 warrant, disclosed certain account-identification records that it routinely stores in the United States. But the technology giant determined that the contents of the sought-after email account were stored at its data center in Dublin.
Microsoft manages more than 1 million server computers in over 100 data centers in 40-plus countries across the globe, based on 2014 figures cited in the case record. The company migrates customer emails daily from one data center to another for various business reasons but typically sends them to a center close to the customer’s location.
Microsoft refused the government’s request to retrieve the contents of the emails sought under the warrant and stored in the Dublin center. The company stresses that it generally doesn’t oppose legal requests for data and seeks to aid law enforcement.
But in this case, it asked a federal magistrate judge to quash the subpoena. The magistrate refused, setting the case on a path toward the Supreme Court, which will hear arguments on Feb. 27.
‘THIS UNBRIDLED POWER’
According to David M. Howard, corporate vice president and deputy general counsel at Microsoft, this case is about whether the U.S. government can “come to Microsoft and force Microsoft to effectively go into its Irish data center, collect that private or confidential information, copy that information and transmit that information to the United States, and turn it over to law enforcement without the cooperation and assistance of the Irish government—all without any consideration of whether the production of that information is consistent with Irish law.”
“Our view is this statute ought not to be interpreted to allow the government this unbridled power, but that Congress needs to consider under which circumstances a warrant ought to be allowed outside the United States,” says Howard, referring to the Stored Communications Act. “Using this outdated statute is not the right vehicle to do this.”
Solicitor General Noel J. Francisco, in the federal government’s merits brief, argued that under the Stored Communications Act, “the government may compel a U.S. service provider to disclose electronic communications within its control, regardless of whether the provider stores those communications in the United States or abroad.”
According to Francisco, the focus of the statute is on domestic conduct and does not violate the so-called presumption against extraterritoriality—the principle that acts of Congress are meant to apply only within the territorial jurisdiction of the United States unless Congress makes clear otherwise.
Because Microsoft’s U.S.-based security team is able to access emails stored in Dublin or any of its overseas data centers, it may copy and shift that information to the United States to comply with the warrant, the government argued.
“Because any disclosure to the government occurs in the United States, such disclosure involves a permissible domestic application of” the statute, Francisco said in the brief.
The federal government has appealed a unanimous decision by a three-judge panel of the 2nd U.S. Circuit Court of Appeals at New York City, which ruled for Microsoft and held that the SCA’s warrant provision does not apply outside the United States.
The panel went on to hold that much of the focus of the 1986 statute and later amendments is on protecting the privacy of consumers. And “the invasion of the customer’s privacy takes place under the SCA where the customer’s protected content” is stored—in this case at Microsoft’s Dublin data center.
A warrant that requires a provider to access its data abroad calls for the provider to seize the data from that site while acting as an agent of the U.S. government, the 2nd Circuit held.
An en banc panel of the 2nd Circuit split 4-4 on whether to rehear the case, which left the panel’s decision in force. Each judge who would have heard the case wrote a dissent, with one arguing that a Stored Communications Act warrant is more like a subpoena seeking information “within the grasp” of the U.S. provider.
This article was published in the February 2018 issue of the ABA Journal with the title "Data Reach: How far can law enforcement authorities go when seeking electronically stored information outside the United States?"