Microsoft Challenges Idea That US Government Can Go Fishing For Emails Stored Outside The US
from the going-to-be-an-important-fight dept
Back in April, we wrote about a magistrate judge ruling that Microsoft had to comply with a warrant asking for data that was held on servers in Dublin. Microsoft argued, quite reasonably, that a US warrant doesn't apply outside of the US. Unfortunately, magistrate judge James Francis disagreed, saying that while it's true that traditional warrants only apply inside the US, this is different because it's "digital." He argued that because the issue was about information, rather than physical property, it could be considered more like a subpoena than a warrant. As we noted, Microsoft made it clear that it would challenge this ruling, and now it has done so, arguing that the ruling flies in the face of the law and the Constitution. This summary from Microsoft's filing is pretty clear on what an incredibly big deal this is, with the government basically seeking to get the best of a subpoena and a warrant without any of the protections and limits required of either:The Magistrate Judge issued a warrant under the Electronic Communications Privacy Act ("ECPA") that on its face, purports to authorize the Government to search any and all of Microsoft's facilities worldwide. Microsoft moved to vacate the warrant because the private email communications the Government seeks are located in a Microsoft facility in Dublin, Ireland and because Congress has not authorized the issuance of warrants that reach outside U.S. territory. The Government cannot seek and a court cannot issue a warrant allowing federal agents to break down the doors of Microsoft's Dublin facility. Likewise, the Government cannot conscript Microsoft to do what it has no authority itself to do -- i.e., execute a warranted search abroad. To end-run these points. the Government argues, and the Magistrate Judge held, that the warrant required by ECPA is not a "warrant" at all. They assert that Congress did not mean "warrant" when using that term, but instead meant some previously unheard of "hybrid" between a warrant and subpoena duces tecum. The Government takes the extraordinary position that by merely serving such a warrant on any U.S.-based email provider, it has the right to obtain the private emails of any subscriber, no matter where in the world the data may be located. and without the knowledge or consent of the subscriber or the relevant foreign government where the data is stored.Verizon has stepped in as well, pointing out that if the original ruling is allowed to stand, it could have significant negative impact on the ability of US businesses to get non-US users to trust them -- an increasingly important issue in light of the Snowden revelations.
This interpretation not only blatantly rewrites the statute, it reads out of the Fourth Amendment the bedrock requirement that the Government must specify the place to be searched with particularity, effectively amending the Constitution for searches of communications held digitally. It would also authorize the Government (including state and local governments) to violate the territorial integrity of sovereign nations and circumvent the commitments made by the United States in mutual legal assistance treaties expressly designed to facilitate cross-border criminal investigations. If this is what Congress intended, it would have made its intent clear in the statute. But the language and the logic of the statute, as well as its legislative history, show that Congress used the word "warrant" in ECPA to mean "warrant," and not some super-powerful "hybrid subpoena." And Congress used the term "warrant" expecting that the Government would be bound by all the inherent limitations of warrants, including the limitation that warrants may not be issued to obtain evidence located in the territory of another sovereign nation.
The Government's interpretation ignores the profound and well established differences between a warrant and a subpoena. A warrant gives the Government the power to seize evidence without notice or affording an opportunity to challenge the seizure in advance. But it requires a specific description (supported by probable cause) of the thing to be seized and the place to be searched and that place must be in the United States. A subpoena duces tecum, on the other hand, does not authorize a search and seizure of the private communications of a third party. Rather. it gives the Government the power to require a person to collect items within her possession, custody, or control, regardless of location, and bring them to court at an appointed time. It also affords the recipient an opportunity to move in advance to quash. Here, the Government wants to exploit the power of a warrant and the sweeping geographic scope of a subpoena, without having to comply with fundamental protections provided by either. There is not a shred of support in the statute or its legislative history for the proposition that Congress intended to allow the Government to mix and match like this. In fact, Congress recognized the basic distinction between a warrant and a subpoena in ECPA when it authorized the Government to obtain certain types of data with a subpoena or a "court order," but required a warrant to obtain a person's most sensitive and constitutionally protected information -- the contents of emails less than 6 months old.
The magistrate’s ruling, if left standing, could cost U.S. businesses billions of dollars in lost revenue, undermine international agreements and understandings, and prompt foreign governments to retaliate by forcing foreign affiliates of American companies to turn over the content of customer data stored in the United States.If you hadn't figured it out by now, this case is going to have tremendously important ramifications for privacy around the globe.
