The Washington PostDemocracy Dies in Darkness

What legal protections apply to e-mail stored outside the U.S.?

A federal magistrate judge in New York recently handed down an opinion on an important and novel question:  If the government serves a warrant for a customer’s e-mails on a U.S.-based Internet provider, but the e-mails happen to be located on a server outside the U.S., does the provider have to comply with the warrant?  The magistrate judge held that the answer is “yes.”

The provider, Microsoft, recently filed objections to the magistrate’s decision in the District Court. A slew of major Internet providers filed amicus briefs in support of Microsoft: Apple/Cisco’s is here, AT&T’s is here, and Verizon’s is here. EFF filed a brief in support of Microsoft, too.  The case is now pending before Chief Judge Loretta Preska of the Southern District of New York.

In this post, I wanted to run through the complicated legal issues raised by the challenges. As I emphasized in a recent article, the Stored Communications Act just wasn’t drafted with the problem of territoriality in mind. It assumed a U.S. Internet with U.S. servers and U.S. users. However the Microsoft challenges goes, Congress needs to amend the statute to deal expressly with the complex problems raised by the global Internet.

In this post, though, I’ll take the current statute as a given, and I’ll run through the constitutional and statutory issues raised by access to e-mail located abroad under current law. My bottom line: I don’t think Microsoft can challenge the warrant on Fourth Amendment grounds, and I think it’s a close call on whether the warrant is valid on statutory grounds. If Microsoft wins, though, I think the DOJ may be able to get foreign e-mails with a U.S. subpoena, which wouldn’t be much of a victory for privacy or sovereignty.

I.  The Territorial Problem

We need to start with a basic understanding of how the two major sources of e-mail privacy law, the Fourth Amendment and the Stored Communications Act, apply around the globe.  In the usual case of a domestic investigation, both the Fourth Amendment and the Stored Communications Act generally protect the contents of remotely stored e-mails with a warrant requirement.  When you add in a global perspective, however, those protections can change in two ways based on two variables: The location of the search/seizure and whether the person at issue has significant contacts with the U.S.

The details of how location and contacts matter are somewhat complicated. (If you want to know the details, see this article on the Fourth Amendment and this article on the SCA.)  Here’s the gist of it.  If a person lacks significant contacts with the U.S., that person has no Fourth Amendment rights but retains all of his statutory rights. On the other hand, if the search is occurring outside the United States, the Fourth Amendment warrant protection does not apply. The constitutionality of the search is determined by whether the search is reasonable, which calls for a balancing test instead of a warrant requirement. At the same time, the Stored Communications Act is generally thought to only apply inside the United States.

I’ll summarize this legal framework with the following chart, using the shorthand of a “U.S. person” to indicate a person with significant contacts with the U.S.:

Fourth Amendment Stored Communications Act
Search inside U.S. of e-mails belonging to U.S. person Warrant Warrant
Search outside U.S. of e-mails belonging to U.S. person Reasonableness requirement instead of warrant No protection
Search inside U.S. of e-mails belonging to non-U.S. Person No protection Warrant
Search outside U.S. of e-mails belonging to non-U.S. Person No protection No protection

II.  The Facts

In this case, the government obtained a search warrant to obtain the e-mail of a target of a criminal case.  The government served the warrant on Microsoft, but Microsoft responded that the e-mails are stored on a server in Ireland instead of in the United States.  Microsoft has moved to quash the warrant, at least insofar it seeks data outside the U.S.

Why is the data outside the U.S.? Well, it turns out that Microsoft has designed its network so that it often maintains the e-mails of individuals who signed up for accounts using foreign country codes on servers in Ireland instead of in the U.S. When the target of this investigation set up a Microsoft e-mail account, he entered in a country code outside the U.S. that led Microsoft to store the data in Ireland. Interestingly, Microsoft stores some non-content metadata inside the U.S. and I believe it has turned over that information already; it’s the stuff that Microsoft placed on a server in Ireland that is at issue here.

As far as I can tell, we don’t know whether the target in this case is a U.S. person or a foreigner. It’s likely that the target is a non-U.S. person located overseas.  But it could be a U.S. person in the U.S., or a non-U.S. person in the U.S., or a U.S. person abroad. We just don’t know.

So that brings us to the legal question: Should Microsoft’s motion to quash the warrant be granted?

III. The Fourth Amendment Question

Let’s start with the Fourth Amendment issues, which I need to break down into two different questions. First, what protection does the Fourth Amendment extend to the contents of the e-mail account stored overseas? And second, if the search warrant is insufficient to satisfy the Fourth Amendment, can Microsoft assert the rights of its customers now so it can successfully quash the warrant?

