Huge Win: Court Says Microsoft Does Not Need To Respond To US Warrant For Overseas Data
from the big-news dept
We've been following an important case for the past few years about whether or not the US can issue a warrant to an American company for data stored overseas. In this case, Microsoft refused to comply with the warrant for some information hosted in Ireland -- and two years ago a district court ruled against Microsoft and in favor of the US government. Thankfully, the 2nd Circuit appeals court today reversed that ruling and properly noted that US government warrants do not apply to overseas data. This is a hugely important case concerning the privacy and security of our data.The key issue here is that the US government was basically on a fishing expedition for information hosted on Microsoft Outlook.com email servers. And there are a few really key issues, concerning jurisdiction, privacy and the all important difference between a subpoena and a warrant (something that many people seem to think are the same thing). Microsoft's own response to the lawsuit did a really good job explaining the issues and how the government wanted to pretend a warrant was a subpoena, and what that meant for the 4th Amendment:
The Government cannot seek and a court cannot issue a warrant allowing federal agents to break down the doors of Microsoft's Dublin facility. Likewise, the Government cannot conscript Microsoft to do what it has no authority itself to do -- i.e., execute a warranted search abroad. To end-run these points. the Government argues, and the Magistrate Judge held, that the warrant required by ECPA is not a "warrant" at all. They assert that Congress did not mean "warrant" when using that term, but instead meant some previously unheard of "hybrid" between a warrant and subpoena duces tecum. The Government takes the extraordinary position that by merely serving such a warrant on any U.S.-based email provider, it has the right to obtain the private emails of any subscriber, no matter where in the world the data may be located. and without the knowledge or consent of the subscriber or the relevant foreign government where the data is stored.It was unfortunate that two judges at the district court level basically ignored this argument, so it's good to see the appeals court shoot it down completely.
This interpretation not only blatantly rewrites the statute, it reads out of the Fourth Amendment the bedrock requirement that the Government must specify the place to be searched with particularity, effectively amending the Constitution for searches of communications held digitally. It would also authorize the Government (including state and local governments) to violate the territorial integrity of sovereign nations and circumvent the commitments made by the United States in mutual legal assistance treaties expressly designed to facilitate cross-border criminal investigations. If this is what Congress intended, it would have made its intent clear in the statute. But the language and the logic of the statute, as well as its legislative history, show that Congress used the word "warrant" in ECPA to mean "warrant," and not some super-powerful "hybrid subpoena." And Congress used the term "warrant" expecting that the Government would be bound by all the inherent limitations of warrants, including the limitation that warrants may not be issued to obtain evidence located in the territory of another sovereign nation.
The Government's interpretation ignores the profound and well established differences between a warrant and a subpoena. A warrant gives the Government the power to seize evidence without notice or affording an opportunity to challenge the seizure in advance. But it requires a specific description (supported by probable cause) of the thing to be seized and the place to be searched and that place must be in the United States. A subpoena duces tecum, on the other hand, does not authorize a search and seizure of the private communications of a third party. Rather. it gives the Government the power to require a person to collect items within her possession, custody, or control, regardless of location, and bring them to court at an appointed time. It also affords the recipient an opportunity to move in advance to quash. Here, the Government wants to exploit the power of a warrant and the sweeping geographic scope of a subpoena, without having to comply with fundamental protections provided by either. There is not a shred of support in the statute or its legislative history for the proposition that Congress intended to allow the Government to mix and match like this. In fact, Congress recognized the basic distinction between a warrant and a subpoena in ECPA when it authorized the Government to obtain certain types of data with a subpoena or a "court order," but required a warrant to obtain a person's most sensitive and constitutionally protected information -- the contents of emails less than 6 months old.
