Microsoft, one of the world’s largest e-mail providers, is resisting a government search warrant to compel the firm to turn over customer data held in a server located overseas.
In what could be a landmark case, the Redmond, Wash., company is arguing that such a warrant is not justified by law or the Constitution. Microsoft and other tech firms also fear that if the government prevails and can reach across borders, foreign individuals and businesses will flee to their non-U.S. competitors.
The materials sought by the government are e-mails held in a Microsoft data center in Ireland and connected to a drug-trafficking investigation.
The battle, which began in December when a magistrate judge in New York issued the warrant, also raises significant economic and diplomatic issues for U.S. companies that store mounds of data for others as part of the burgeoning cloud computing industry, which has been battered in the wake of revelations about its cooperation with U.S. spy agencies conducting broad surveillance.
“If the government’s position prevails, it would have huge detrimental impacts on American cloud companies that do business abroad,’’ said Michael Vatis, a lawyer who co-authored a friend-of-the-court brief for Verizon, which operates data centers overseas and which filed its brief Tuesday in support of Microsoft.
Microsoft’s efforts to push back against the government in this and other cases, company officials say, predate the disclosures by former National Security Agency contractor Edward Snowden about the reach of U.S. surveillance. But the revelations, which began a year ago, “certainly put a premium on demonstrating to people that we are fighting,” said one Microsoft official who spoke on the condition of anonymity because he was not authorized to speak for the company.
The legal issues are novel — a classic example of how technology has lapped the law. Only a few years ago, U.S. e-mail providers held their data in the United States, so there was no issue of whether a court had jurisdiction to issue a warrant for the data.
But as more and more U.S. companies host massive amounts of data from customers around the world, they have begun to store much of that information overseas. That is both to ensure that clients abroad get their videos and e-mails without delay and to give European clients, for instance, confidence that their records will be subject to European laws.
Microsoft argues that for data held overseas, the U.S. government should abide by its mutual legal assistance treaties, or MLATs. Those are agreements between the United States and foreign countries that typically require the requesting government to be in compliance with the other government’s laws. Irish law requires authorization from an Irish district court judge to obtain e-mail content from a provider.
Microsoft opened its data center in Ireland in 2010. The company has about 100 such facilities in 40 countries.
“Congress has not authorized the issuance of warrants that reach outside U.S. territory,” Microsoft lawyers wrote in a brief filed Friday. “The government cannot seek and a court cannot issue a warrant allowing federal agents to break down the doors of Microsoft’s Dublin facility.”
In a speech last week in New York, Microsoft general counsel Brad Smith likened the warrant it received to a “general warrant” issued by the British in the Colonial days. “It, in fact, tells Microsoft to go from building to building to building and go from country to country to country throughout the cloud of Microsoft data centers . . . to find and turn over the information that the government seeks,” he said in a speech at the Personal Democracy Forum, a conference on technology and democracy. “It is, in a sense, the broadest possible warrant that one literally can imagine in the 21st century.”
The government argues that the location of the records is irrelevant under the Electronic Communications Privacy Act, the 1986 law on which the court relied to issue the warrant. Rather, it is the company that is the subject of the warrant, prosecutors say. Moreover, they say, imposing limits sought by Microsoft would “lead to absurd results and severely undercut criminal investigations.”
A criminal could “easily reduce the risk of detection” by lying about his residence, causing Microsoft to store his records outside the United States “and beyond law enforcement’s ability to obtain the records in a timely manner, if at all,” Preet Bharara, U.S. attorney for the Southern District of New York, wrote in a brief opposing Microsoft’s motion to vacate the warrant.
In ruling against Microsoft in April, U.S. Magistrate Judge James C. Francis IV agreed with the government’s position, saying that the warrant was more of a hybrid — part search warrant and part subpoena. It is obtained like a warrant, with a judge finding probable cause that the data seized would turn up evidence of a crime. But it is executed like a subpoena, Francis said, in that it is served on the company and does not involve federal agents searching the company’s servers.
“It has long been the law that a subpoena requires the recipient to produce information in its possession . . . regardless of the location of that information,” Francis wrote.
One of the key unresolved issues that the case raises is the lack of clarity on what constitutes a search and a seizure and where they take place in the digital world — where data can be sent by a user in Paris, stored in Dublin and then retrieved by a company in Redmond, Wash.
The judge opined that the search would take place only when the e-mails were opened and read — and that would be in the United States. Microsoft argues that the search and seizure take place when the government compels technicians to search for and retrieve data that resides on the Dublin servers.
A privacy group, the Electronic Frontier Foundation, is planning to file a friend-of-the-court brief this week that will argue in part that if Microsoft were to copy the data in Dublin so it could be retrieved by employees in Redmond, that act of copying would amount to a seizure under the Fourth Amendment, which the judge, the group says, does not have jurisdiction to order.
The government’s reply is expected in July, several weeks before oral arguments begin.
“The scope of the privacy laws around the world is now a very important question, and this is the beginning of what may be a lot of litigation on the question,” said Orin S. Kerr, a George Washington University law professor and surveillance-law scholar. “So it’s a big case to watch.”
Verizon in its brief argued that the magistrate’s ruling, if left standing, “could cost U.S. businesses billions of dollars in lost revenue, undermine international agreements and understandings, and prompt foreign governments to retaliate by forcing foreign affiliates of American companies to turn over the content of customer data stored in the United States.”
The ruling, Verizon argued, would mean that foreign customers’ stored data would be available to “hundreds or thousands of federal, state and local law enforcement agencies, regardless of the laws of the countries where the data is held.”
Microsoft is doing the prudent thing by fighting the government, said Christopher Soghoian, principal technologist at the American Civil Liberties Union. “They're really, really scared about losing their foreign customers,” he said. “They’re doing everything they can to signal to their foreign corporate and government customers that their data remains safe in the cloud.”