Published by The Lawfare Institute
The Second Circuit heard oral argument Wednesday in Microsoft’s dispute with the Department of Justice over access to emails stored in Ireland. (Background on the case is here, and there is an enlightening exchange between Orin Kerr and Jen Daskal here and here.) Much of the scholarly commentary so far has been narrowly focused on statutory interpretation questions regarding the Stored Communications Act, which is part of the Electronic Communications Privacy Act (ECPA). I want to take up another aspect of the case: the prevailing sense that stakes are sky high if Microsoft loses. Microsoft General Counsel Brad Smith captured this view well when he noted that hanging in the balance are: “the future of the Internet, privacy, respect for borders, and public safety.” That is a big claim, and the media has largely embraced it. But is it true?
I don’t think so. Indeed, I think there is a powerful case to be made that a victory for Microsoft would do more harm to the future of the Internet, privacy, and public safety than would a loss. My arguments (like Smith’s) depend on unknowns, but since the prevailing view is so one-sided, I think it is worthwhile to present the contrary case.
Let’s start with the argument that it would violate Irish sovereignty for the U.S. to compel Microsoft to produce data that is stored in Ireland. This is not the way that sovereignty has been understood in analogous contexts. As the Restatement of the Foreign Relations Law of the U.S. notes, U.S. courts have long supported a broad conception of “enforcement jurisdiction” – the state’s ability to seize persons and property on its territory in order to enforce its laws. That includes asking a defendant to bring extraterritorial evidence back into the U.S., even if the FBI could not have sent agents abroad to get it. (As Judge Lynch noted in oral argument yesterday, this is precisely what happened in the prosecutions he personally won against Marc Rich in the 1980s.) Yet the media has largely treated this case as if the U.S. government were sending black helicopters to Ireland to snatch the data. The normally-levelheaded Economist starts a recent article about the Microsoft case with this lede: “Suppose FBI agents were to break into the postbox of an American company in Dublin to seize letters which might help them convict an international drug dealer. There would be general uproar, if not a transatlantic crisis.” This is misleading. In this case, no U.S. law enforcement agents travel overseas or break into anything. Rather, the DOJ is asking the court to do what it has done in dozens of offshore banking cases: compel a company doing business in the U.S. to produce evidence stored offshore. Why should data be any different? Microsoft is a U.S. company that has evidence connected to a U.S. crime, and a U.S. judge has determined that the government has probable cause to seek that evidence. If the U.S. can get personal jurisdiction over Microsoft, there is no domestic or international jurisdictional principle that prohibits a U.S. court from compelling a U.S. firm like Microsoft to produce evidence under its control but stored abroad. 
(Of course, there might be domestic statutory reasons not to allow this production, or scope-of-the-warrant issues, as others have noted, but these are separate questions.)
Second, let’s consider the claim that if Microsoft loses, as the Guardian puts it, the case will “set a dangerous global precedent,” encouraging other countries to do what the U.S. is doing: demand data directly from technology companies. This would not be a novel precedent as a matter of fact nor is it ultimately such a bad idea. As it stands right now, law enforcement agents around the world struggle to get the data they seek in connection with legitimate law enforcement operations, and as a result they sometimes resort to extreme measures. Cops in Brazil, India, and the U.K. are tired of American technology companies telling them they will not comply with a local judge’s warrant to compel data – something those companies are often barred from doing under ECPA. This is why many states are starting to get serious about the idea of forced data localization – compelling technology companies that operate on their soil to store data there too. As Anupam Chander and Uyen Le have noted, forced data localization would impose enormous costs on technology companies and lower privacy protections for users around the world. Forced localization is, from an engineering and privacy perspective, a serious threat to the global Internet as we know it. What is the single best alternative to forced data localization? Allowing companies to comply with legitimate foreign government requests for data, wherever it happens to be stored, as long as the request is preceded by a warrant from a neutral magistrate.
Of course, this would require ECPA reform. A number of commentators have argued that whatever happens in the case, Congress should reform ECPA. This is absolutely right, but as I argued earlier in the week over at ACSBlog, ECPA reform is heading in the wrong direction. The existing reform proposals are all aimed at domestic disclosure rules or reforms to the mutual legal assistance process. These are necessary reforms – and largely consistent with the recommendations I made in my report on the need for mutual legal assistance reform – but they do not go far enough. Most importantly, none of these reforms stop ECPA from acting as a blocking statute that prevents American technology firms from complying with foreign law enforcement requests for data. It’s not that Google and Microsoft should comply with every request they get from foreign governments for user data. But the U.S. should not prohibit them from complying – as it does now, under ECPA – because that is one of the main fuels driving the data localization engine. Companies can always decide on their own whether they want to comply with a particular state’s request for user data, and if doing business in that state is deemed too dangerous or too costly to privacy, companies will face a difficult decision – as Google did in China – about whether to stay or go. Every global business must decide how to play by local rules in different markets, all the while living up to high expectations of corporate citizenship back home; why should technology firms be any different?
Part of the concern with giving states the ability to compel technology companies to produce extraterritorial data is that some states do not have very high standards of due process. To take an easy target, if Zimbabwe were to demand that Google hand over data stored in the U.S. on the theory that the data was connected to a crime in Zimbabwe, you can imagine the outcry from civil society groups and Internet users worried about due process. And rightly so. We should absolutely be worried about insufficient due process when governments seek access to data. But if anything, this is an argument against Microsoft, not for it. If Microsoft wins this case, the U.S. government will go to Ireland hat-in-hand and ask them to hand over the data in accordance with our Mutual Legal Assistance Treaty. The relevant legal standard for the data’s production will be Ireland’s. If the data had been in Zimbabwe, the relevant standard would be Zimbabwe’s. If you think the Fourth Amendment due process requirements are robust, you may not be eager to embrace a standard that changes depending on the storage location of the data.
Finally, let’s consider the claim that if the U.S. wins this case, it will be able to access the world’s data. (The Guardian’s headline about the case Wednesday read: “DOJ says it can demand every email from any US-based provider.”) This is plainly wrong. The DOJ has not claimed that it can access any email in any corner of the world; rather, the agency claims that it can search an email if and only if a U.S. judge finds probable cause to search the emails in connection with a U.S. crime. Again, the offshore banking cases are illuminating. There is no media uproar when U.S. judges issue warrants to seize the Caymanian accounts of suspected drug runners and terrorists. So why the histrionics when the thing being seized is data located abroad in connection with a crime? Part of the explanation is that the NSA’s bulk surveillance programs have given the world little reason to trust the U.S. government. That is perhaps the best argument that data is somehow different from other extraterritorial forms of evidence. But in this particular case, we are talking about something even the staunchest privacy advocates can get behind: forcing law enforcement agents to prove to a federal judge that they meet the Fourth Amendment’s stringent requirements before granting them access to the data. While there is undoubtedly reason to be worried about expanding U.S. government access to data generally, this particular case highlights exactly the kind of lawful access privacy advocates should embrace: access held to a high constitutional standard, and reviewed in public by a federal judge.
To be sure, the Microsoft Ireland case raises a host of interesting questions, and the outcome of the case will have implications for ECPA and for congressional efforts to reform ECPA. But whether Microsoft wins or loses, the sky will not fall. This analysis is not meant as an argument one way or the other on the outcome of the case – I have said nothing about the potentially determinative statutory interpretation and scope-of-warrant issues. Rather, the point is simply that it would be a mistake to see the case as an up-or-down vote on some of the most important questions of Internet governance.