Published by The Lawfare Institute
in Cooperation With
In our interconnected world, the electronic data that we create may be stored far away from us, without regard for national boundaries. If our data become relevant to legitimate law enforcement investigations, the borderless nature of digital data can create obstacles for government investigators and the tech companies who receive government requests for their customers’ electronic data. Yet, efforts to overcome these barriers must address the tension between the needs of law enforcement and the rights of individuals. How can the law facilitate government requests for digital data without sacrificing privacy and human rights?
On Feb. 27, the Supreme Court will hear oral argument in United States v. Microsoft (or, the Microsoft-Ireland case). The case involves the U.S. government’s efforts to obtain electronic communications stored by Microsoft on a server in Ireland. The court must decide whether a warrant issued under Section 2703(a) of the Stored Communications Act to compel production of electronic communications can apply outside the United States. An amicus brief—filed by New America’s Open Technology Institute (OTI) and a broad coalition of rights organizations and trade associations—supports Microsoft and suggests that the answer is no. However, the case also implicates broad and complex policy questions that should be addressed through multi-stakeholder engagement in Congress.
The Microsoft-Ireland case is a statutory interpretation case. Section 2703(a) authorizes the government to require disclosure of the contents of emails that are older than 180 days “only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a state court, issued using state warrant procedures).” By the terms of the statute, the applicable standards are solely based on U.S. domestic law and U.S. federal or state rules of procedure. Since Congress did not specify that this provision enables the government to obtain data held beyond the United States’ boundaries, the canon against extraterritorial application of federal statutes set forth in a line of cases including Morrison v. National Australia Bank Ltd. and Kiobel v. Royal Dutch Petroleum Co., requires a finding that Section 2703(a) applies only within the United States.
The government recognizes this presumption against extraterritorial application, but argues it would not be violated because the disclosure to the government would be made inside the United States. It asserts that the wording of the statute focuses on disclosure. Furthermore, it urges that even if the court agrees with Microsoft’s position that the statute actually focuses on user privacy, there is no privacy invasion when Microsoft transfers data from Ireland to the United States. Rather, the government contends that privacy interests are not implicated until the email contents are turned over to the government inside the United States. However, as the Second Circuit found below, the government’s argument “stands the presumption against extraterritoriality on its head,” and the statute’s “privacy focus is unmistakable.” It is true that, as Judge Lynch pointed out in concurrence, the individual user’s privacy is protected in this case because the government obtained a probable cause warrant. Yet, because Microsoft would only be collecting the data from Ireland on behalf of the government, the seizure—the moment of privacy invasion—necessarily occurs in Ireland.
Further, the United States, as a signatory to the Convention on Cybercrime, has committed to the international norm that a country seeking data stored in another nation must obtain the assistance of the host country in order to seize that information. This principle of international cooperation is critical. Were the United States’ position in the Microsoft-Ireland case to prevail, it would invite other countries to make unilateral demands for data stored within the United States. Other countries have already begun to consider such assertions of jurisdiction, including arresting and jailing company executives in order to obtain access to data held outside their borders. Thus, while the individual user involved in the Microsoft-Ireland case would be protected by the U.S. probable cause standard, a decision in favor of the U.S. government would exacerbate this dynamic and threaten the privacy of users in numerous countries. It would also undermine customer confidence in the security of their data stored in the cloud. As OTI has noted in the context of encryption technology, robust safeguards for data security are therefore necessary for our economic security as well.
Despite the breadth of issues raised by this case, its facts simply involve the government’s effort to obtain electronic data that is stored in a single known location outside the United States: at Microsoft’s data center in Ireland. It therefore does not directly implicate difficult questions concerning government access to data that is “sharded” into multiple storage locations or where the provider does not know the location of the data. As our coalition amicus brief urges, the court should decide this question narrowly based on the particular facts presented in this case. There are, of course, many varieties of network architecture and numerous ways in which tech companies store data. Crafting rules that account for different approaches to data storage is a matter for Congress to undertake in a comprehensive manner that considers the interests of all stakeholders. Judicial doctrines on extraterritoriality may not apply neatly to fact patterns involving more complex systems architecture, and the interests of the United States and foreign governments may vary depending on their relationships to the service provider, the user, and the underlying investigation. These broader issues involve many competing interests and are not implicated in this case; therefore they are better suited to Congress.
Beyond the facts presented, this dispute raises many complex questions regarding how to ensure appropriate privacy safeguards in the digital age. U.S. law concerning government access to electronic data is severely outdated; when the Stored Communications Act was enacted in 1986, cloud storage did not yet exist. And in recent years, the pressure to facilitate law enforcement requests for electronic data held in another country has been growing at the same time that use of the internet and electronic communications has exploded. But the Microsoft Ireland case does not provide an opportunity to resolve these important policy issues.
Rather, it is the task of Congress to enact legislation that provides a rights-protective solution to the cross-border data problem, and ensures that Fourth Amendment standards protect digital data. Congress has begun to consider the broader questions of when and how the government should be able to obtain electronic data stored in a foreign country, through bills such as the International Communications Privacy Act (ICPA), the Law Enforcement Access to Data Stored Abroad Act (LEADS), and most recently, the Clarifying Lawful Overseas Use of Data Act (CLOUD), which OTI has opposed due to our concern that it fails to incorporate adequate safeguards for privacy and human rights. The specifics of this debate are outside of the scope of this piece but I have addressed them in detail here. OTI remains ready and eager to engage in a broad stakeholder process seeking a solution that also protects the privacy and human rights of users.
The full debate over cross-border access to data will not end with the resolution of the Microsoft Ireland case. These issues still pose important challenges for Congress. It is critical that in refining proposals to resolve these issues, the government and tech companies consider the interests of all stakeholders, and that legislation to address cross-border access to data includes robust safeguards for individual rights.