Pennsylvania Court Shrugs Off Microsoft Decision; Says Google Must Turn Over Emails Stored At Overseas Data Centers
from the redefining-'seizure' dept
Just south of the Second Circuit Court of Appeal's district, a Pennsylvania (3rd Circuit) federal judge has come to (nearly) the opposite conclusion on law enforcement's access to emails stored overseas. This case deals with two FBI SCA (Stored Communications Act) warrants seeking emails that Google says aren't stored in the United States. Google, however, also says the sought emails could be at any of its data storage sites -- which would include those in the US. It all depends on when it's asked to retrieve the communications.
And there's where this decision parts ways with the Second Circuit, which found that emails stored in an Irish data center weren't subject to US-issued warrants. The court explains [PDF] Google's process for handling user data, which is built for efficiency, rather than what's central to the FBI's demands: efficiency of retrieval in response to law enforcement requests.
Google stores user data in various locations, some of which are in the United States and some of which are in countries outside the United States. Some user files may be broken into component parts, and different parts of a single file may be stored in different locations (and, accordingly, different countries) at the same time. Google operates a state-of-the-art intelligent network that, with respect to some types of data, including some of the data at issue in this case, automatically moves data from one location on Google's network to another as frequently as needed to optimize for performance, reliability, and other efficiencies.
As a result, the country or countries in which specific user data, or components of that data, is located may change. It is possible that the network will change the location of data between the time when the legal process is sought and when it is served. As such, Google contends that it does not currently have the capability, for all of its services, to determine the location of the data and produce that data to a human user at any particular point in time.
Because of the way Google handles data, it theoretically could refuse every US law enforcement request for communications. (It could do the same to foreign requests as well.) This makes Google's case distinguishable from Microsoft's legal battle. Microsoft knew exactly where the stored communications were located. Google says the communications might be anywhere -- in one place upon receipt of a warrant and in another when retrieval efforts begin. As the court sees it, the Second Circuit's ruling would basically make Google completely immune to law enforcement requests.
[I]f the court were to adopt Google’s interpretation of the Microsoft decision and apply such a rationale to the case at bar, it would be impossible for the Government to obtain the sought-after user data through existing MLAT channels.
The "fix," according the Pennsylvania court, is to have Google round up the sought communications in the US, putting them within reach of the FBI's warrants.
In contrast, under this court’s interpretation, Google will gather the requested undisclosed data on its computers in California, copy the data in California, and send the data to law enforcement agents in the United States, who will then conduct their searches in the United States.
Of course, this means compelling Google to do something with its data that it doesn't normally do, which would make it a seizure. And since the data sought is constantly in transit, the court is giving the government the power to step in and alter Google's data-handling. This would obviously be a seizure of data potentially stored (at least temporarily) in foreign countries. To get around the Fourth Amendment concerns this raises -- not to mention the expansion of the US government's power to compel the production of data from foreign servers -- the court decides no seizure actually takes place until the government takes control of the data Google has been ordered to compile.
In contrast to the decision in Microsoft, this court holds that the disclosure by Google of the electronic data relevant to the warrants at issue here constitutes neither a "seizure" nor a "search" of the targets' data in a foreign country. This court agrees with the Second Circuit's reliance upon Fourth Amendment principles, but respectfully disagrees with the Second Circuit's analysis regarding the location of the seizure and the invasion of privacy.
[...]
Electronically transferring data from a server in a foreign country to Google's data center in California does not amount to a "seizure" because there is no meaningful interference with the account holder's possessory interest in the user data. Indeed, according to the Stipulation entered into by Google and the Government, Google regularly transfers user data from one data center to another without the customer's knowledge. Such transfers do not interfere with the customer's access or possessory interest in the user data. Even if the transfer interferes with the account owner's control over his information, this interference is de minimis and temporary.
This is a really weird -- and wrong -- interpretation of the word "seizure." While it's true the FBI won't actually have taken possession of the emails until after Google has gathered them in a California datacenter to make them more Fourth Amendment-compliant (or whatever), the fact that Google has to interrupt its normal flow of data at the government's request would appear to make that initial interruption a "seizure" -- de minimis or not.