For the reasons that follow, we think that Microsoft has the better of the argument. When, in 1986, Congress passed the Stored Communications Act as part of the broader Electronic Communications Privacy Act, its aim was to protect user privacy in the context of new technology that required a user’s interaction with a service provider. Neither explicitly nor implicitly does the statute envision the application of its warrant provisions overseas. Three decades ago, international boundaries were not so routinely crossed as they are today, when service providers rely on worldwide networks of hardware to satisfy users’ 21st–century demands for access and speed and their related, evolving expectations of privacy.In the full discussion, the court points out where the lower court went wrong, thinking that thanks to the PATRIOT Act, a warrant could apply to the location of the service provider rather than the location of the server. But the court says that's clearly wrong, and the Congressional record makes it pretty clear that it was looking to apply the law just to the United States. As for the idea that the warrant was really a subpoena in disguise, the court says that's not how it works:
Rather, in keeping with the pressing needs of the day, Congress focused on providing basic safeguards for the privacy of domestic users. Accordingly, we think it employed the term “warrant” in the Act to require pre‐disclosure scrutiny of the requested search and seizure by a neutral third party, and thereby to afford heightened privacy protection in the United States. It did not abandon the instrument’s territorial limitations and other constitutional requirements. The application of the Act that the government proposes ― interpreting “warrant” to require a service provider to retrieve material from beyond the borders of the United States ―would require us to disregard the presumption against extraterritoriality that the Supreme Court re‐stated and emphasized in Morrison v. National Australian Bank Ltd., 561 U.S. 247 (2010) and, just recently, in RJR Nabisco, Inc. v. European Cmty., 579 U.S. __, 2016 WL 3369423 (June 20, 2016). We are not at liberty to do so.
Warrants and subpoenas are, and have long been, distinct legal instruments. Section 2703 of the SCA recognizes this distinction and, unsurprisingly, uses the “warrant” requirement to signal (and to provide) a greater level of protection to priority stored communications, and “subpoenas” to signal (and provide) a lesser level. 18 U.S.C. § 2703(a), (b)(1)(A). Section 2703 does not use the terms interchangeably. Id. Nor does it use the word “hybrid” to describe an SCA warrant. Indeed, § 2703 places priority stored communications entirely outside the reach of an SCA subpoena, absent compliance with the notice provisions. Id. The term “subpoena,” therefore, stands separately in the statute, as in ordinary usage, from the term “warrant.” We see no reasonable basis in the statute from which to infer that Congress used “warrant” to mean “subpoena.”There is, of course, the further issue of Microsoft being a US company, but the court says that doesn't magically make its overseas data subject to these kinds of warrants, because the intent of the law is to protect the privacy of users' communications, not to make it easier for the government to snoop.
[....] We see no reason to believe that Congress intended to jettison the centuries of law requiring the issuance and performance of warrants in specified, domestic locations, or to replace the traditional warrant with a novel instrument of international application.
The reader will recall the SCA’s provisions regarding the production of electronic communication content: In sum, for priority stored communications, “a governmental entity may require the disclosure . . . of the contents of a wire or electronic communication . . . only pursuant to a warrant issued using the rules described in the Federal Rules of Criminal Procedure,” except (in certain cases) if notice is given to the user....The court goes on at length arguing that the Stored Communications Act's default is that communication privacy must be protected, and the exceptions are narrow.
In our view, the most natural reading of this language in the context of the Act suggests a legislative focus on the privacy of stored communications. Warrants under § 2703 must issue under the Federal Rules of Criminal Procedure, whose Rule 41 is undergirded by the Constitution’s protections of citizens’ privacy against unlawful searches and seizures. And more generally, § 2703’s warrant language appears in a statute entitled the Electronic Communications Privacy Act, suggesting privacy as a key concern.
The overall effect is the embodiment of an expectation of privacy in those communications, notwithstanding the role of service providers in their transmission and storage, and the imposition of procedural restrictions on the government’s (and other third party) access to priority stored communications. The circumstances in which the communications have been stored serve as a proxy for the intensity of the user’s privacy interests, dictating the stringency of the procedural protection they receive—in particular whether the Act’s warrant provisions, subpoena provisions, or its § 2703(d) court order provisions govern a disclosure desired by the government. Accordingly, we think it fair to conclude based on the plain meaning of the text that the privacy of the stored communications is the “object[] of the statute’s solicitude,” and the focus of its provisions.
All three judges on the panel agreed, but one -- Judge Gerard Lynch -- wrote a concurrence that tries to undercut the strong 4th Amendment/privacy arguments in the overall opinion, basically noting that he believes the decision doesn't come down to 4th Amendment issues or privacy protection, but merely how Congress drew up the law in the Stored Communications Act -- and basically argues that if Congress doesn't like this result, it can just rewrite the law.
It's also important to note that Rule 41 is the underpinning of much of this case, and that's the rule that the courts recently agreed to change to allow the DOJ more power to simply hack overseas servers. That shouldn't directly impact this particular case or similar situations, but does show how the DOJ is looking for ways to create endruns around limitations on domestic laws to try to get international data.
