On Tuesday, the 2nd U.S. Circuit Court of Appeals denied, by a 4–4 split, the government’s petition for rehearing en banc in a suit against Microsoft. It’s a result that is bad for privacy, security, and the future growth of the internet—and calls out for Congress to take action in response.
The denial was accompanied by one concurrence and four dissents—the tenor of which highlights the contentiousness, importance, and unsettled nature of the key issues. The end result: The 2nd Circuit panel decision stands. U.S. warrant authority only extends to stored communications content (like emails) that are physically located in the United States—even if U.S. law enforcement is seeking access to the data of a U.S. resident in the investigation of a local crime, and the only foreign government connection is that the sought-after data happens to be held in that foreign country’s jurisdiction.
It is an outcome that makes little sense, which in fact appears to be the one thing that all sides of the case agree on. All five opinions issued in connection with the rehearing denial suggested that the result was unsatisfying and urged congressional action as a result. Even Brad Smith, the president and chief legal adviser of Microsoft, coupled his praise of the decision (after all, his side won) with a call for Congress to “modernize” the law—and thus modify the result in the case.
I couldn’t agree more.
The case stems back to December 2013, when the government, as part of an investigation into a narcotics case, served a warrant pursuant to the Electronic Communications Privacy Act on Microsoft for emails associated with a particular account. Microsoft refused, asserting that the data was located in Dublin and claiming that this was therefore an impermissible extraterritorial application of the government’s warrant authority. The government fought back, noting that Microsoft could access the data from Redmond, Washington, where it is based, which made this a territorial search, not an extraterritorial one. Although the magistrate and district court judge sided with the government, in July a panel of the 2nd Circuit reversed.
Specifically, the 2nd Circuit ruled that the ECPA does not have extraterritorial application, meaning it does not apply to searches and seizures that take place outside the United States This part was uncontroversial. But the 2nd Circuit also concluded that the “focus” of the statute was on protecting privacy. It ruled that the privacy intrusion occurs when and where the data is seized, and it held that because the data was located—and seized—in Ireland, the warrant is invalid.
It’s a conclusion that is hard to support.
Even if the 2nd Circuit is right that the key focus of the statute is about protecting privacy, it is not at all obvious that the privacy intrusion occurs where the data is located, as opposed to where it is disclosed. (Judge Susan Carney, the panel decision’s author, actually acknowledges the difficulties in pinpointing the “location” of the privacy violation—calling the effort an “elusive inquiry, at best.”) Microsoft has access to and regularly moves its customers’ data across borders, without notice to or consent by its customers. Any additional privacy intrusion occurs not when Microsoft transfers its customers’ data from one location to another, but when Microsoft turns that data over to the U.S. government. That happens in the United States, not Ireland. (Judges José A. Cabranes and Reena Raggi are worth reading on this point.)
And even if the panel is right that the focus of the statue is on privacy, the ruling does little to nothing to advance it. After all, the U.S. government proceeded by a warrant based on probable cause, as reviewed and approved by an independent judge. That means there wouldn’t be any privacy violation if the data were located in the United States. There isn’t any additional privacy intrusion simply because the data happens to be held outside the United States.
In fact, the ruling is arguably bad for privacy. To get access to emails that happen to be stored outside its borders, the U.S. government now must turn to what is known as a mutual legal assistance treaty and request the foreign government that happens to have jurisdiction turn it over. The recipient foreign government then accesses the data based on its own substantive and procedural standards—standards that are generally lower than that of probable cause review by an independent judge.
Furthermore, the potential costs to security are concerning. As a result of the ruling, U.S. law enforcement will be unable to get data needed for the investigation of local crimes, simply because of where the data happen to be stored. The United States only has mutual legal assistance treaties with about one-third of the world’s countries. (It does have one in place with respect to Ireland and all other EU countries.) This means that in many cases there isn’t any workable process for the United States to request sought-after data from the government where the data happens to be located. Moreover, even when there is a treaty in place, the process is often slow and laborious. The lag time between when a request is made and data is actually produced means that information may not be produced in time to be useful. And in some situations, there is no government with jurisdiction to compel production of sought-after data, no matter how critical or how substantive the procedural protections are in place.
Finally, the opinion entrenches the rather nonsensical notion that location of data is the exclusive determinant of whether the government can access sought-after data. (In the words of Judge Dennis Jacobs: “[l]ocalizing the data in Ireland is not marginally more useful than thinking of Santa Claus as a denizen of the North Pole.”)
Among many problems, this approach incentivizes data location mandates as a way to ensure a government’s access to and control over data. Such mandates are not only bad for privacy, but they are inefficient and costly—pricing startups that can’t afford the costs of purchasing storage space in multiple jurisdictions out of the international market.
Hence the near unanimous calls for Congress to rewrite ECPA to better reflect the privacy, security, and economic interests at stake. So what should Congress do? It should make clear that U.S. law enforcement is, as a general matter, able to compel, via a warrant based on probable cause, U.S.-based providers to disclose communications content within their custody or control, regardless of where the data is located. But Congress also should ensure that the countervailing interests of sovereign states are taken into account. Specifically, it should specify that if the warrant targets a non-U.S. person (meaning not a citizen or legal permanent resident) located outside the United States, the reviewing court must take into account potential foreign governments’ interests—effectively requiring as a matter of statute what is now done by courts as a matter of discretion. In cases of conflict, the U.S. government should be required to make a mutual legal assistance request for the data, absent a finding of an urgent need for the data and the absence of a workable alternative for accessing the data in a timely matter.
Such an approach reflects the notion that the United States should be permitted to access, pursuant to valid warrants, the stored communications of its citizens and residents in the investigation of criminal activity, regardless of where the data is located. This offers both a shield and a sword—ensuring that the relatively robust warrant requirement applies when the law enforcement seeks the data of U.S. citizens and residents and also guaranteeing that the government can access that data when the warrant standard is met. Such an amendment to ECPA also reflects the view that governments have a sovereign interest in controlling access to data of their citizens and residents—and that these interests need to be taken into account.
There is of course the possibility that the 2nd Circuit case will be appealed to and ultimately reversed by the Supreme Court. But this too would be an unsatisfactory answer. A Supreme Court reversal eliminates the key problems I outline above, but it would also create new ones. If U.S. warrant authority extends to any data anywhere, without any limitation based on legitimate sovereignty concerns, what is to prevent other countries from asserting the same? The United States would—and should—be concerned if foreign governments began demanding that U.S. subsidiaries start directly producing U.S. citizen and resident data, rather than accessing that data via the mutual legal assistance process. And in fact some governments are making just such moves. Belgian courts have asserted the broad authority to compel the production of data, irrespective of the location of the target, data, or provider. U.K. law now explicitly provides for extraterritorial disclosure authority. Others are likely to follow suit.
Simply put, this is just too complicated to leave to the courts. It’s time for Congress to step up—as just about everyone from a wide variety of perspectives (and party affiliations) agrees.