Court: Microsoft Can’t Be Forced To Turn Over User Emails Stored Outside Of U.S.

Image courtesy of JeepersMedia

When law enforcement officials serve a tech company with a warrant for information on a specific user, does the fact that the company could easily access that information online negate the concern that the sought-after data is stored wholly outside the U.S.? A federal appeals court — in a case involving a Microsoft email user — says that the location of the information does matter.

In Dec. 2013, a federal magistrate judge signed off on a “Search and Seizure Warrant” to be served on Microsoft. The warrant sought all available information — including contents of all stored emails, any records that might be used to identify the account-holder’s real name, the account’s contacts list, and any photos or other files stored on the account — for a specific @msn.com email address related to a narcotics investigation.

Microsoft responded by providing the available non-content information about this account, but contended that the warrant was not sufficient to compel it to turn over the remaining data on this user, as it was all stored on servers located outside the U.S.

The magistrate judge — and later a U.S. District Court judge — denied Microsoft’s motion to quash the warrant, citing the Stored Communications Act — a 1986 law that, among other things, spells out when and how tech companies can be compelled to turn over data to law enforcement.

The lower court concluded that the warrant served on Microsoft was no different than an SCA subpoena, in that it “does not involve government agents entering the premises of the ISP to search its servers and seize the e‐mail account in question.”

In the magistrate judge’s opinion, what mattered wasn’t where the material was being sourced from, but where it would ultimately be reviewed. Since Microsoft controlled the sought-after data, its current location shouldn’t be an issue.

Thus, Microsoft was directed to “produce information in its possession, custody, or control regardless of the location of that information.”

While Microsoft appealed the lower courts’ decisions, it was held in civil contempt for failing to comply — though it should be noted that the tech giant agreed to be held in contempt, as that would guarantee that the Second Circuit Court of Appeals had jurisdiction over the matter.

In its opinion [PDF] regarding the warrant, the three-judge appeals panel looked at the context in which the SCA was drafted by Congress three decades, noting that “a globally‐connected Internet available to the general public for routine e‐mail and other uses was still years in the future when Congress first took action to protect user privacy.”

Section 2703 of the SCA establishes what the court labels a “pyramidal structure” regarding what sort of documentation is needed for law enforcement to obtain various types of stored data.

On the lowest level, the government can issue an administrative subpoena — a document from a government agency seeking information; it does not require the demonstration of any probable cause. However, the law puts specific limits on the data that can be obtained in this way. While names, addresses, and payment methods associated with the account may be turned over, the subpoena can not compel the disclosure of any content.

Higher up the pyramid are court orders, for which the government must show “reasonable grounds to believe that the contents or records… are relevant and material to an ongoing criminal investigation.” However, if the government wants any content-related information from a court order, it would have to disclose this search to the account holder.

Obtaining the good stuff — or as the court puts it, “priority stored communications” — a proper warrant must be obtained, requiring a demonstration of probable cause.

In its appeal, Microsoft argued that the court had unlawfully applied the SCA by trying to compel the production of content-related data stored outside the geographical scope of the warrant.

The appeals panel sided with the tech giant, finding that there was nothing on the record that allows the SCA to be applied to data stored outside of U.S. borders.

“Although electronic data may be more mobile, and may seem less concrete, than many materials ordinarily subject to warrants, no party disputes that the electronic data subject to this Warrant were in fact located in Ireland when the Warrant was served,” writes the court. “None disputes that Microsoft would have to collect the data from Ireland to provide it to the government in the United States.”

While the government argued that nothing in the language of the SCA specifically limits the use of warrants to the U.S., the court was not convinced, pointing out that when Congress intends a law to apply extraterritorially, it gives an “affirmative indication” of that intent.

Additionally, the appeals court held that the term “warrant” is not some malleable word that could refer to something more subpoena-like depending on the case.

“The term is endowed with a legal lineage that is centuries old,” writes the court. “The importance of the warrant as an instrument by which the power of government is exercised and constrained is reflected by its prominent appearance in the Fourth Amendment to the United States Constitution.”

The court concludes that for a warrant to comply with the Fourth Amendment, it must identify “discrete objects and places, and restrict the government’s ability to act beyond the warrant’s
purview.”

Additionally, the legislative history of the SCA shows that it has been amended over the last 30 years to clarify the reach of warrants, but that none of those amendments have added any sort of extraterritorial authority to SCA warrants.

Finally, the appeals court questions why the government would seek to frame SCA warrants as equivalent to subpoenas or some sort of hybrid of a warrant and a subpoena.

The SCA “places priority stored communications entirely outside the reach of an SCA subpoena,” so if the government successfully argued that the warrant is indeed a subpoena, then it would not be able to access the very data it seeks.