The answer to the first question, what protection does the Fourth Amendment extend, is probably “none.” U.S. persons have Fourth Amendment rights in the contents of their communications stored in the cloud. But remember, it’s more likely than not that the individual account holder here is not a U.S. person. That means that the account holder probably has no Fourth Amendment rights at all, and that the privacy rights at stake here can only be statutory rather than constitutional.

The picture is murkier if it turns out that the account holder is a U.S. person. In that case, the person has Fourth Amendment rights. If the government is ordering Microsoft to run off a copy of the e-mails and give them to the Government, then a Fourth Amendment seizure occurs when the copy is made (for reasons I explain here). Microsoft would then hand over the files to the government, which would then look through the files in the U.S., then constituting a search (for reasons I explain here).

Importantly, however, the seizure would be occurring outside the United States, where the warrant protection doesn’t apply. As a result, the Fourth Amendment standard of the seizure would be just reasonableness, not a warrant. (And although the search would later occur in the U.S., I think the reasonableness standard that applies to the seizure abroad would also apply unchanged to the subsequent search in the U.S.; you can find my argument for that here at pages 44-46.)

In the Second Circuit, the reasonableness standard for the extraterritorial application of the Fourth Amendment is a “totality of the circumstances” balance that considers, “on the one hand, the degree to which it intrudes upon an individual’s privacy and, on the other, the degree to which it is needed for the promotion of legitimate governmental interests.” There isn’t a lot in the way of caselaw to say how that should apply here, but it seems likely to me that a search would end up being reasonable under this balancing test when the government actually has a valid warrant for it. After all, a probable cause search warrant is generally considered the gold standard for Fourth Amendment protection. It would be rather odd if the cause and particularity needed to obtain a warrant in the domestic setting were insufficient to satisfy the reasonableness standard for a seizure abroad.

However that issue works out, though, I don’t think Microsoft can raise that challenge now. In my view, litigation over the reasonableness of the search is not yet ripe. We can’t be sure how the Fourth Amendment will apply to the resulting search yet, so the case is not yet ripe. We don’t know if the target has Fourth Amendment rights, or how agents might search through the e-mails when they are obtained. Given that, I think the issue has to be litigated ex post, not ex ante. See United States v. Warshak, 532 F.3d 521 (6th Cir. 2008) (en banc) (Sutton, J.). And even if the targets can litigate it ex ante, there remains the separate question of whether Microsoft can assert the rights of its customers. For related thoughts, see this long post on the recently-filed Facebook appeal.

In their briefs, the providers mostly rely on language from caselaw saying that federal law does not authorize warrants overseas, and they then argue that this means that the SCA can’t authorize warrants for data located abroad. I don’t find this persuasive for two reasons.

First, the statements in caselaw were mostly just describing the usual practice under Rule 41 at the time. The fact that federal law generally hasn’t authorized warrants for searches abroad doesn’t mean that such warrants are not permitted if Congress authorizes them. Several recent amendments to Rule 41 — and one presently pending amendment — expressly allow extraterritorial warrants. True, there’s some language in the caselaw questioning whether Congress could authorize warrants to be executed abroad, but they’re unexplained and strike me as unpersuasive, as apparently they struck the relevant legal actors in amending Rule 41 to allow extraterritorial warrants. It’s fair to wonder what the legal effect is of an extraterritorial warrant overseas where the U.S. is not sovereign. In the case of a physical search where the agents would execute the warrant in person, a U.S. warrant is just a nice piece of paper to the foreign legal authorities. But I don’t think there is a constitutional prohibition on issuing the paper if authorized by statute, which I would think is binding within the U.S. — presumably all that is needed in the case of a remote search for data.

Second, I think you have to read the warrant authority in 2703(a) as an exception to the territoriality limits otherwise found in Rule 41. As amended by Section 220 of the Patriot Act, Section 2703(a) allows warrants outside the home district that are not otherwise permitted by Rule 41(b). So whether 2703(a) also allows warrants for data physically located abroad because a statutory question, not a question about constitutional law or the essential nature of warrants.

Putting all of the Fourth Amendment pieces together, my sense is that the Fourth Amendment issues shouldn’t be the focus at this stage. The motion should stand or fall on statutory grounds, not constitutional ones.

