The Washington PostDemocracy Dies in Darkness

More on privacy rights in e-mail stored outside U.S.

A few weeks ago, I wrote a long post on a very interesting case, now pending before Chief Judge Preska in the Southern District of New York, on what privacy protection extends to e-mails stored by a U.S. provider on a server outside the U.S. The government has since filed its brief (available here) and Microsoft has filed its reply brief (available here). In this post, I thought I would offer some thoughts on both briefs.

In general, I found myself underwhelmed by both briefs. DOJ’s basic argument is that subpoenas traditionally require recipients to gather evidence abroad, and that the SCA is just an enhanced more protective subpoena. As such, it should have the same territorial scope. Microsoft responds that this case is really different because it’s not Microsoft’s records at stake: These records belong to the user, not Microsoft.

I find both arguments somewhat beside the point. Yes, subpoenas traditionally require recipients to gather evidence abroad. But why is that relevant? The SCA was designed to stand in as a sort of statutory version of the Fourth Amendment at a time when the Fourth Amendment protections in the cloud were very unclear. It replaced the pre-SCA law. Why should we just assume that the SCA adopted the same foreign-evidence principle for statutory warrants that exist with subpoenas? Similarly, I don’t see how it’s relevant that it’s not Microsoft’s contents. True, but why does it matter? I don’t see how that makes a difference to the legal issue.

DOJ’s brief opens with one interesting argument that I think is clever but ultimately wrong. DOJ argues that the SCA’s jurisdictional scope is defined by the statutory definition of “court of competent jurisdiction” in 18 U.S.C. § 2711(3):

the term “court of competent jurisdiction” includes—
(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals that—
(i) has jurisdiction over the offense being investigated;
(ii) is in or for a district in which the provider of a wire or electronic communication service is located or in which the wire or electronic communications, records, or other information are stored; or
(iii) is acting on a request for foreign assistance pursuant to section 3512 of this title; or
(B) a court of general criminal jurisdiction of a State authorized by the law of that State to issue search warrants

DOJ treats that definition as a jurisdictional principle, but I don’t think that’s right. I think that’s just a term that says what courts are allowed to issue the order. The Wiretap Act has an analogous concept, “judge of competent jurisdiction,” defined by 18 U.S.C. § 2510(9) as:

(a) a judge of a United States district court or a United States court of appeals; and
(b) a judge of any court of general criminal jurisdiction of a State who is authorized by a statute of that State to enter orders authorizing interceptions of wire, oral, or electronic communications;

That definition tells you what judges can issue wiretap orders — for example, Article III district and circuit judges but not magistrate judges — but it doesn’t tell you the jurisdictional reach of the Wiretap Act, which is only territorial, see United States v. Toscanino, 500 F.2d 267, 279 (2d Cir. 1974). Similarly, the definition of “court of competent jurisdiction” in the SCA tells you that magistrate judges can also issue SCA orders.

It’s true that “court of competent jurisdiction” in 2711(3)(A) talks about jurisdictional limits in (i), (ii), and (iii). But that language reflected a 2009 effort — albeit a rather inartful one — to answer in what jurisdictions U.S. courts can issue warrants for to help foreign governments. Before the Foreign Evidence Request Efficiency Act, Pub. L. 111-79 (2009), the SCA just said that courts with jurisdiction over the offense could issue warrants. But DOJ was worried that this created a puzzle when a foreign government needed evidence of crime and it wasn’t clear that a U.S. court had jurisdiction. So they took the “jurisdiction over the offense” from 2703 and put it in 2711(3)(A)(i), then adding (ii) and (iii). The language is inartful, and I’m not sure the change was actually necessary, but in any event it’s guidance on which U.S. courts can issue warrants. I’m not convinced that it weighs in one way or the other on whether whether statute’s territoriality is limited to U.S.-stored data.

Finally, I wasn’t persuaded by Microsoft’s assurances at the end of its brief that the MLAT procedure works so speedily. In its supporting materials, Microsoft included a declaration from Michael McDowell, a former Attorney General of Ireland, stating that in his view the Irish MLAT procedures are “efficient and well-functioning.” Microsoft treats that as a refutation of DOJ’s view that the MLAT procedure takes a really long time. But it’s worth noting that McDowell’s declaration does not provide any time estimates for how long the MLAT process typically takes. Nor does it explain why McDowell thinks the procedure is “efficient.” In the end, this may be a case of the blind men and the elephant. It may be that the procedure takes several months, and that this several-month process seems efficient to those processing the paper work and very slow to those waiting for it.

In the end, I think I still see this case the same way I did in my earlier post. To my mind, the important question is whether you see the statute’s domestic territoriality as resting on the location of the provider or the data. As I wrote in that post, I think it’s a close call.