Published by The Lawfare Institute
in Cooperation With
Yesterday, a three-judge panel of the United States Court of Appeals for the Second Circuit heard oral argument in a high-profile dispute between the United States and Microsoft. Styled In the Matter of a Warrant to Search a Certain E-mail Account Controlled and Maintained by Microsoft Corporation, the case stems from the company’s widely-noted refusal to comply with a December 2013 search warrant, which would have required Microsoft to hand over the contents of emails stored on a foreign computer.
The facts in brief: The litigation arose in the course of a criminal narcotics investigation; during it, federal law enforcement had sought and received a warrant to seize the contents of an email account belonging to a Microsoft customer whose information was stored in Dublin, in a data center maintained by one of Microsoft’s subsidiaries. The government had applied for the warrant pursuant to Section 2703(a) of the Stored Communications Act (SCA), itself enacted as part of the 1986 Electronic Communications Privacy Act (ECPA). The pertinent part of that statute says:
A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure ... by a court of competent jurisdiction[.]
Microsoft moved to vacate, arguing that the warrant would be executed extraterritorially and was thus invalid. In order to access customer emails and records stored in Ireland, Microsoft argued, the government instead would have to pursue traditional bilateral law enforcement and diplomatic channels, and collaborate with the relevant Irish and EU authorities. But a magistrate judge batted away Microsoft’s motion, and Chief Judge Loretta Preska, of the United States District Court for the Southern District of New York, affirmed that ruling. When Microsoft refused to produce materials sought by the warrant, the District Court held Microsoft in contempt. The company appealed.
Below, I offer observations about three broad themes raised during yesterday’s session—which was heard by Circuit Judges Gerard Lynch (who asked most of the day’s questions from the bench) and Susan Carney; along with District Judge Victor Bolden of the United States District Court for the District of Connecticut. Joshua Rosenkranz argued the case for Microsoft; Justin Anderson represented the United States.
1) Interpretation of the Electronic Privacy Communications Act
Judging by the exchanges between court and counsel, the case’s resolution will turn largely on a narrow issue of statutory interpretation.
Consistent with the company’s position in the District Court below, Rosenkranz claimed that the SCA does not authorize warrants for the collection of customer data stored overseas. While both sides had acknowledged the statute’s silence on the question, Microsoft’s attorney thought this essentially called the game in his side’s favor. The presumption against the extraterritorial application ought to bar application of the SCA to emails stored on a Microsoft-controlled server in Ireland, said Rosenkranz; moreover, Congress’s intent in passing the provision here was to protect information stored by US service providers inside the United States rather than abroad. Because Congress neither expressed a clear desire for the ECPA to apply extraterritorially, nor expressed any intention for the ECPA to displace Mutual Legal Assistance Treaties and other more traditional mechanisms of international cooperation among law enforcement entities, the District Court’s conclusions were erroneous. Judge Carney pressed Rosenkranz on this point: “What in the statute speaks to extraterritoriality?” Beyond the text, she also grilled counsel for both sides on whether there was anything in the legislative history that spoke to the issue.
A related disagreement aired yesterday—and much appears to hang on this – was whether the location of the sought data is the appropriate starting point for ECPA analysis, or whether the issue really is the disclosure of information, including where such disclosure takes place. Rosenkranz argued that the relevant consideration was the physical location in which the information was stored prior to its disclosure. Judge Carney appeared to agree, saying at one point that “it’s about storage -- it is the Stored Communications Act.”
Speaking for the government, Anderson took the opposite view and insisted that “the SCA is all about disclosure, not storage.” Because the information would be disclosed to US authorities inside the United States, he said, extraterritoriality principles were not implicated to begin with. Judge Lynch appeared to lean toward embracing this reading of the statute, which was, in his view, about “things that are stored, and under what circumstances they can be disclosed to law enforcement” (emphasis added). Anderson also emphasized that the inherent safeguards that accompany judicial oversight of the issuance of warrants under Federal Rule of Criminal Procedure 41 were sufficient in this case to guard against abuse.
