On September 9th, the Second Circuit will hear Microsoft’s challenge to a search warrant seeking contents of an e-mail account held by Microsoft on a server in Ireland. I blogged about the merits of the case here, here, and here when it was before the district court. This post considers a different question: How much does the outcome of the case actually matter?
Based on all the press coverage about the case, you might think the outcome is tremendously important. Microsoft General Counsel Brad Smith has commented extensively about the case. Microsoft is even sponsoring an event about the case this week in New York City hosted by Above the Law — just the kind of event that Second Circuit law clerks working on their bench memos might see.
Why is the case viewed as so important? For Microsoft, it is thought that lots of European business may hinge on the outcome. In the post-Snowden world, many Europeans are very concerned about the risk of U.S. spying on foreign communications. U.S. government access to foreign e-mail accounts is a sensitive question. For example, last year the German Federal Ministry of the Interior announced that to bid on government contracts, a provider must make a “no spy” guarantee that the provider won’t give up data to non-German governments. If the e-mail accounts of European customers can be obtained by warrants signed by U.S. judges, then companies like Microsoft may not be able to make the “no spy guarantee” and might lose the business.
So that’s apparently why the case matters so much to Microsoft. And it’s easy to see why it matters to the Justice Department. A U.S. provider can easily put the e-mail of U.S. customers on a server abroad. If doing so would place the e-mail outside the reach of a U.S. warrant, then U.S. providers could readily thwart U.S. search warrants in domestic cases by putting their servers in places where alternative legal process would be spotty or unworkable. Most providers wouldn’t do that. But some would, and it could be a major problem for U.S. investigations.
Having explained why the case is considered so important, let me offer two reasons why I think the outcome is much less important than it seems. The first reason is that an internal rearrangement at Microsoft might reverse the impact of a ruling against the company. The second reason is the likelihood of a legislative fix no matter which side wins.
The first reason focuses on how Microsoft has decided to handle its global e-mail business. If I’m reading the Magistrate Judge’s opinion correctly, you’re always interacting with Microsoft in the United States when you set up a Microsoft e-mail account. That’s true regardless of whether you live in New London, Connecticut or London, England. If you’re abroad, Microsoft might decide to place your e-mail on a server abroad to make it quicker for you to access your e-mail. But Microsoft in the United States maintains control of the account and maintains some records on United States servers. When a government comes to Microsoft seeking records pursuant to legal process, Microsoft activates its Global Criminal Compliance (“GCC”) team from inside the United States to gather the records. The GCC team members in the U.S. gather the records from around the world, pulling them from servers wherever they are located.
Microsoft’s decision to base everything in the U.S. might be very significant for the privacy implications of Microsoft e-mail accounts. If the U.S. government serves a warrant on Microsoft in the U.S. for the records, Microsoft in the U.S. has access to all customer data from around the world. They can get all the e-mails with a push of a button.
But Microsoft didn’t have to set things up that way. They could have designed their business so that if you sign up for an account from outside the U.S., your relationship is entirely with the company’s foreign subsidiary and the data isn’t directly accessible from inside the United States. For example, when you sign up for a Yahoo account from Europe using Yahoo.uk, Yahoo.fr, or a similar European-based service, your legal relationship is with Yahoo EMEA Limited in Dublin instead of Yahoo in the United States. My understanding is that Yahoo keeps its accounts local, apparently at least in part to limit the laws under which it can be accessed.
This difference creates the prospect that a Microsoft loss in the Second Circuit could be addressed, entirely or at least in part, by Microsoft rearranging its network. If the same case involved a Yahoo account instead of a Microsoft account, and the account was created by a person in Europe, U.S. authorities could not just go to Yahoo in California. They would have to get the information from Yahoo EMEA Limited in Dublin instead. Perhaps Yahoo in California would have a way of getting the information from Yahoo EMEA Limited in Dublin — I don’t know their precise relationship — but it becomes a pretty different legal question at that point.
The second reason the outcome of the case may not matter is that the odds of a legislative fix seem relatively high no matter who wins. The Second Circuit decision may just be a pit stop on the way to Congress. And the legislative fix might look the same regardless of who wins in the Second Circuit.
Here’s why. This case is in court because ECPA draws no distinction between two different scenarios: (a) U.S. government access to the e-mails of a U.S. customer doing business with a U.S. e-mail provider that happens to have placed the e-mails on a server overseas, and (b) U.S. government access to the e-mails of a foreign customer stored on a server overseas by an e-mail provider that happens to be U.S.-based. DOJ is really worried about the rules for the first scenario, as it could impact lots of their domestic cases involving e-mail. And Microsoft is really worried about the rules for the second scenario, as it could impact its business competitiveness abroad.
Each of their concerns is legitimate. But there’s no necessary conflict between them. There’s a conflict under the current statute only because the current text offers no way to distinguish these two scenarios. They have to be treated by the same rule.
The ready solution is a statutory fix that treats these two scenarios differently. U.S. companies should have to comply with U.S. warrants for U.S. persons even when they put data on servers abroad. At the same time, U.S. warrants should not be used to access foreign-stored files of foreign users even when held by U.S.-based companies. That’s the basic approach taken by the LEADS Act, which Microsoft supports. And I would guess that DOJ doesn’t have a problem with that approach, either, as it preserves the power that criminal investigators need in the overwhelming majority of cases that will involve U.S.-based users.
Normally, pointing to the option of a legislative fix in this Congress isn’t very helpful. Very little gets through Congress these days, making legislation seem only a theoretical possibility. But that’s not the case here. Both sides have a lot of influence on the Hill. If DOJ wins in the Second Circuit, you’ll have some major tech companies urgently pushing for legislation to fix the law — and perhaps all of them, if it looks like the internal structure approach (argument 1 above) doesn’t work. If they demand the fix and DOJ doesn’t object, there’s a decent chance it will go through.
Similarly, if Microsoft wins in the Second Circuit, you’ll have federal law enforcement urgently pushing for legislation to fix the law. I doubt federal law enforcement has quite as much political influence these days as the major tech companies have. But they still have a lot, and they’ll have a pretty compelling argument that a fix is needed just to restore the warrant authority for routine U.S.-based criminal investigations.
Given that neither side has a particular beef with the core concern of the other, I would think that a statutory fix is relatively likely either way. And because there’s a natural common ground between the two sides, it may be the same fix regardless of the starting point. So we may end up in the same place regardless of which way the Second Circuit rules.
I have some thoughts on the details of how a statutory fix might work. But this post is long enough, so I’ll save them for another time.