In essence, the court is saying the Fourth Amendment doesn't apply to data in transit. The government can compel the collection of overseas data and have the Fourth Amendment applied to it after it's already been gathered and stored locally. The decision makes a mess of the Fourth Amendment cart-horse configuration, but figures this is more acceptable than informing the FBI that its warrants might be useless.
The better conclusion to reach would be the one the Second Circuit reached: if the concern is that the 30-year-old SCA limits law enforcement's ability to demand data from overseas data centers run by US companies, the solution lies with the entity that created it (Congress), rather than the courts. This decision will be appealed and it's safe to assume the Third Circuit Court of Appeals will arrive at the same conclusion.
Even if Congress doesn't "fix" the SCA to make US companies with foreign data centers more responsive to law enforcement demands, cases going forward may start applying the Rule 41 changes that went into effect at the beginning of this year, which greatly expand the jurisdictional reach of US court-issued warrants. As for Google, its system isn't built with law enforcement's needs in mind, nor should it be. It does what works best for it, which is what we expect from private companies. This ruling gives law enforcement a workaround for dealing with the SCA's limits, so some forum shopping should be expected until this decision is (hopefully) overturned.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 4th amendment, ecpa, emails, pennsylvania, stored communications act, subpoena, third circuit, warrant
Companies: google, microsoft
Reader Comments
The First Word
“Wait a sec. Did a District Court judge in Eastern Pennsylvania (where I live) just come out and essentially say, as a key part of an official ruling, that copying is not theft because making a copy doesn't interfere with the owner's use of the original?
The wide-ranging implications are staggering!
Subscribe: RSS
View by: Time | Thread
Wait a sec. Did a District Court judge in Eastern Pennsylvania (where I live) just come out and essentially say, as a key part of an official ruling, that copying is not theft because making a copy doesn't interfere with the owner's use of the original?
The wide-ranging implications are staggering!
[ link to this | view in thread ]
Re:
A better question might be made about when. Did the move take place before or after notice of a subpoena? Another might be, is Google purposefully storing email in a country other than recipients/creators places of residence, in order to prevent government snooping? This might or might not be to Google's advantage as it would (in the long run) teach governments to not try to get at email.
[ link to this | view in thread ]
What's the issue with providing information about a US person subject to a warrant?
[ link to this | view in thread ]
[ link to this | view in thread ]
Filing Cabinets
The best way to think about this is if Microsoft and Google were letter carriers that store copies in filing cabinets.
Microsoft keeps their letters all in one place per client. Meanwhile, Google says shipping is cheap and puts the letters wherever they have free space. The court order is telling google to ship the letters to the US so the FBI can then seize it.
If the filing cabinets are in the US, then the US can easily get to them. If they're in a foreign country, then you need a foreign country's permission to get to their filing cabinets. Countries don't take it lightly when foreigners raid their businesses. It's that whole sovereign nation thing.
The only time this analogy breaks down is in the US you don't actually need a warrant to get old E-Mails. As far as US law is concerned, if those E-Mails have been sitting in the filing cabinets for long enough they're considered "abandoned." Microsoft and Google aren't exactly going to say that the US can do this though. In addition to the business loss, widely publicizing this government over reach jeopardizes multiple treaties these companies rely on.
[ link to this | view in thread ]
Re:
But another issue is that they seem to want to serve warrants to third parties as much as possible, instead of serving, you know, the actual person under investigation. Try serving warrants to large corporations for their own internal information, and see how long that can take. The only time they fight like hell for the information they want is when attempting to get third-party information and set legal precedents and the general climate. I can see why Google, or anyone else, would want this thoroughly examined. They can flip the win here back on cases like the Microsoft case. Collect the data so it is here, then hand it over.
[ link to this | view in thread ]
Re: Filing Cabinets
Because Google has no way of knowing where the data is and even admit that the data might be in the USA or maybe it's not, they're not sure, the judge rightfully is ordering them to produce all data which may or may not be in the USA to the government. They had a chance to argue that the data isn't in the USA, but they failed to argue such a case because they themselves do not know the location of the data.
