The Washington PostDemocracy Dies in Darkness

Verizon responds to my blog posts on the foreign e-mail case

I have blogged twice about a fascinating case, currently pending in federal court in New York, on whether the federal government can use a warrant to compel Microsoft to disclose the contents of e-mail that Microsoft has stored on a server outside the U.S. The case has drawn a surprising amount of press attention, including a New York Times editorial that discusses one of my earlier posts.

I was also approached by Michael Vatis of Steptoe & Johnson, counsel in the case for amicus Verizon Communications, who asked me to post Verizon’s reaction to my blog posts. In the spirit of fostering debate on this important case, I agreed to post Verizon’s letter, authored by Michael, together with my reply. For those wanting to read Verizon’s letter without my reaction, I have posted it here. For those who prefer a more interactive version, here’s Verizon’s argument step-by-step, in italics, together with my reply in main text.

Verizon’s argument begins:

There is a well established doctrine called the “presumption against extraterritoriality,” which holds that “legislation of Congress, unless a contrary intent appears, is meant to apply only within the territorial jurisdiction of the United States.” Morrison v. Nat’l Austl. Bank Ltd., 561 U.S. 247, 248 (2010). Thus, a statute is presumed not to have extraterritorial application unless Congress has “clearly expressed” its “affirmative intention…to give [the] statute extraterritorial effect.” Id. Orin’s acknowledgment that the SCA does not address the extraterritoriality issue should be the end of the story. As the Supreme Court said in Morrison: “When a statute gives no indication of an extraterritorial application, it has none.” Id.
Orin doesn’t discuss the presumption against extraterritoriality. But it is at the core of the Microsoft case.

To be clear, I agree that the statute does not apply extraterritorially. But I think this conclusion only raises the hard question: At bottom, does this case involve regulation of providers that are inside the U.S. or data that is outside the U.S.? When a U.S. provider stores data outside the U.S., does the Stored Communications Act apply because the provider is domestic, or does it not apply because the data is extraterritorial? Perhaps I’m just looking at the case in an idiosyncratic way, but that strikes me as the key question.

The letter continues:

The government has sought to sidestep the presumption against extraterritoriality by arguing that the statute would not actually be applying outside the United States in this case, even though the e-mails it seeks are in Ireland, because the warrant was served on Microsoft in the United States and because the e-mails wouldn’t actually be seized or searched until they were in the government’s hands in the United States. The government cites no cases supporting this novel argument. Regardless, the government ignores two key facts—Microsoft’s computers would be searched when Microsoft—acting at the behest, and as an agent, of the government— looks for the responsive e-mails in Ireland. Moreover, those e-mails would be seized in Ireland when they are copied. On this point, Orin agrees that “the seizure would be occurring outside the United States.” As a result, it seems undeniable that at least a seizure would be occurring in Ireland, meaning that the search warrant would indeed be applying extraterritorially.

I agree until the last sentence, which I think has two problems. First, we don’t actually know if a Fourth Amendment seizure would be occurring in Ireland. That depends on whether the target is a U.S. person with Fourth Amendment rights or a foreign national who very likely lacks those rights. Second, and more importantly, I don’t know what it means to say that the warrant would “apply” abroad.

This latter point may seem like an overly technical point about language. And if you think that, feel free to skip the remainder of this paragraph. But Microsoft’s argument hinges in part on a similar technical point about language, so it seems worth exploring the difficulty.

Here’s my thinking. Under Second Circuit law, there is no warrant requirement for extraterritorial searches and seizures outside the United States. So we all agree that U.S. government doesn’t need a warrant to conduct searches or seizures abroad. Given that, I don’t know why the government getting more process than it needs — that is, obtaining a warrant when the Fourth Amendment doesn’t require it — means that the warrant is now “applying” abroad in a way that becomes legally problematic. The warrant is not actually making anyone outside the U.S. do anything. As I understand things, Microsoft will comply with the warrant (if it ever does) by having someone in the U.S. go on to Microsoft’s network and gather the e-mails remotely. Granted, the warrant relates to e-mails stored abroad, and it requires those inside the U.S. to comply with it. But I’m not sure it makes sense to say that the warrant is “applying” abroad.