IV. The Stored Communications Act Question

That brings us to the SCA, and specifically 18 U.S.C. 2703. On one hand, I agree that 2703 is territorial. The SCA is a close cousin of the Wiretap Act; it is integrated into the Wiretap Act and uses several similar concepts. We know that the Wiretap Act only applies inside the territory of the U.S., so it makes sense that the SCA does, as well. At the same time, that conclusion is only the beginning, not the end. It prompts two important questions: First, how does the territoriality concept apply when the provider is in the U.S. and it has placed data on a server abroad? And second, if 2703 doesn’t apply, what legal regime does?

As for the first question, I don’t think there are clear answers about how the territoriality concept applies. The SCA acts as both a shield and a sword. On one hand, it has a provision forbidding providers to divulge communications unless an exception applies, 18 U.S.C. 2702 (the shield). On the other hand, one of the exceptions is a provision requiring providers to comply with the appropriate legal process, 18 U.S.C. 2703 (the sword). But it’s not clear what the “where” is that these provisions regulate. The text states that the SCA regulates “the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system.” So what determines the territoriality of the statute? As I wrote recently in this article:

[W]hat does it mean for [the SCA] to apply only inside the territory of the United States? In today’s networked environment, company headquarters can be located in one country; employees with access to the data can be located in a second country; the data can reside in a third country; and the party seeking access to the company’s data could be located in a fourth country. Of course, all of the data could be easily sent electronically from any place in the world to any other place. So what determines territoriality? The location of the data? The company? The employee?

As a matter of doctrine, I think the answer is unclear. Consider the two major options in this case. If territoriality is defined by where the provider is, then the government’s act is territorial, as the government is obtaining data from a U.S. company operating in the U.S., Microsoft. It makes no functional difference where the data is, after all. The provider will just go to a computer and obtain it remotely either way. So the territoriality that matters is the company. Further, because ECPA warrants are hybrids between warrants and subpoenas — more on this in a minute — it make sense that the territoriality of 2703(a) warrants would resemble that of subpoenas. That was the basic argument of Magistrate Judge Francis. I think it’s plausible.

On the other hand, if territoriality is defined by where the communication is, then the government’s act is extraterritorial. After all, the point of the statute is to provide privacy protections in the cloud. If the statute only applies territoriality, then it only applies to data stored in the cloud on servers in the United States. It doesn’t matter whether a 2703 warrant is a hybrid subpoena: It’s a creature of statute and has the territoriality limits of the statute that enacted it. So it’s the data location that matters, not the corporate entity. I think this is plausible, too.

I’m not going to pick a side between these two plausible perspectives. I think it’s a close call.

With that said, I did want to weigh in on one issue that Judge Francis focused on in his opinion and that Microsoft takes issue with in its brief: The idea that 2703(a) warrants are “hybrids” between a warrant and a subpoena. I think Magistrate Judge Francis is right on this, and I thought I would explain why. I explained the basics back in 2002, in the course of explaining the unusual hybrid nature of 2703(a) warrants:

From 1986 until 2001, the required order [under 2703(a)] was called “a warrant issued under the Federal Rules of Criminal Procedure or equivalent State warrant.” 18 U.S.C. 2703(a) (1994). In October of 2001, as part of the USA Patriot Act, Congress amended the language so that now it requires “a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation or equivalent State warrant.” 18 U.S.C. § 2703(a) (2002). The change apparently reflects an attempt to clarify that the order is not a traditional Rule 41 search warrant, but rather merely a hybrid order issued using the procedures of Rule 41.

I was at DOJ when DOJ first formulated this amendment, and my recollection is that the switch to the phrase “using the procedures described” was in part a response to then-pending litigation in which defendants argued that a 2703(a) warrant was unlawful because the agents had failed to comply with 18 U.S.C. 3105, which required an officer to be present when a warrant was executed. The point of adding the “using the procedures described” language was to indicate that 2703(a) warrants did not incorporate every aspect of traditional Rule 41 search warrants, including the officer presence requirement. That was the thinking, at least.

Whatever one makes of the “hybrid” question, I don’t think it answers the territorial application of the SCA in this case. It doesn’t matter whether you label the order a warrant, a hybrid warrant, or something else: The question is whether the statute focuses on the entity that receives the order or the location of the information. As I said, I think there are plausible arguments for both sides.