The recent revelations about U.S. intelligence practices have heightened foreign sensitivities about the U.S. government’s access to data abroad, generated distrust of U.S. companies by foreign officials and customers, and led to calls to cease doing business with U.S. communications and cloud service providers. Studies have estimated that this distrust will result in tens of billions of dollars in lost business over the next few years. The magistrate’s ruling, if left standing, will dramatically increase the harm to American businesses. It would mean that foreign customers’ communications and other stored data would be available to hundreds or thousands of federal, state, and local law enforcement agencies, regardless of the laws of the countries where the data is held. Foreign customers will respond by moving their business to foreign companies without a presence in the United States.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: doj, ecpa, email, international, james francis, magistrate judge, privacy, sca, subpoena, warrants
Companies: microsoft
Reader Comments
Subscribe: RSS
View by: Time | Thread
just like Comcast versus Prenda Law
[ link to this | view in thread ]
[ link to this | view in thread ]
Good on you Microsoft!
Even my grandma hated it!
[ link to this | view in thread ]
Re: Good on you Microsoft!
[ link to this | view in thread ]
And what about NSLs?
Forgive me for being a non-USian and thus not knowing all the details, but isn't that already the case due to NSLs? Can't a NSL already force a US-company to violate foreign laws?
[ link to this | view in thread ]
Re:
The Spirit of the Law only matters when the judge wants it to.
Anyone seeing the pattern here? Judges are less and less about Judging and more and more about legislating.
Good lawyer would request mistrial immediately on grounds that "His Honor" less seems to be incapable of basic high school level reading and deigns to create new and unintended interpretations to codified law.
He should file a complaint against the BAR and see if said judge can have his law license revoked. It may not immediately remove him from the bench, but it would make the next attempt to remove him easier. Judges lately have been enjoying a great deal of extra constitutional power beyond what was intended, but they are not being challenged on it either so why stop?
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: And what about NSLs?
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: And what about NSLs?
The general rule is this... I a business has an office that country then that business office itself is subject to the laws of that land, but not the rest of the company where other offices are located. This includes things like this... the US Gov really can legally issue a warrant or subpena for anything they want including Pluto. The issue is that if it contradicts laws for that office in that land then the business is obliged to follow the laws of that land. Now if the data is held on server on US soil... that's fair game and can be enforced.
Despite this, you will still see governments go ahead and force their way through like criminals anyways because what is a business gonna do? Hire an army and protect their assets? Are the citizens going to do anything?
So in short despite what the laws and treaties say... if you are a business, you can be quickly screwed and bullied by any country in the world in which you have an office. Governments are every bit as criminal as your local thugs, its just that these thugs have the backing of most of the citizens... well usually.
[ link to this | view in thread ]
How far does this extend?
How many US companies would take advantage, and deliberately hide data in off-shore servers just to keep it away from US government/regulators?
[ link to this | view in thread ]
Slight fix for accuracy
[ link to this | view in thread ]
Re: How far does this extend?
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
It is the legitimate, and critically important, role of the judiciary to act as check and balance to the legislature, and to find ways to apply the laws that is both Constitutional and in spirit with the intention of the law. That involves a lot of judgment calls and, occasionally, acting in a manner that resembles legislating.
It's how the system was designed.
[ link to this | view in thread ]
Re: How far does this extend?
[ link to this | view in thread ]
Verizon, go figure. They should read the text they release beforehand.
[ link to this | view in thread ]
So, the government can go shopping for warrants now
Yeah, that's just insane.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
What about banking?
I would be most concerned about banking, when it comes to these privacy issues.
[ link to this | view in thread ]
Most likley it has something to do with potentially opening doors to tax fraud using off shore stuff then protecting customers. After all, it was none other then shyster Bill Gates who whored himself out to NSA with Windows 95 backdoors.
[ link to this | view in thread ]
Re: Re: Re:
It's how the system was designed.
True, but there are too many cases like this one where judges ignore the clear meaning of a law to get a result they want, for whatever reason.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re:
So they'd have more work to do than just rewriting the protocol specifiers in their HTML (and HTML generators) - possibly considerably more. For all we know, they might be working on doing that right now...
[ link to this | view in thread ]
Re: So, the government can go shopping for warrants now
Even if we don't go that far, there's also an argument to be made that only a country where Microsoft has a business presence could do this to Microsoft, and the worst penalty that could be applied if Microsoft refuses is to deny Microsoft permission to operate or otherwise do business in that country. That might still result in "any country in the world" being able to do it, but it would at least be a sufficiently logical-sounding limitation that courts - including international ones - might sign off on it...
[ link to this | view in thread ]