Back to Verizon’s argument:

Orin raises an argument different from the government’s, asserting that “recent amendments to [Federal] Rule [of Criminal Procedure] 41…expressly allow extraterritorial warrants.” But these amendments permit (in certain limited circumstances, such as terrorism investigations) only searches of property outside of the issuing court’s district. They say nothing about searches or seizures of property located outside of the country. Not surprisingly, then, courts have uniformly held that Rule 41 does not authorize searches or seizures outside of the territory of the United States. See, e.g., U.S. v. Odeh, 552 F.3d 157, 169 (2d Cir. 2008). Moreover, the Supreme Court rejected a proposed amendment to Rule 41 that would have allowed warrants for searches and seizures of property located outside the United States. See Fed. R. Crim. Proc. 41, Notes of Advisory Committee on Rules—1990 Amendment. Not surprisingly, then, the U.S. government has not advanced the argument that Rule 41 authorizes a search warrant for e-mails (or other property) located outside the United States.
There is one narrow exception—Rule 41 authorizes warrants for searches conducted in United States territories, diplomatic missions, and residences owned by the U.S. and used by diplomatic personal outside the U.S. But this is not what Orin seems to be talking about, and it is not what the Microsoft case is about. Moreover, this exception shows that Congress knows how to make a warrant apply outside of the U.S. when it wants to, which just underscores that it did not do so for any other circumstances in Rule 41.
Thus, neither the SCA nor Rule 41 authorizes warrants for searches or seizures of e-mails (or anything else) outside of the United States. The presumption of extraterritoriality therefore comes into play, and Microsoft wins. Case closed.

This passage misunderstands my argument, and I think I can make some headway in explaining it. In the passage of mine quoted above, I was considering whether the Constitution allows Congress to authorize warrants for searches abroad. I think the answer to that is “yes.” The Verizon letter is instead considering whether the current version of Rule 41 authorizes warrants for searches abroad, at least in the routine case such as this. I agree with Verizon that the answer is “no.” But I don’t think that’s relevant, as caselaw makes clear that the jurisdictional scope of 2703(a) warrants are defined by 2703(a) instead of Rule 41. See United States v. Berkos, 543 F.3d 392, 398 n. 6 (7th Cir. 2008); United States v. Kernell, Crim. No. 08–142, 2010 WL 1408437, at *2–3 (E.D.Tenn. Apr. 2, 2010); In the Matter of the Search of Yahoo, Inc., Crim. No. 07–3194, 2007 WL 1539971, at *7 (D.Ariz. May 21, 2007). So while Rule 41’s jurisdictional provision wouldn’t allow this under current law, that doesn’t matter to the extraterritorial scope of 2703(a).

More from the letter:

A second, two-hundred-and-ten-year old doctrine holds that “an act of Congress ought never to be construed to violate the law of nations if any other possible construction remains.” Murray v. Schooner Charming Betsy, 6 U.S. (2 Cranch) 64, 118 (1804). The Supreme Court has repeatedly re-affirmed this principle, stating that U.S. laws should be interpreted “to avoid unreasonable interference with the sovereign authority of other nations.” F. Hoffman-La Roche Ltd. v. Empagran S.A., 542 U.S. 155, 164 (2004). Orin doesn’t discuss this Charming Betsy doctrine, but it provides another, independent reason that the SCA should not be construed as authorizing warrants for e-mails located abroad. For if it were construed in this manner, it could easily lead to conflicts with the laws of the nations where the e-mails are stored.
That is clearly the case here. For example, EU officials such as Viviane Reding, the Vice-President of the European Commission, have stated that if Microsoft disclosed the e-mails in Ireland, it would run afoul of the EU Data Protection Directive. It would also run counter to the Mutual Legal Assistance Treaty (MLAT) between the U.S. and Ireland, which presupposes that the U.S. will request assistance from the Irish government when it wants to get its hands on evidence located in Ireland.