So really, I have no problem with this ruling and it doesn't conflict with the ruling in Washington at all. In fact, it's pretty much just reiterating that compelling Google to move data known to be outside of the country into the country constitutes a foreign search.
[ link to this | view in thread ]
Distributed File Systems
Google is a major contributor to distributed file system development. These are things that look like one "disk" to anyone accessing it, but are based on man hard drives running on many different computers.
These systems are "intelligent". So if I were in Japan, it would see that and slowly move my data over to an Asian data center. Because, that way I'm not waiting for signals to travel halfway across the world and back again every time I want to read an E-mail.
Here's a more likely example: Someone in Japan sends me (in the US) an E-mail. Google recieves that E-mail at their Asian data center, but knows I'm in the US. So, whenever I read that E-mail, or if the US data center has extra space and Google have spare bandwidth, Google will transfer it over to the US.
Managing such a system has to be a huge effort. To find where a specific file is, they have to: find all the data blocks, map those blocks to actual disks/machines, and find out where those machines are. The best part is there are multiple copies of each block, so if a machine dies it doesn't take data with it. Then, 5 minutes later the system could shift and move all that data overseas.
The tools just aren't designed to say that this file must be on this machine. The way Google dealt with China was just setting up an entirely separate network. That is why orders like this, or the possibility of the EU requiring all data to be stored within it's borders scares Google so much. They'd go from one distributed fault tolerant network, to a bunch of small vulnerable networks.
[ link to this | view in thread ]
For all of this...
2. For all the Information data exchange and the INTERNET...
There is NO PROTECTED PRIVACY
except the USPS..the USPS is covered..unless there is ALLOT of paper work, they CANT check your mail..
[ link to this | view in thread ]
Re:
At the time of a law enforcement request, Google doesn't know where the data is located. Therefore, it's a crap shoot for law enforcement to try to get a foreign law enforcement agency to cooperate.
This is superior to Microsoft's approach. Microsoft knew the data was in Ireland. Microsoft argued that Irish law enforcement could require Microsoft to produce the data.
With Google's approach, law enforcement doesn't know what jurisdiction to cooperate with to produce the data. This could get national jurisdictions into a pissing match.
The FBI could try to get all jurisdictions where Google data centers are located to all simultaneously serve a warrant for the sought after data. But that is a much higher bar to jump over.
[ link to this | view in thread ]
Re: Re: Filing Cabinets
The problem with this ruling is it's forcing Google to make huge technical changes to their infrastructure. I'm talking Billions of dollars worth here. At best, Google can spend a couple million to put in hacks and treat the person under investigation as a special snowflake. Except, if those hacks do involve moving data out of say the EU, then Google just broke EU law. Especially since, everyone but this judge believes ordering Google to move things so the Feds can get it is a seizure.
Even ignoring the dubious international legality, the US really doesn't want to be known for having courts that can force company's to completely restructure their internal organization on a whim. The cost to implement the court order means this will be fought as long as possible. If Google loses, then this is additional (not codified) regulation international companies will be wary of when dealing with US markets.
[ link to this | view in thread ]
Re: Distributed File Systems
B = random data block
C = A XOR B
Now delete A. A can be reproduced with C XOR B. But neither B nor C are plaintext. Now store B and C in different countries, on purpose. (Note you could XOR with multiple random blocks so that there are three or more parts that must be recombined to reproduce block A.)
Now to reproduce block A, at least one block is required from a foreign country.
Blocks could be stored in multiple countries such that if some number of countries are inaccessible, all necessary blocks can still be retrieved to reproduce the original data.
This helps make data big-brother proof.
Note that you don't need quite as many random blocks as you think. Block B could be used again on some other customer's data block somewhere. Just don't use it too often. It still needs to be a drop in the ocean of random data blocks.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Re: Filing Cabinets
Google can call up this data in milliseconds, no changes needed.
[ link to this | view in thread ]
Re: Distributed File Systems
How that works in Hong Kong, Japan, et al is a totally different set of legal issues and could prove to be an violation of a country's sovereignty. I would think it's sort of like when Turkey tried to extradite Fethullah Gülen from his home in the US. They had to go through proper extradition procedures since there isn't a treaty in place and the US court system found the evidence to be lacking.
