Surveillance & Privacy

The Microsoft Ireland Case: A Brief Summary

Nora Ellingsen
Friday, July 15, 2016, 10:34 AM

Yesterday, the Second Circuit Court of Appeals ruled against the United States Government in the case Microsoft v. United States, stating that the government cannot compel Microsoft, or other companies, to turn over customer emails stored on servers outside the United States. Here's a brief summary of the opinion.

Published by The Lawfare Institute

The case hinged on the question of whether Section 2703(a) of the Stored Communications Act (SCA), the provision under which the government sought and received a search warrant for the email account, applies extraterritorially. The court, reversing the federal district court in the Southern District of New York, ultimately ruled that it does not.

Back in December 2013, federal law enforcement was conducting a criminal narcotics investigation. During the course of this investigation, the government sought a search warrant, pursuant to Section 2703(a) of the SCA, to seize the contents of an email account belonging to a Microsoft customer. Microsoft complied with the warrant to an extent, turning over any account information that was being stored in the United States. However, the actual emails, and their contents, were stored overseas in Dublin, Ireland. Microsoft balked at turning over the overseas content, and the district court held the corporation in civil contempt for its failure to comply with the warrant.

Flash forward three years, and the Second Circuit reversed the district court, holding that “§ 2703 of the Stored Communications Act does not authorize courts to issue and enforce against U.S.‐based service providers warrants for the seizure of customer e‐mail content that is stored exclusively on foreign servers.”

The court’s opinion begins with background on Microsoft, as well as the SCA. Microsoft, according to the court, stores the contents of its users’ emails on 100 discrete data-centers worldwide. Each user’s data is stored based largely on the user’s unverifiable “country code,” presumably geographically proximate to that user's actual location. Once transferred overseas, the data, for the most part, is deleted from servers in the United States. Microsoft can later use a program, accessible from U.S. offices, to bring the data stored overseas back to the U.S.

The statute at hand is the SCA, enacted as Title II of the Electronic Communications Privacy Act (ECPA). Passed back in 1986, the ECPA was envisioned to update the Federal Wiretap Act of 1968 to include computer communications. It was, however, designed with now-dated technology in mind, years before the Internet became available to the public. The purpose of the Act, as emphasized throughout the Second Circuit’s opinion, was to “extend electronic records privacy protections analogous to those provided by the Fourth Amendment.” The Act was implemented to protect users of electronic communication services or remote computing services and imposed general obligations of non-disclosure on service providers. But the Act also creates exceptions to those obligations, including the current warrant provision, under which the government may require a service provider to disclose the contents of stored communications. In itself, the warrant provision is hardly noteworthy—any warrant obtained under the SCA is required to be issued using the procedures described in the Federal Rules of Criminal Procedure.

The question presented in Microsoft v. United States was whether the SCA’s warrant provision applies extraterritorially. The government argued that when the SCA used the word “warrant,” the statute was actually referring not to a traditional warrant, but to legal process or “compelled disclosure” more akin to a subpoena. A warrant, according to the Second Circuit, and conceded by the government, has domestic boundaries. The purpose of the Fourth Amendment, according to the court, was to restrict searches and seizures that would be conducted in the U.S. on domestic matters. Subpoenas, on the other hand, can require the production of communications stored overseas, and are restrained by fewer territorial restrictions.

Ultimately, the Second Circuit found the government’s argument to be unpersuasive. Citing the presumption against extraterritoriality, the court looked to whether the SCA’s warrant provision contemplated extraterritorial application. The plain meaning of the SCA has no indications that Congress envisioned an extraterritorial use for the statute. Given a long history of warrants and subpoenas being completely distinct legal instruments, the court found no reason to infer that Congress used “warrant” to mean “subpoena.” Instead, the court ruled that Congress used the term “warrant” to provide a greater level of protection to users. Furthermore, the Second Circuit was not swayed by the government’s attempt to import law developed in the subpoena context into the SCA’s warrant provision—a previous decision that a grand jury subpoena issued in a tax evasion investigation could reach an overseas Swiss business was not applicable in the current case, where Microsoft was merely a caretaker of the information. Likewise, the court brushed aside the government’s argument that banks have been required to comply with subpoenas, relying on the Supreme Court’s decision that bank depositors have no protectable privacy interests in a bank’s records regarding their accounts.

After concluding that Congress did not intend the SCA’s warrant provisions to apply extraterritorially, the court turned to the “focus” of the SCA’s warrant provisions. Relying heavily on Morrison v. National Australia Bank Ltd., the court looked at whether the domestic contacts were secondary to the statutory “focus,” thereby precluding an extraterritorial application of the warrant provision. In order to do so, the court reverted to common tools of statutory interpretation, including the plain meaning of the statute, as well as its legislative history. The court determined that the main focus of the SCA was to protect user content. Providing methods for law enforcement to access that content remained a secondary objective—thereby excluding an extraterritorial application.

At the end of the opinion, the court addresses several secondary concerns. The government had argued that the actual conduct in question occurs in the U.S.—to comply with the warrant, the service provider only has to act within the United States. However, the court finds that the conduct actually falls outside the U.S., given that the subject of the warrant is located in, and would be seized from, Dublin.

The court also addresses the government’s pleas that a ruling for Microsoft would place a “substantial” burden on the government, requiring it to go through the cumbersome Mutual Legal Assistance Treaty (MLAT) process in order to conduct searches abroad. However, the Second Circuit indicates, even in light of these practical considerations, that it cannot ignore the text of the statute and its intent to only reach data stored within the United States.

Judge Gerard Lynch’s concurrence agrees with the holding that the execution of the warrant would constitute an unlawful extraterritorial application of the Act. However, his concurrence begins by explaining what this case is not about: your privacy. Microsoft, in this case, does not dispute the fact that the SCA’s warrant provision would be adequate to obtain emails stored on a server within the United States: “Microsoft’s argument is not that the government does not have sufficiently solid information, and sufficiently important interests, to justify invading the privacy of the customer whose emails are sought and acquiring records of the contents of those emails.” In this case, according to the concurrence, a user’s privacy is at the mercy of a private corporation, which at any time can send the data back to the U.S.

The courts, the concurrence argues, have a role to play in the protection of privacy and a responsibility to ensure that there are constitutional restraints on searches and seizures. However, the question of whether an American law applies overseas is solely in Congress’s lane. It is clear that the drafters of the SCA did not contemplate the extraterritorial application of their statute, primarily because the statute was enacted in the 1980s when the idea of “cloud” storage was unfathomable. The concurrence urges Congress to weigh the costs and benefits of applying the statute to conduct overseas and update a perhaps antiquated law.

Nora Ellingsen is a third-year student at Harvard Law School. Prior to graduate school, she spent five years working for the FBI's Counterterrorism Division. She graduated cum laude from Northwestern University with a B.A. in Psychology and Political Science.
