Microsoft was in court again this week waging its ongoing battle against a Department of Justice warrant for data stored on the company's servers in Ireland. Microsoft denounced the U.S. government's "incursion into a foreign sovereign country" and contended it "threatens the privacy of U.S. citizens." How important is the case?
Microsoft has rallied a long list of tech and media companies to its cause -- Apple and Cisco filed an amicus brief, as did Verizon, HP, Salesforce, and eBay, as well as Amazon and Accenture, AT&T and Rackspace, and the Irish government. In one especially odd set of bedfellows, ABC, CNN, NPR, Fox News, the Guardian, and 25 other media groups filed in support of Microsoft.
It has been widely reported that the outcome could determine the direction of the cloud for years. For two years the tech giant has been refusing to comply with a U.S. warrant, related to a drug-trafficking case, and hand over emails from a Hotmail account hosted in Ireland. At stake is the question of whether, when a U.S. provider stores data outside the United States, the Stored Communications Act (SCA) of 1986 applies because the provider is domestic.
Microsoft stated melodramatically in court papers last summer that "the government cannot seek and a court cannot issue a warrant allowing federal agents to break down the doors of Microsoft's Dublin facility."
Perhaps not. But can the government require a Microsoft employee in Redmond, Wash., to go on Microsoft's network and remotely access the emails?
Two previous judges have ruled that it can. What matters, they say, is whether providers have control over data, not where the data happens to be located.
Microsoft argues that the emails should be subject to Irish laws and obtained by using the Mutual Legal Assistance Treaty, which is an agreement for law enforcement agencies to assist their counterparts abroad in obtaining evidence for criminal investigations.
The Justice Department considers that process too slow and wants to deal directly with the U.S.-based company. It argues that the SCA and various court rulings compel Microsoft to comply with its search warrant.
Microsoft counters that SCA couldn't have anticipated cloud storage, so the courts' rulings represent judicial speculation far outside the act's bounds. "No one describes air travel as ground transportation just because it involves taxiing to and from the runway," the company said in a brief.
The DOJ contends in court papers that Microsoft's system of storing data where customers say they are based is open to abuse, as "a criminal user can easily manipulate such a policy to evade the reach of U.S. law enforcement by the simple expedient of giving false residence."
But in the post-Edward Snowden age, fears of U.S. government surveillance overreach run rampant -- particularly in Europe, which has strong data protection and privacy laws -- and U.S. tech companies fear a potentially catastrophic effect of this case on their cloud businesses. The Information Technology and Innovation Foundation warns:
If the court supports the use of search warrants to obtain data stored abroad, it will feed the perception that the best way to protect data from the prying eyes of the U.S. government is to store it overseas with a non-U.S. provider.... those fears will likely cost U.S. tech companies well over $35 billion by 2016.
Media companies and others predict a U.S. government victory would also set a bad precedent, providing authoritarian governments like China and Russia a way to get access to files on computer servers located in the United States and essentially making everyone's data fair game.
"The U.S. government cannot expect to have one model that it follows without anticipating that the rest of the world will follow that model," Brad Smith, Microsoft's general counsel, told the Guardian last year. "And this is a model that encourages governments to reach into other territories. That does not seem like a sound approach to international stability or mutual respect in the 21st century."
The government points out that U.S. courts have already said that banks' business records held overseas can be seized. But Microsoft says bank records and email are not the same. "A bank can be compelled to produce the transaction records from a foreign branch, but not the contents of a customer's safe-deposit box kept there. A customer's emails are similarly private and secure and not subject to importation," Microsoft said.
Orin Kerr, Fred C. Stevenson Research Professor at the George Washington University Law School, says the government probably has the better argument in the case as currently framed. (Although he also believes that Microsoft could argue -- independently of the SCA -- that the warrant as written doesn't actually authorize the retrieval of information from off site.)
Kerr dismisses Microsoft's claims that compliance with the warrant in the United States would effect a search and seizure overseas and make application of the warrant extraterritorial, pointing out that the warrant is not actually making anyone outside the states do anything. In addition, searches and seizures are Fourth Amendment concepts. While Microsoft did not state whether the email account owner is a foreign citizen located overseas, if that's the case, Kerr says, "the account holder has no Fourth Amendment rights …[and] compliance with the warrant doesn't implicate the Fourth Amendment or raise any questions of what is a search or seizure."
Whatever the outcome of Microsoft's latest appeal -- and a decision may not come for several months -- Kerr argues the case may not matter for two reasons. First, Microsoft could avoid the reach of similar U.S. warrants by reorganizing its networks. "Microsoft in the U.S. has access to all customer data from around the world. They can get all the emails with a push of a button. But Microsoft didn't have to set things up that way," Kerr says. "They could have designed their business so that if you sign up for an account from outside the U.S., your relationship is entirely with the company's foreign subsidiary and the data isn't directly accessible from inside the United States." Yahoo, for one, is set up this way.
Secondly, the reach of SCA will probably end up being decided in Congress. This case is currently in the courts because the Electronic Communications Privacy Act makes no distinction between U.S. government access to the emails of U.S. customers doing business with a U.S. email provider that places emails on a server overseas, and U.S. government access to foreign customers' emails stored on an overseas server by an email provider that is U.S.-based.
"The DOJ is really worried about the rules for the first scenario, as it could impact lots of their domestic cases involving email. And Microsoft is really worried about the rules for the second scenario, as it could impact its business competitiveness abroad," Kerr says. The conflict between them only exists because current statutes do not distinguish between the two scenarios.
That situation could soon change. The Law Enforcement Access to Data Stored Abroad (LEADS) Act, introduced by Senators Orrin Hatch (R-Utah), Chris Coons (D-Delaware), and Dean Heller (R-Nevada), is overwhelmingly supported by tech companies -- including Microsoft, which said in a blog post that LEADS "offers essential reforms that rectify outdated privacy laws. [It] safeguards U.S. electronic data stored abroad, and establishes a balanced process for how the government can obtain data while honoring the liberties of other countries and abiding by individual privacy rights."
Microsoft argues in its court brief that complying with the U.S. warrant is as much a political matter as a legal one. "Only Congress has the institutional competence and constitutional authority to balance law enforcement needs against our nation's sovereignty, the privacy of its citizens and the competitiveness of its industry."
This may also be the nicest thing anyone's said about the U.S. Congress in a while.