Tuesday, August 5, 2014

S.D.N.Y. Affirms Order To Microsoft To Hand Over Data Stored Overseas Pursuant To A Stored Communications Act Warrant

Written by Keenan W. Ng

On Thursday, July 31, 2014, Microsoft lost a challenge to an April 25, 2014 order denying its motion to quash a subpoena issued by the federal government pursuant to the Stored Communications Act (“SCA”) for email communications located on Microsoft servers in Ireland.  Issuing her ruling from the bench, U.S. District Judge Loretta Preska stated that “Congress intended in this statute for ISPs to produce information under their control, albeit stored abroad, to law enforcement in the United States … As [Magistrate Judge James Francis IV] found, it is a question of control, not a question of the location of that information.”

Luckily for Microsoft, Judge Preska stayed the implementation of her ruling so that Microsoft could appeal to the Second Circuit.  While we wait for that to occur, it might be worthwhile to go back and examine what Judge Francis’ April 25, 2014 Order said.

The April 25, 2014 Order Denying Microsoft’s Motion to Quash
          Background
On December 4, 2013, Judge Francis issued a warrant pursuant to section 2703(a) of the SCA.  The SCA authorizes the search and seizure of information associated with a specific web-based e-mail account.

In response to this warrant, Microsoft’s Global Criminal Compliance (“GCC”) team took action.  When the GCC receives a warrant, it determines where the data for the account target is stored.  The GCC can retrieve this information remotely no matter where the data is located.  

Microsoft stores emails sent and received by its users in its datacenters, which are located at various sites in the United States and abroad.  Because of “network latency” (the concept that the closer the user is to where their data is stored, the more quickly the user can access that data), where a user’s information is stored is based upon the “country code” the user enters at registration.

Upon review of the court’s December 4 warrant, the GCC determined that some information associated with the target account was located in Ireland.  Because this information was stored outside of the United States, Microsoft filed a motion to quash, arguing that federal courts do not have authority to issue warrants for the search and seizure of property outside the United States.

In reviewing Microsoft’s motion, the court considered whether United States law enforcement agents could obtain digital information from Microsoft that is stored abroad.  After analyzing (1) the statutory language of the SCA; (2) the structure of the SCA; and (3) the legislative history of the SCA, the court denied Microsoft’s motion.  

          Statutory Language
The relevant part of the SCA states:

A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure … by a court of competent jurisdiction. (Emphasis added.)

The key ambiguous language of this statute is the phrase “using the procedures described in the Federal Rules of Criminal Procedure,” referring to Fed. R. Crim. P. 41.  Microsoft argued that all aspects of Rule 41 are incorporated by reference into the SCA, including limitations on the territorial reach of SCA warrants.  The court did not believe this interpretation was so clear-cut, suggesting that while procedural aspects of the application process are to be drawn from Rule 41, more substantive rules were derived from other sources.  As such, the court found that the statutory language was not helpful to its analysis.

          Structure of the SCA
The court next looked at the structure of the SCA.  Through the SCA, Congress placed limitations on a service provider’s ability to disclose information.  This not only addressed the fact that there were no constitutional limits on an ISP’s disclosure of its customers’ data (thus tying up a loophole in the Fourth Amendment), but also created a higher standard of showing for the government to obtain the information, because a subpoena, as opposed to a warrant, does not require a showing of probable cause.

Curiously, a warrant issued pursuant to the SCA is a hybrid warrant-subpoena: it is obtained like a search warrant upon a showing of probable cause; however, it is executed like a subpoena in that it is served on the ISP but does not involve government agents entering the premises of the service provider to search its servers and seize the target e-mails.

Because of the warrant’s execution, the court found that the principles of extraterritoriality did not apply to an SCA warrant, which should be treated like a subpoena.  In particular, the court noted that a subpoena required the recipient to produce information in its possession, custody, or control regardless of whether that information is located in the United States or not.  As such, Microsoft was required to produce the data stored in Ireland because the information was in its control.

In addition, the court cited Professor Orin S. Kerr, who stated that in the context of digital information, a “search” occurs when the information is viewed on a computer screen as opposed to when it is copied to a hard drive or processed by computer.  In the instance of an SCA warrant, the federal agents’ “search” of Microsoft emails would take place in the United States, and therefore no extraterritorial search would occur.

          Legislative History
With respect to the (“scant”) legislative history, the court determined that “Congress anticipated that an ISP located in the United States would be obligated to respond to a warrant issued pursuant to section 2703(a) by producing information within its control, regardless of where that information was stored.”  This further supported the proposition that Microsoft could not avoid producing information stored internationally.

          Practical Considerations
The court also reviewed a few practical considerations for why territorial restrictions on conventional warrants should not apply to SCA warrants.  First, because an ISP is not obligated to verify the information provided by its users, a party intending to engage in criminal activity could simply state to his internet service provider that he is a resident outside of the United States and then evade an SCA warrant.

Second, if an SCA warrant were treated like a conventional search warrant, it would have to be executed abroad pursuant only to the Mutual Legal Assistance Treaty (“MLAT”).  However, given that the MLAT does not apply to countries that are not part of the treaty, and that for member countries, adherence to the MLAT is optional, reliance on the MLAT to implement the SCA could prove burdensome.

In light of the above factors, the court denied Microsoft’s motion to quash and ordered the company to comply with the government’s SCA warrant.

Going Forward
If the Second Circuit affirms Judge Preska’s ruling, it could have troubling effects for technology firms as well as companies that store information on the cloud.  This interpretation of the power of the SCA is a way for the government to circumvent channels that the principles of extraterritoriality previously denied.  In addition, what would such a ruling mean for foreign citizens who use Gmail, Amazon, DropBox, and other such cloud-based applications?  Although not normally subject to an American court’s jurisdiction, a foreign person’s data might now be fair game because of an SCA warrant.

Of course, there is an easy way for firms to protect their users’ data in the face of an SCA warrant: client-side encryption.  Because the user has the keys to decrypt their data, it prevents ISPs from handing over usable data without the permission of the user.  While this may protect foreign users, users in the United States can be compelled to decrypt their data.  In any event, while the S.D.N.Y.’s ruling may conjure troubling implications, practically speaking, it seems that industry has already developed a hack around the SCA to guard against their revealing user data.
