The cloud makes just about everything better, whether it’s email, online storage, or eDiscovery. That is, unless you’re a government lawyer trying to subpoena private user data, in which case the cloud can quickly turn an investigation into an international affair. Google, for one, operates data centers in eight countries on four continents, while Microsoft operates one million servers in more than 100 data centers across the globe.
One case involving a Microsoft-hosted email account, however, could serve as a test of whether the benefits in the cloud will be a bane to the government’s ability to reach data about criminal suspects stored abroad. Last July, in Microsoft v. U.S., a three-judge panel for the Second Circuit decided that the government was prohibited from accessing data stored on Microsoft’s international servers. Now the government is seeking relief in the Supreme Court. If the Court agrees to hear the government’s recently-filed petition for a writ of certiorari on this issue, we could move one step closer towards clarifying whether cloud data stored on international servers will be fair game for criminal investigations.
Subpoenas and other requests for email data hosted by providers such as Google and Microsoft are currently governed by the Stored Communications Act, which sets guidelines for when a user’s data may be turned over by subpoena. The SCA institutes certain privacy protections for electronic communications while setting out procedures for the government to acquire this information within the context of criminal cases and investigations.
Although the SCA was enacted in the 1980s—well before the internet became what it is today—its framework still governs subpoena activities involving contemporary electronic communications services, which include email providers. For example, 18 U.S.C. § 2703(a) gives the government authority to access subscriber data stored by an electronic communications service—which has been held to include email providers—upon receiving a “warrant issued using the procedures described in the Federal Rules of Criminal Procedure… by a court of competent jurisdiction.” By using the word “warrant,” however, Congress failed to clarify whether a so-called “SCA warrant” could only be enforced domestically, as other warrants typically are.
This legal wrinkle came into play in Microsoft v. U.S., which involved a criminal investigation into the contents of a MSN.com email account. Although the government obtained and served an SCA warrant on Microsoft at its Washington office for the contents of the email account, most of the data the government requested was being stored at Microsoft’s data center in Dublin, Ireland. Although Microsoft’s cloud data systems did keep basic email account information on file in Microsoft’s U.S. data centers—which Microsoft turned over—Microsoft would have also needed to retrieve and turn over the Ireland-based files to comply with the warrant. Microsoft, therefore, refused to comply, arguing that the SCA’s language in § 2703(a), which provided the basis for the government’s warrant, evinced congressional intent to limit the warrant’s power to only data stored domestically. It then moved for a motion to quash the warrant.
At trial in federal district court, Microsoft’s motion to quash was denied, and Microsoft was subsequently held in contempt. The Second Circuit, however, reversed this, vacated the finding of civil contempt, and remanded the case down to federal district court with instructions to grant the motion to quash.
In its majority opinion, the Second Circuit panel relied heavily on the statutory construction principle established in Morrison v. National Australian Bank, Ltd., that all congressional legislation is presumed to only apply within U.S. borders—the so-called presumption against extraterritoriality. Circuit Judge Susan Carney surmised that Congress’s intent in passing the SCA was to protect users’ privacy and determined that the legislation did not explicitly expand SCA warrant coverage to data stored internationally.
In its cert petition, the government contests this view, arguing that the Second Circuit misinterpreted the SCA and, in turn, opened the door for a number of legal loopholes that could complicate eDiscovery in criminal cases.
The Second Circuit’s decision in Microsoft v. U.S. was immediately controversial. Although the Second Circuit did deny the government an en banc rehearing of the case, this was due to a 4-4 deadlock. Each of the four judges who would have reheard the case dissented individual. Each offered separate written opinions debating whether the actual invasion of privacy took place in Ireland, where Microsoft obtained the user’s confidential data as an agent of the government, or in Washington, where Microsoft would have downloaded the user data and turned it over to federal authorities.
Judge Dennis Jacobs, for example, argued that "no extraterritorial reach is needed to require delivery in the United States of the information sought, which is easily accessible in the United States at a computer terminal." Judge Jose A. Cabranes described the panel opinion as an unprecedented restriction on law enforcement, which “does not serve any serious, legitimate, or substantial privacy interest.”
One legal professor and Washington Post columnist even went so far as to question whether the parties were even litigating over the right issues.
Even if the Second Circuit decision stands, however, it could be rendered irrelevant based on a curious assumption the Second Circuit made about how cloud computing works. As the writ describes, Microsoft’s mail programs allow users to create accounts, and then migrates account data to a data center closest to the country he or she selects as home. Although some basic data from the account would be retrievable from Microsoft’s U.S.-based servers, any more complex content, such as emails and other correspondence, could only be retrieved from the data center the data was migrated to.
Therein lies the rub; not all cloud computing systems migrate user data to single, specified locations, but rather simultaneously store data on different servers at once. Google found this out the hard way after trying to rely on Microsoft in defending against several federal SCA warrants, only to have the warrants granted in a Pennsylvania federal district court.
Google, unlike Microsoft, relies on a dynamic server network infrastructure that constantly changes the location of user data, allowing the data to be present in a multitude of countries and data centers at any given time. As the Pennsylvania district court pointed out in a footnote, this results in the fact that the servers at issue are unknown and unidentifiable. Since any information requested on Google could be stored anywhere, applying the principles of Microsoft to Google’s server framework would lead to the absurd result of making the data itself immune to discovery.
Needless to say, the magistrate judge in Google’s case was unsatisfied with this unsettling hypo, holding that the electronic transfer of data from an international server to a domestic server is not a “seizure” because the actual invasion of the user’s privacy would occur the moment Google hands over the users’ data to the FBI—which would occur on U.S. soil— and thus would be within the purview of an SCA warrant. A similar case against Google from the Northern District of California also reached a similar conclusion, requiring Google to comply with an SCA warrant for user data stored abroad. Therefore, as cloud computing evolves, Microsoft could devolve into poor precedent based on its unique fact pattern.
Nonetheless, the stakes in Microsoft could prove significant. Not only is the decision currently binding in one of the largest legal and corporate markets in the United States, but the Second Circuit’s interpretation of the metes and bounds of SCA warrants could give criminal suspects a much-needed loophole to protect any incriminating email correspondence and cloud data from discovery. The Supreme Court’s input on the Second Circuit’s decision in Microsoft v. U.S., should it grant cert, could clarify the muddied legal issues surrounding the discoverability of foreign-stored cloud data.
This post was authored by Eric Pesale, the founder of Write For Law, who writes regularly about eDiscovery, cybersecurity and other legal topics for law firms, publications, and companies. He is a graduate of New York Law School and the University of North Carolina at Chapel Hill, and recently passed the New York bar exam. Eric can be reached at firstname.lastname@example.org or on Twitter at @writeforlaw.