Yesterday, I moderated a panel on Microsoft’s federal court challenge to a warrant seeking email records that Microsoft stores at a data center in Ireland. Microsoft is contending that the governing statute, the stored communications provisions of the Electronic Communications Privacy Act (ECPA), does not apply outside the territory of the United States.
My take-away from the panel is that discussion of reforms to bring ECPA up-to-date with the way we use devices and cloud services in the 21st Century needs to take up the difficult questions presented by services and networks that flow freely across national borders. As I put it during the discussion, “what does extraterritoriality mean in a virtual world?”
The panel featured James Garland of Covington & Burling, who is arguing the case on behalf of Microsoft in the Federal District Court for the Southern District of New York this Thursday, along with other lawyers involved in the case. The case has been the deserving subject of wide attention, including a stern letter from the European Commission’s Justice Commissioner and a July 27 New York Times editorial. It involves a warrant issued last December for email records “owned, maintained, controlled or operated by Microsoft” for a particular email address. Microsoft produced records located in the United States that did not involve the content of the emails, but objected to producing the emails themselves because they are stored in a data center in Dublin, Ireland. They are there because the Dublin servers are closest to the country that the email customer identified in establishing the account, reducing latency in email transmission. Microsoft only recently established overseas data centers and, so far as anyone knows, this is the first time any Internet service provider has challenged the extraterritorial application of authorities for law enforcement access to Internet communications.
The Stored Communications Act
The issues center on the interpretation of Section 2703 (c)(A) of the Stored Communications Act in the decision by a federal magistrate in New York issued April 25. In some respects, the issues are narrow: for example, does the SCA contain language that overcomes the Supreme Court’s “presumption against extraterritorial application” of U.S. statutes; does the “warrant” required by the SCA to obtain most content of electronic communications incorporate requirements for a warrant under the Fourth Amendment?
But discussion of these issues quickly spilled over into questions about how the SCA or other law enforcement authorities should apply to services and networks that are global, whose customers may be located anywhere and that may transmit and store data in many different locations, even simultaneously. “Congress needs to decide these issues,” said Michael Vatis of Steptoe & Johnson (representing Verizon in the case), and Emery Simon of the Business Software Alliance explored numerous factors to be taken into account besides the nationality of the service provider or the location of the data – the location of the person the records belong to, the extent of the contacts with the countries involved, interests of the various governments that are implicated (here, for example, the U.S. law enforcement interest versus Ireland’s interest in its privacy laws), the availability of the information by other means such as mutual law enforcement assistance treaties and multilateral conventions. Hanni Fakhoury of the Electronic Frontier Foundation stressed a need to improve that treaty process so U.S. law enforcement can get effective access to records it needs abroad while respecting international comity and sovereignty.
ECPA was first enacted in 1986 and amended in 1994 and 2001. It was prescient at the time, but the online paradigm it reflects is America Online dial-up access, when service was slow and storage capacity was limited. Reform efforts have focused on changing this paradigm so that emails and other content stored on a “remote computing service” (which today includes a cloud service provider) that have been opened or stored more than 180 days are treated the same as other content that is subject the requirement of a warrant (did you know your years of Gmail and Flickr files are less protected?). A bill accomplishing that was reported unanimously out of the Senate Judiciary Committee in 2012 and re-introduced as the Leahy-Lee ECPA Amendments Act of 2013, but has not advanced because the Securities & Exchange Commission and other enforcement agencies without criminal warrant authority are pushing to retain the ability to obtain emails by subpoena.
Future of the Microsoft Lawsuit
Regardless of the outcome in federal district court, the issue will go on, because either Microsoft or the federal government will appeal to the Second Circuit. The stakes go far beyond this case. A decision upholding the government’s warrants will compound the global fears Microsoft and other U.S. tech companies face in the wake of the Snowden revelations that data of foreign citizens is not safe with their services or equipment because U.S. intelligence or law enforcement may get hold of it.
The broader issues – how to reconcile established and legitimate interests of territorial nation-states with a system that crosses many borders and presents challenges to interests that liberal democracies regard as illegitimate as well as legitimate ones – cut across many areas, from surveillance by the NSA and its counterparts in other countries, to Internet governance, to intellectual property protection among others. Addressing them will not be easy: the factors above that Emery Simon mentioned are familiar from other cross-border legal contexts such as jurisdiction, conflicts of laws, and comity of nations, but their complexity is multiplied exponentially by the number of overlapping jurisdictions. The current global tug-of-war over Internet governance demonstrates the challenge of creating structures for a useful global discussion of issues that cut across so many different borders, interests, and outlooks.
The United States set an example, though, by cutting through this Gordian knot. It can act to put reasonable limits on the application of its laws to electronic communications stored outside the United States or belonging to foreign citizens outside the United States. Microsoft’s extraterritoriality case shows the urgent need to take up this discussion.
This post originally appeared on ACS blog. There were minor alterations made to the title and headers.
President-elect Bolsonaro has embraced tough-on-crime measures that egregiously violate basic human rights and eviscerate the rule of law. Responding to Brazil’s 63,880 homicides in 2017, Bolsonaro calls for increasing protection for police officers who kill alleged criminals and arming citizens. He calls for further militarizing urban policing, reducing the age of criminal liability from 18 to 16, reinstating the death penalty, authorizing torture in interrogations and imprisoning more people... Brazil’s police are already notorious for being one of the world’s deadliest in the use of force. In many favelas, Brazil’s retired and current police officers operate illegal militias that extort and control local communities, murdering those who oppose them and engaging in warfare with Brazil’s highly-violent gangs and in social cleansing. Bolsonaro is simply threatening to turn the rest of the police into state-sanctioned thugs.