I don’t know much about the Charming Betsy doctrine, but I don’t see how it applies here. As I understand Charming Betsy, it applies to interpretations of U.S. laws that might violate international law or U.S. treaties. But that doesn’t seem to be the case here. First, I don’t think the EU’s adoption of a legal approach makes that approach “international law” for purposes of Charming Betsy. (This is assuming that complying with the warrant violates the EU Data Protection Directive; Reding’s letter suggests this without stating it clearly.)

Second, I don’t see the conflict with the US/Ireland Mutual Legal Assistance Treaty. That treaty does not purport to provide the exclusive means by which authorities in one country can collect evidence located in the other. For example, if Irish authorities obtain an Irish court order to obtain non-content records from a U.S. Internet provider about a U.S. citizen’s Internet use, federal law allows the U.S. provider to disclose the U.S. records to the Irish authorities with or without the court order. See 18 U.S.C. 2702(c)(6). It’s evidence collection outside the MLAT, but that’s fine because the MLAT is not the exclusive means of obtaining evidence.

The argument continues:

Orin goes on to argue that if Microsoft wins, the government could just turn around and use a subpoena to get the same data, which might result in less privacy protection for e-mails than a probable-cause based warrant. There are two problems with this argument.
First, it strikes me as doubtful that the government would actually try to use a subpoena to obtain the content of e-mails located abroad. After all, the Justice Department has now given up using anything but warrants to get communications content in general, following the decisions of the Sixth Circuit (in U.S. v. Warshak, 631 F.3d 266 (6th Cir. 2010)) and other courts holding that the Fourth Amendment requires the government to use a warrant to get any communications content. The Attorney General and other Justice Department officials have also said the Department favors amending ECPA to require a warrant to obtain any communications content as part of a criminal investigation. Thus, even if the Fourth Amendment’s warrant requirement doesn’t apply to property located outside the U.S., it seems doubtful to me that the government would try to use a subpoena to obtain e-mail content because of the privacy ramifications (Fourth Amendment aside). Moreover, using a subpoena, based on a mere relevance standard, would only worsen the international uproar caused by the government’s attempt to unilaterally obtain communications stored abroad. And it would be sure to generate intense opposition from U.S. communications and cloud service providers.

I can’t speculate about what the U.S. communications and cloud service providers would do if they won the case, and the effect, ironically, was to lower privacy protections. Their litigation strategy creates a risk that might happen. But that was their call.

As for DOJ’s likely reaction, I see this a bit differently. First, my understanding is that DOJ disagrees with Warshak. And even if DOJ now agrees with Warshak, the cases we’re talking are largely about non-U.S. persons who have no Fourth Amendment rights in the first place. In that case, Warshak is irrelevant.

Second, even if DOJ loses on the statutory issue, there are ways to get the information other than through the MLAT. One possible government strategy would be to use a combined subpoena and warrant. Instead of serving only a warrant, law enforcement would send the provider (1) a grand jury subpoena ordering the provider to transport a copy of the e-mails to the grand jury inside the U.S. together with (2) a warrant ordering the provider to disclose the e-mails to investigators. The subpoena would apply to the extra-territorial part of the picture, and the warrant would apply to the domestic disclosure to the government under the SCA.

Also, I’m curious: If Verizon is right that the MLAT must be followed exclusively, what happens if Microsoft or another provider simply stores the e-mail on a server in a country without an MLAT with the U.S.? Does that mean that the U.S. is simply prohibited from accessing the data under any circumstances? That seems like a puzzling result.

