Supreme Court Agrees To Hear Case Involving US Demands For Emails Stored Overseas
from the spending-locally,-thinking-globally dept
The Supreme Court has granted the government's request for review of Second Circuit Appeals Court's decision finding Microsoft did not have to turn over communications stored overseas in response to US-issued warrants.
This is a pretty quick turnaround as far as tech issues go. The Supreme Court is finally willing to take a look at the privacy expectation of third party phone records (specifically: historical cell site location info), following years of courtroom discussion... which follow years of Third Party Doctrine expansion.
That being said, a resolving of sorts is needed to clarify the reach of US law enforcement going forward. The Second Circuit twice shut down the DOJ's requests to extend its reach to offshore servers. Even as the Microsoft case was still being litigated, other courts were coming to contrary decisions about data stored overseas.
The target in these cases was Google. Google's data-handling processes contributed to the adverse rulings. Unlike Microsoft -- which clearly delineated foreign data storage -- data and communications handled by Google flow through its servers constantly. Nothing truly resides anywhere, a fact the DOJ pressed in its arguments and the one two judges seized on while denying Google's warrant challenges.
The Supreme Court's ruling will be needed to tie these disparate decisions up into a cohesive whole.
Or not. Rule 41 changes that went into effect at the beginning of this year remove a lot of jurisdictional limitations on search warrants. On top of that, the DOJ has been angling for expanded overseas powers, pushing Congress towards amending the Stored Communications Act.
This, of course, is what the Second Circuit Appeals Court told the government to do: take it up with legislators. But if litigation is a slow process, legislation can be just as time-consuming. The DOJ wants permission now and the Supreme Court gives it the best chance of being allowed to grab communications stored outside of the United States using a warrant signed by a magistrate judge anywhere in the US.
In the meantime, the DOJ will continue to pursue amendments to the Stored Communications Act -- a law it's already taken advantage of, thanks to it being outdated almost as soon as it was implemented. Further rewriting of the law in the DOJ's favor would allow US law enforcement to become the world's police, serving warrants in the US to gather documents stored around the globe.
While this may seem like a boon to law enforcement, it should be approached with extreme caution. If this becomes law (rather than just a precedential court decision) the US government should expect plenty of reciprocal demands from other countries. This would include countries with far worse human rights records and long lists of criminal acts not recognized in the US (insulting the king, anyone?). The US won't be able to take a moral or statutory stand against demands for US-stored communications that may be wielded as weapons of censorship or persecution against citizens in foreign countries. Whoever ends up handing down the final answer -- the Supreme Court or Congress -- should keep these implications in mind.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: domestic, ecpa, emails, foreign, sca, scotus, stored communications act, subpoena, supreme court, warrants
Companies: microsoft
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
They Work for the U. S. Government
[ link to this | view in chronology ]
Should probably depend on the nationality and residence of the target
Guidelines that would make sense would take into account the residency and nationality of the target. It doesn't make much sense that I can help to insulate my affairs from law enforcement investigation by telling Amazon, or whomever, to store my data in another country, even though both Amazon and myself are US entities.
Now, if if the target is foreign, and the data is stored local to the target, even if the company holding the data is local, certainly the privacy laws of the target's country should be taken into account.
[ link to this | view in chronology ]
Re: Should probably depend on the nationality and residence of the target
It doesn't make much sense that I can help to insulate my affairs from law enforcement investigation by telling Amazon, or whomever, to store my data in another country, even though both Amazon and myself are US entities.
You can do it with your money, so why not?
What I actually find problematic is multiple sets of rules, period. Why should foreign anything be an easier target? Why should the general human rights enshrined in the Constitution not apply to any human being? (We keep losing them in the States, too, so eventually we may all be equal if not free.)
If you have a valid (truly valid, not gaming, not enhanced by ridiculous new laws or "interpretations", not because you can find the right judge to sign anything) warrant for a particular thing, then sure why not make someone subject to US law (i.e., legal punishment) cough it up?
The real problem is the expansive power to subpoena large swathes of whatever pretty much on a whim, keep it forever, and not discard irrelevant information regarding unrelated parties or things unrelated to any supposed investigation.
[ link to this | view in chronology ]
You got things exactly backwards
I didn't say that. Not one bit.
In fact, I said the exact opposite. "if the target is foreign, and the data is stored local to the target, even if the company holding the data is local, certainly the privacy laws of the target's country should be taken into account." So it the target of the investigation is European, and the data is on a European server, the EU privacy laws should be part of the calculus for granting the warrant.
[ link to this | view in chronology ]
Re: Re: Should probably depend on the nationality and residence of the target
Why should the general human rights enshrined in the Constitution not apply to any human being? (We keep losing them in the States, too,
The reason you are losing them in the US is precisely BECAUSE the constitution is not applied to every human being everywhere.
