Southern District of New York Magistrate Judge Francis has determined that Microsoft must comply with a U.S. Government warrant seeking a user’s email content even though the emails are stored in Microsoft’s datacenter in Dublin, Ireland. The decision is likely to get widespread attention and be the subject of future court review, as it expands the reach of a government criminal warrant beyond the borders of the United States to allow for the collection of evidence abroad.
The obligation of an Internet Service Provider (“ISP”) like Microsoft to disclose to the U.S. Government customer information or records is governed by the Stored Communications Act (“SCA”), which was passed as part of the Electronic Communications Privacy Act of 1986 and codified at 18 U.S.C. §§ 2701-2712. The warrant in this case, obtained under SCA Section 2703(a) after a showing of probable cause as required by the Federal Rules of Criminal Procedure (see Fed. R. Crim. P. 41(d)(1)), authorized the search and seizure of information associated with a specified web-based e-mail account that is “stored at premises owned, maintained, controlled, or operated by Microsoft Corporation.” Microsoft complied with the search warrant by producing certain non-content information about the customer’s account that was stored on its servers in the United States. However, after the company determined that the target account was hosted in Dublin, it moved to quash the government warrant to the extent that it directs the production of email content and other information stored abroad. Microsoft argued that because Federal courts are without authority under the Federal Rules of Criminal Procedure to issue warrants for the search and seizure of property outside the territorial limits of the United States, the SCA warrant also must be limited to electronic information “located” in the United States, not abroad.
Finding the warrant language of the SCA “ambiguous” on the point of its extraterritorial application, Judge Francis examined the “statutory structure, relevant legislative history, [and] congressional purposes” of the SCA. First, the Court noted the “unique structure” of the SCA that allows for the court to issue something of a “hybrid” between a subpoena and a warrant. Noting that it has “long been the law that a subpoena requires the recipient to produce information in its possession, custody, or control regardless of the location of that information,” the Court reasoned that the SCA’s warrant provision should not be read to forbid the extraterritorial gathering of electronic information any more than a subpoena would forbid it. The “probable cause” requirement under the SCA is an added safeguard to a user’s privacy, not a territorial restriction on where data can be gathered. Second, the Court concluded that the legislative history of the SCA on the point was ambiguous, but noted that Congress at least had “anticipated that an ISP located in the United States would be obligated to respond to a warrant issued pursuant to section 2703(a) by producing information within its control” regardless of where that information itself was located. Finally, the Court examined the practical considerations at stake if Microsoft’s position were correct, and held that gathering evidence under a multi-national treaty is slow and cumbersome and, in some cases, cannot even be done. Moreover, recent decisions of the United States Supreme Court that frown upon the extraterritorial reach of substantive federal statutes, such as certain securities laws, do not resolve the issue because “an SCA Warrant does not criminalize conduct taking place in a foreign country” but instead places obligations only on the service provider to act within the United States.
There are far-reaching implications of Judge Francis’ decision for both law enforcement and foreign users of U.S.-based ISPs. Certainly the ability of the U.S. Government to gather key electronic evidence and pursue suspicious activity abroad is enhanced by the ruling. But certain privacy rights of citizens abroad are diminished in the process, and it remains to be seen whether the European Union and other countries that treat privacy as a fundamental right will regard the opinion as an unwelcome gateway through which the U.S. Government can gather the private emails of their citizens. As we have noted in previous posts, getting the security/privacy balance right can be extremely difficult in practice. The long-term business consequences to Microsoft or other U.S. internet service providers are also unclear, especially if foreign-based ISPs can provide levels of privacy protection to their citizens that U.S. businesses are unable to ensure.