[ link to this | view in thread ]
I have a fix for this...
[ link to this | view in thread ]
Re: Re:
That is because it makes it difficult to Impossible for the actual target to defend their rights.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
It like panynj tried to say they not liable to subpoenas in 9/11 cases because they span two states.
[ link to this | view in thread ]
Re: Re: Re: Re: Filing Cabinets
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Filing Cabinets
[ link to this | view in thread ]
This isn't like Microsoft. Google is an entirely different circumstance and the courts really need to ensure that a company like Google isn't circumventing the law in order to make it untouchable by any court in any country.
[ link to this | view in thread ]
Re: Re: Distributed File Systems
It reminds me of Wikileaks, who, from very early on, claimed to be routing every request through Sweden. Assange said they were doing it specifically because the Constitution of Sweden protected whistleblowers. This may be one of the earliest "practical" examples of such a legal hack, although cypherpunks talked about similar things earlier.
[ link to this | view in thread ]
USPS
[ link to this | view in thread ]
Re: Re: Filing Cabinets
This seems odd. But consider this - Google is a Search Company. They are in the business of knowing where things are. For them to say they don't know where it's at is laughable, since somehow they obviously know where an index is located where it can be requested from where ever it is.
[ link to this | view in thread ]
Re: Re: Re: Filing Cabinets
In a shell game a scammer purposefully and deceptively hides the pea. You accusation that Google is doing the same without evidence to support it is dishonest.
[ link to this | view in thread ]
Re:
Oh? Which law is Google circumventing?
[ link to this | view in thread ]
Only rights to PRIVACY
TELEPHONES(NOT CELLPHONES, not pagers, NOTHING)
AND the MAIL...the OLD SNAIL MAIL..
these 2 have MORE protection than ANY OTHER..
And the FIGHT goes on, between those that WISH to monitor EVERYTHING, Those that just dont want warrants, Those that THINK it IS private, and those that JUST WANT TO HIDE STUFF..
[ link to this | view in thread ]
Re:
In any case, manipulation of judicial system should not be allowed.
Like, oh I dunno, changing the law so you don't actually have to get a warrant in the jurisdiction a crime is taking place, but can get it from any court, and use it on any system?
[ link to this | view in thread ]
Re:
When a company like Google can effectively circumvent any law in any country, it makes them untouchable by the courts.
Damn right, that sort of thing is only acceptable when the Holy American Empire does it!
Who cares about such trivialities as 'demanding a company provide information located outside US jurisdiction, and despite that fact that ordering a company to provide that information could very well put it in the position of ignoring a US court order or violating the law in another country', US law always gets priority.
[ link to this | view in thread ]
Re: Re: Re: Re: Filing Cabinets
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Filing Cabinets
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Filing Cabinets
> actually say you can search a server, but the data may or
> may not be there from the time you request the data till
> the time you search it. They've hidden the pea, and they
> are telling you they can't find it.
The difference here is that in a shell game, the pea is only moved when the operator intentionally moves it, and the only reason why the operator does so is to prevent the mark from correctly identifying the location.
In the case at hand, the data is moved around automatically all the time even without the operator's intervention, and this serves a valid purpose completely unrelated to preventing government from accessing that data.
> When every indication that if the owner of the pea asks
> for it, I absolutely assure you that Google will present
> it to them.
The difference here is that the owner of the data has the legal right to access that data regardless of jurisdiction, whereas the US government does not have the legal right to access data that is not within US jurisdiction.
It's not about whether Google can _find_ the data in order to present it; it's about whether the party asking for the data has the legal right to access the data in the location where it is stored.
The owner has that right no matter where the data is. (Unless the laws of the jurisdiction where the data happens to be disagree with that, but presumably Google would not set up a data center in such a jurisdiction.)
A government does not have that right unless the data is within the jurisdiction of that government.
[ link to this | view in thread ]
Re: Re:
Doesn't matter. MAI Systems v. Peak Computer, 991 F.2d 511 (US 9th Cir. 1993). Admittedly the court got it embarrassingly wrong, but that happens and you get to live with it.
(and who came up with the dumb idea to use this ``use markdown'' cruft anyway?)
[ link to this | view in thread ]