Back to the letter:

Second, it is not at all clear that the government could use a subpoena to obtain the content of e-mails that are in electronic storage for less than 180 days old. (The SCA allows certain other communications content to be obtained with a subpoena, but those are not at issue in this colloquy, so let’s set them aside.) Orin asserts that if the court agrees that the SCA doesn’t authorize an extraterritorial warrant, then the SCA’s legal protections—in particular, the statutory requirement to use a warrant to get e-mail content—“necessarily…don’t apply,” either. I don’t think that’s right. Neither Rule 41 nor the SCA expressly authorizes warrants to be used to get data abroad, so the presumption against extraterritoriality and the Charming Betsy doctrine kick in. But Section 2702 of the SCA does expressly say that an electronic communications service provider may not knowingly divulge communications content except as authorized by Section 2703 (and a few other provisions), and Section 2703 requires the government to get a warrant. Section 2702 may not apply to communications providers located outside the United States. But it clearly does apply to providers inside the United States. So the SCA legally prohibits Microsoft from divulging any communications content to the government without a warrant.

That can’t be right, I think. The SCA acts as a sword and a shield. It both prohibits disclosure without a warrant (the shield) and provides for a warrant authority to compel disclosure (the sword). Verizon wants the shield to apply but not the sword: It wants to say that the SCA’s ban on disclosure applies to providers in the U.S. while the SCA’s warrant authority does not apply because the data is outside the U.S. But I think the territoriality of the two parts of the SCA have to operate together. Either the SCA applies or it doesn’t. You can’t keep the parts of the statute you like and jettison the ones you don’t.

Moreover, the cases in which the government has been able to get information stored abroad by serving a company in the United States all involve the business records of that company or an affiliate under that company’s control. I’m not aware of any case in which a court has permitted the government to use a subpoena to a U.S. company to obtain property belonging to someone else or the content of another person’s communications. Thus, as Microsoft suggests in its reply brief, the government might be able to use a subpoena to a U.S. bank to obtain the business records of the bank’s subsidiary in Switzerland, but it could not use it to obtain the contents of a customer’s safe deposit box there. It might be able to use a subpoena to a U.S. hotel company to get the records in France concerning one of the company’s properties in Paris, but it could not use one to obtain the belongings of a hotel guest from his room in that Paris hotel. Similarly, the government might be able to use a subpoena to obtain an e-mail provider’s own business records stored in Dublin (if those records are under the U.S. provider’s custody, possession, or control and the balancing test set out in the Restatement (Second) of Foreign Relations Law of the United States weighs in favor of the government). But I don’t know of any authority that holds that a subpoena can be used to obtain the content of a subscriber’s e-mails stored abroad.

This argument rests on two assumptions that I find dubious. First, it assumes that the lack of cases involving a particular fact pattern proves that the government lacks the authority to obtain evidence in that fact pattern. I’m not sure why. The lack of cases could just indicate that it was done but never challenged or that it hasn’t been tried. Second, the argument assumes that there is a crucial statutory difference in ownership between contents and metadata, so that the subpoena power extends to one but not the other. But I don’t know the basis for the distinction. I’m not aware of any cases saying that the reach of a subpoena is statutorily limited based on the ownership of the data to which the subpoena relates.

Does this smack of the providers’ wanting to have it both ways–that is, the SCA doesn’t authorize warrants to obtain the content of e-mails abroad, but it forbids providers from disclosing e-mails in response to a subpoena, regardless of where the e-mails are located? It may seem that way. But all it really means is that Congress hasn’t addressed the extraterritoriality issue in the SCA. This leads us back to the point Orin and I agree on: if Congress wants search warrants to apply to data stored abroad, despite the negative impact that would have on the business of American e-mail and cloud providers and on the United States’ relationship with other countries, and despite the fact that the government can usually get the information it wants through assistance from foreign law enforcement, it needs to amend the statute to say so expressly. Balancing the negative effects on business and foreign relations against the needs of law enforcement is a quintessential policy decision that should be made by Congress, not by a prosecutor or judge in the Southern District of New York.

I’m glad we agree that Congress should deal with this issue rather than leave this to the courts. Unlike most litigation in this area, powerful interests are on both sides of the case. The losing side is likely to seek legislative change. In the meantime, judges faced with the issue have to do their best with the statute we have rather than the statute we want.

UPDATE: I fiddled with this post a bit, soon after posting it, to correct some typos and clarify some language.