The non-applicability of the constitution to non-US nationals together with its non-applicabilty outside the US provides the thin end of a very convenient wedge that is steadily being used to destroy most of the rights granted by the constitution.
Already being "near the (physical) border" is sufficent to remove constitutional protections. The next step (if not already taken) will be "near the (cyberspace) border", which in practice == everywhere.
[ link to this | view in chronology ]
Re: Should probably depend on the nationality and residence of the target
So why should foreigners be able to "insulate their affairs from law enforcement" by storing their data in foreign countries? Why should foreigners have more rights than US citizens? You do realize that the US government doesn't "own" it's citizens, don't you? The US once fought a civil war partly over the idea of owning people.
[ link to this | view in chronology ]
Re: Re: Should probably depend on the nationality and residence of the target
[ link to this | view in chronology ]
Re: Re: Should probably depend on the nationality and residence of the target
Because people not in the US are NOT SUBJECT TO US LAW. It's the same reason why you are free to insult the king of Thailand or why your mother is free to leave the house without a male guardian accompanying her, or show her ankles in public.
The US should keep it's grubby hands off of my data, fuck you very much.
If US law enforcement has a legitimate grievance against a citizen of a different country, they can work together with that countries' law enforcement.
You are a fucking moron.
[ link to this | view in chronology ]
Wait? What?
All I'm saying is that the US government's jurisdiction should be limited when it's regarding data whose only connection to the US is that it happens to reside on a server owned by a company that has business in the US.
[ link to this | view in chronology ]
Re: Wait? What?
[ link to this | view in chronology ]
Care, custody, and control...
Where are Techdirt's records physically? I don't know that even Techdirt knows the zip code, and there's any number of rentable server racks it could migrate to pretty much imperceptibly.
And Techdirt, as it were, is probably pretty thin compared to,say, equifax or microsoft or facebook on those records, too.
I think the standard would have to be the locus of control...who has care, custody, and control over the records, just like the standards for discovery. Now, how do we apply that if the call center is in india, with americans, mexicans, and canadians all calling in?
[ link to this | view in chronology ]
The last thing the courts would want to do is create a situation where companies are encouraged to offshore data to avoid responsibilities for it. It would be easy to see every American company putting it's data into a "haven" countries strictly to avoid any and all government regulation. Think of it on par with tax avoidance, every big company does it.
I think in the end the will end up having to deal with the basic concept that if the company is here in the US, and the data is accessible and used in the US, then there is no doubt that it should be accessible via warrant or court order.
You could also consider the question from Europe of offshoring data. There is plenty of push back in making sure that the data stored in the US is respecting European privacy standards and what not. Clearly, as far as the Euro side is concerned, the data belongs to them no matter where it's been farmed out to. It's not unreasonable for SCOTUS to come to the same conclusion for data created in the US, held by companies based in the US, or for US citizens, residents, and the like.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
That's one way to stop Russian hackers.
[ link to this | view in chronology ]
what if the company is foreign?
If US-based companies are susceptable to third party searches by the United States, doesn't that incentivize me as a business to use foreign-based cloud services? Especially since the US DoJ is known for regarding Fourth Amendment protections as inconvenient.
By the time this era is done the US may be as isolated as North Korea.
[ link to this | view in chronology ]
Doing it wrong
The whole issue could have been avoided if diplomats proposed and legislatures ratified reciprocity treaties for warrants with foreign countries. That would have been the proper and lawful way to deal with out of jurisdiction warrant serving.
Doing it properly would also involve some limitations. Like obvious caveats like needing to meet an agreed upon evidentiary standard and the cause for the warrant actually violating both country's laws.
[ link to this | view in chronology ]
Re: Doing it wrong
You mean like with Kim Dotcom in New Zealand? Oh, wait...
[ link to this | view in chronology ]
Kim Dotcom
The Kim Dotcom raid was a corporate action using ICE as mercenaries in which an alleged civil grievance was used to justify the use of ambiguous US law to attack a business and its civilian owner.
Considering the case is still in litigation, and continues to show no wrongdoing by Kim Dotcom, I'd say it's a bad example of anything, except how US agencies can be too-easily prepurposed to function as corporate heavies.
[ link to this | view in chronology ]
Re: Kim Dotcom
[ link to this | view in chronology ]
"The Supreme Court is finally willing to eliminate the privacy expectation of third party phone records (specifically: historical cell site location info), following years of courtroom discussion... which follow years of Third Party Doctrine expansion."
FTFY
I don't think the current administration would have any qualms about handing over such information anyway.
[ link to this | view in chronology ]