V. What Happens if the Providers Are Right? What Are the Legal Alternatives?

Now, finally, let’s look at the important question of alternatives. If the SCA applies and the warrant is proper, then Microsoft has to comply and DOJ can get warrants in similar cases. But if the providers are right and the SCA does not apply, so that the warrant is improper, what then? Here things get more difficult. The providers and Magistrate Judge Francis mostly assume that if the SCA doesn’t apply, then the government has to go through the Mutual Legal Assistance Treaty with Ireland and get a court order from an Irish judge. I gather that’s why the case matters so much to the providers. In a post-Snowden age, foreign Internet users don’t trust the U.S. legal system, so U.S. providers want to keep foreign customers on board by promising them that foreign judges will be there to fend off the American executive branch.

As a matter of law, though, I don’t think the picture is so simple. Here’s why. The SCA is a privacy law. It imposes the privacy protection of a search warrant by statute, even if no warrant must be obtained as a matter of constitutional law. If the SCA does not apply because the e-mails are extraterritorial, then that necessarily means that the privacy protections of the SCA don’t apply. There is no longer a warrant requirement imposed by U.S. law.

Why does that matter? It matters because with the SCA out of the picture, the government could just subpoena the e-mails stored on the foreign server. Under circuit caselaw, the government can issue a subpoena on a company that does business in the U.S. for property it controls that is located outside the U.S. See, e.g., In re Grand Jury Subpoena Directed to Marc Rich, 707 F.2d 663 (2d Cir. 1983). A subpoena requires no cause, process or judicial review. As a result, the stakes in this case are not just U.S. warrant versus MLAT. They’re U.S. warrant versus MLAT vs. U.S. subpoena.

Or rather, a subpoena with one added protection. When a U.S. subpoena for materials located abroad is challenged, courts often apply a balancing test drawn from Restatement (Second) of Foreign Relations Law of the United States § 40 (1965) to say whether the subpoena should be enforced in light of the international norms of comity. The factors include:

(1) the competing interests of the nations whose laws are in conflict, (2) the hardship of compliance on the party or witness from whom discovery is sought, (3) the importance to the litigation of the information and documents requested, and (4) the good faith of the party resisting discovery.

Minpeco, S.A. v. Conticommodity Servs., Inc., 116 F.R.D. 517, 523 (S.D.N.Y. 1987).

If the SCA doens’t apply, then, alternative procedure might run like this: the government could issue a grand jury subpoena; the provider could then provide notice to the customer, and either with the customer or (perhaps) on its own move to quash the subpoena; and then a court would have to apply the Restatement factors to say if the subpoena should be allowed in that case.

How would such a balancing work out? I’m not sure, as we’ve veered into international law rather than criminal procedure. But it’s not at all clear to me that this is more privacy protective than a probable cause warrant would be.

VI. Why Does DOJ Favor a Warrant Requirement?

At this point, the two readers still following along are probably wondering, “But wait, why would DOJ be arguing for a warrant rule if they could otherwise get the information with a subpoena?” I suspect one answer is speed and certainty. If the government can get e-mail with a domestic SCA warrant, it will get the e-mails quickly. If it has to subpoena the e-mails and face litigation under the Restatement, who knows what will happen and how long it will take.

I gather that is the same reason why DOJ doesn’t want to go through the alternative of Mutual Legal Assistance. It’s not that Irish law is more privacy protective. My understanding is that in Ireland, where the e-mails are stored, e-mails are disclosed to law enforcement when the e-mails will “likely . . . be of substantial value to the investigation” and “it must be in the public interest that they be produced, having regard to the likely benefit to the investigation and the circumstances under which the person in possession of the documents holds them.” Some folks who work in this area have suggested to me that this is actually somewhat lower than the U.S. probable cause standard. I gather the problem from DOJ’s perspective is that mutual legal assistance takes a really long time — from what I hear, on the order of several months — and it often gives the foreign governments various discretionary calls as to whether they will go agree to hand over the data. Given that time is often critical in criminal investigations, that kind of delay and uncertainty presumably is a big problem from the government’s perspective.

VI. Conclusion

This is a hard case, and the legal issues are complicated. Even this very long blog post only scratched the surface. But however the court rules, I think the ultimate solution should come from Congress. The statute just wasn’t drafted with this problem in mind, and Congressional action to create explicit rules for how the statute applies abroad would be very very welcome. In a perfect world, I think the statute would distinguish between people in the U.S. who use U.S. providers that just happen to store their contents on servers abroad (those e-mails should be obtainable with a U.S. warrant) and people abroad whose providers store e-mails abroad but also have an office in the U.S. (those e-mails should be obtained through MLATs). The current statute doesn’t draw that line. But I think it should.

Full disclosure: In the past, I have done legal work for Microsoft in areas unrelated to the Fourth Amendment or the SCA. This commentary represents my own personal and independent views.