Still, for now, this ruling is a surprisingly good one, reinforcing privacy protections in overseas data. Kudos to Microsoft for going to court over this when it would have been quite easy for it to just give in and hand over the data. I assume that the US government will seek to get this ruling overturned, either via an en banc hearing on the 2nd Circuit or going to the Supreme Court, so the case isn't over yet. But, as for right now, it's in a good position.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 2nd circuit, 4th amendment, communications, doj, ecpa, email, ireland, jurisdiction, privacy, sca, subpoena, warrant
Companies: microsoft
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in thread ]
Eh... Sorry - but Congress cannot write laws to conflict the bill of rights.
The only way to change the amendments is with another amendment that would have to be voted on by a Continental Congress from all 50 states made up from the general population, not professional politicians (oxymoron if I've ever heard one).
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Eh... Sorry - but Congress cannot write laws to conflict the bill of rights.
[ link to this | view in thread ]
[ link to this | view in thread ]
Hiding in Plain Sight
You see, a corporation is a quasi-person in legal terms. Like a person, it is responsible to the law, and can face many various penalties if it ignores the law. If you are an American person, just because you are in Ireland, does NOT mean you can't be arrested and returned to the U.S., nor does it mean you can't be searched with indictable material being returned to the U.S. for proof. Even if the material does not violate Ireland's laws, doesn't mean that illegally holding classified material feloniously acquired won't leave you in federal prison in the end.
Sadly, this is EXACTLY what the courts just let Microsoft, a U.S. corporation, do. They KNOWINGLY parked data servers in Europe, refused to abide by U.S. court orders, and then the pansy 2nd Circuit Appeals court said, 'no problem'.
Tell you what, try doing this yourself, and see where it gets you. You'll find out that corporations are no longer 'quasi-humans', they are 'super-humans', doing things you'll do time for - and protected by the laws that would burn you alive.
[ link to this | view in thread ]
Re: Eh... Sorry - but Congress cannot write laws to conflict the bill of rights.
It's the responsibility of the courts to point out and invalidate those laws when that happens. Unfortunately, too many judges see their role as helping the government get around those pesky rules to "get the bad guys." In actuality, 'those pesky rules' were specifically placed in the Bill of Rights because the people feared that a Federal government as described in the Constitution would abuse it's power without such strictures.
[ link to this | view in thread ]
Re: Hiding in Plain Sight
[ link to this | view in thread ]
International Warrants
Hmmmm... What about the US warrants against Megaupload?
[ link to this | view in thread ]
Re: Hiding in Plain Sight
If the US government succeeded in this request, what would stop other governments going to their Microsft sunsidiary and demqanding data belonging to US citizens?
[ link to this | view in thread ]
Re: International Warrants
Megaupload was simply Hollywood's temper tantrum the day after the internet went dark, exposing SOPA. As the bright light of news coverage shone on SOPA, its supporters distanced themselves, slinking back into the shadows.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
[ link to this | view in thread ]
Response to: Padpaw on Jul 14th, 2016 @ 11:37am
[ link to this | view in thread ]
Re: Hiding in Plain Sight
You are aware that there are more than two countries on the planet right? It's not just 'The Grand US of A' and 'Everywhere else', and there are actual people and governments other than the US?
There are perfectly logical and legal reasons to set up data servers in other countries that have nothing to do with attempting to avoid US jurisdiction or whatever you want to call it.
[ link to this | view in thread ]
Re: Re:
And as for those citizens? I don't know, I don't live there. But from the tenor of a few American websites and their comments, a lot of Americans feel the behaviour and goals of their government and their courts is just as hostile to them as it is to us foreigners.
From back here, the USA looks like a rogue nation, cut loose from it's allies and it's own population, just a drifting malignancy of lobbyists, politicians and murdercops, looking for someone to prey on.
[ link to this | view in thread ]
Hmm, Let's see if we got that right
Now that monster with all our data can now SELL our data back to the government who will pay with US tax dollars that we, the data owners will pay for, not the tax avoiding monster. That's just delicious.
[ link to this | view in thread ]
Re: Re: Eh... Sorry - but Congress cannot write laws to conflict the bill of rights.
[ link to this | view in thread ]
MS has probably already provided access anyway
[ link to this | view in thread ]
Re: MS has probably already provided access anyway
[ link to this | view in thread ]
[ link to this | view in thread ]
Possibly not so easy to comply
> give in and hand over the data
It seems to me that this could have violated the European data privacy laws, no? (Assuming the servers were in Europe.)
[ link to this | view in thread ]