All this built on the government’s widely reported contention, made below and reaffirmed at at oral argument, that so long as a US-based company exercises custody and control of information subject to a court-issued warrant, the physical location where the information is stored and the nationality of any person associated with the information are both immaterial: Law enforcement can compel production of the data. On that point, Judge Lynch observed that in this instance, the Court did not actually know whether the sought emails belonged to an American or an Irish citizen, or a citizen of some other country. Anderson answered by reiterating that the nationality, even identity, of the user was irrelevant, because the statute did not require that the communications sought be sent by an American citizen. Rather, the key statutory criterion was that an entity subject to federal court jurisdiction exercised “custody and control” over the communications—as Microsoft plainly did.
2) Foreign Policy Considerations
Seeking to bolster his reading of the statute, counsel for Microsoft forecasted a parade of foreign policy horribles that would result if it were read otherwise. Rosenkranz told the judges that affirmation of the District Court’s ruling could lead to an “international firestorm;” other countries would get a green light to enact their own ECPA-like statutes, with which to require companies with US-based operations to surrender consumer data, including that associated with their American customers. The hypothetical reaction of the United States government to such an effort by a foreign law enforcement had figured prominently in Microsoft’s pre-argument briefs. “If the Government prevails here,” wrote the company’s lawyers, “the United States will have no ground to complain when foreign agents—be they friend or foe—raid Microsoft offices in their jurisdictions and order them to download U.S. citizens’ private emails from computers located in this country.”
Driving that same point home, Rosenkranz argued yesterday that “we [the United States] would go crazy if China did this to us,” adding that the case was fundamentally “about sovereignty.” Of course Congress could enact changes to the ECPA. But until it does so, the lawyer went on, “the Courts should adopt the interpretation of the ECPA that creates the least international discord.” To hold otherwise would be a dangerous extension in the overseas reach of US law enforcement, since, according to Rosenkranz’s presentation to the Court, “neither subpoenas nor warrants have ever been seen as affecting sovereign subjects of other states” not physically present in the United States. Judge Carney asked if Rosenkranz was encouraging the Court to make use of the Charming Betsy canon—whereby federal statutes are to be interpreted so as not to conflict with international law. Rosenkranz replied that this was part of the issue, but his concern seemed to have more to do with political ramifications than tension with sovereignty doctrines. “The court has an obligation,” he said, “to adopt an interpretation of the SCA that creates the least international discord.”
While recognizing this concern, Judge Lynch questioned whether the ultimate ramifications of allowing for production of data stored abroad were a matter better suited for Congress and the executive to sort out. “We don’t do foreign relations,” he said, further suggesting a kind of stuck-with-a-dumb-law viewpoint: If Congress passes a law and the executive implements it in such a way that it generates international blowback, then that’s the political branches’ problem.
3) A Need for Updated Statutory Authority?
A final, recurrent theme in both parties’ presentations and the panel’s questions: recognition that the ECPA is an anachronistic statute, one ill-suited to contemporary law enforcement and global electronic communications. Naturally, this common starting place lead the parties to quite different outcomes.
The appellant argued that Congress could not have foreseen that the statute would, some three decades later, be applied to data stored in foreign countries by U.S. service providers. Recognizing this, the Court ought to interpret the statute in a way that does minimum damage to foreign relations, presume its strictly domestic reach, and therefore reverse the District Court’s opinion. “If the Government wants the unprecedented power it claims here,” Microsoft wrote in its brief, “it should plead its case to Congress.”
Not so for Anderson and company. The fact that ECPA had been enacted several decades ago and had yet to be amended in any way was not proof of obsolescence. This was instead evidence that Congress intended for the statute to endure through whatever technological changes might ensue in the years ahead. Congressional silence should simply be read as suggesting that the statute is a sufficiently clear and robust tool for law enforcement. Along the way, Anderson also once more stressed that, in any event, because the disclosure here was made to US authorities within the United States, there was no extraterritoriality problem for the legislature to address.
Both Judge Carney and Judge Lynch challenged the parties to point to specific materials from the legislative history which indicated that Congress had considered whether materials stored abroad and disclosed to US authorities were considered as part of the statutory scheme. Neither party appeared to have much of an answer—so Judge Lynch hinted towards one of his own. Towards the hearing’s end, he observed that it “would be helpful if Congress would engage” in a serious discussion to reform and clarify existing law. The judge nevertheless appeared to recognize that speed was not Congress’s greatest virtue.