I recently had the pleasure of joining Fr. Robert Ballecer, SJ and the TWiET crew to talk about the legal perils of extraterritorial data storage, aka Microsoft v. United States of America, In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation.
It’s not much of a movie title. Not surprisingly, I spent a bunch of time digging into the details of this case so far. Some of what I learned might have been a little too detailed for a fast-paced format like TWiET, but there’s always the blog!
First, though I occasionally wear a suit and use big words, I am not a lawyer. If you’re looking for legal advice, this isn’t the blog for you.
Back in 2013, the U.S. Department of Justice issued a warrant to Microsoft. In it, they required that Microsoft turn over emails related to an unnamed MSN email user as part of a drug trafficking case. Microsoft refused, saying that because the emails were stored in Ireland, not inside the United States, the DOJ didn’t have jurisdiction for a warrant.
Microsoft lost the case and appealed, then lost again and appealed. It’s now in its third appeal in the Second Circuit Court of Appeals.
We’re here because Microsoft made headlines with their oral argument in the Second Circuit court, which claimed that upholding the warrant would result in a “global free-for-all” and that “any country with jurisdiction over a provider can reach into any other country and plunder our e-mails.” They may have used the term “international firestorm.”
It’s worth noting that neither party in this case claims that the US government shouldn’t have access to this data. It’s accepted that there’s sufficient cause.
Microsoft says that a ruling against them would be disastrous. It would set a precedent allowing the US government free rein to go after data stored anywhere around the world, and as a consequence, other countries will do the same.
One immediate impact would be that non-US countries would begin taking data on US citizens stored in the United States. It would threaten the sovereignty of the US and other countries. The secondary effect would be that companies, and users, globally would actively avoid US businesses because their data wouldn’t be safe from government spying.
In other words, there would be a material impact on not just Microsoft’s business but the economy in general. The Microsoft argument hinges on the conclusion that this is an extraterritorial search. We might call this the “Data Domino Argument.”
The United States Argument
The US government argues that this is not an extraterritorial search at all; the service provider, Microsoft, is the subject of the warrant, not the end user, and therefore must comply with the law in the country where the service is based. The data specified is in the provider’s custody, regardless of geographic location.
In the government’s view, none of the issues that Microsoft has brought up apply, because Microsoft’s base argument that the search is extraterritorial is wrong. The government argues that the result of ruling against the United States would be that criminals thrive and can hide their super-secret plans simply by choosing a provider that stores email somewhere else. We might call this the “Protect, Serve and Seizure Argument.”
Two Thought Experiments
Honestly, I think there’s merit in both of the arguments here. How do we come to a conclusion, then, as to the right ruling? Let’s work through two thought experiments about how this ruling might apply to future real-world scenarios.
Multi-Territorial Data Storage
Isn’t the idea that data is stored in a single location getting old? We already live in a world where our personal data (contacts, photos, etc) are stored in multiple locations. It’s hardly a stretch to imagine it might be stored in multiple countries.
It wouldn’t surprise me one bit to learn that Apple or Google moves my data around the globe for faster access based on the location of my phone. Multiple copies of the data are one thing, but what about a single copy distributed across borders? How would this ruling play out if the data required was literally split across countries?
Without further clarification, the Data Domino Argument would require that the US government work through each individual country to obtain the pieces of the data required to assemble the whole. That’s a pretty hefty burden, and it certainly doesn’t address data stored in a country where we don’t have an agreement in place.
Without further clarification, the Protect, Serve and Seizure Argument would be far simpler, requiring that the controlling entity, assuming that entity is the US, assemble and provide the data required.
In other news, we’re all talking about encryption, government backdoors, and privacy. The email in question here isn’t encrypted, apparently, but it’s a useful thought experiment to consider how this would work if it were. There are two ways to look at encryption here. Ok, there are lots of ways to look at encryption here, but I’m going to look at two broadly: first, the case where the provider has the ability to decrypt the contents, and second, the case where only the user has the ability to decrypt the contents.
In the first case, the Data Domino Argument is unchanged if the keys are stored in the same country as the data requested. If the keys are stored in the US, however, this argument is substantially weaker. In that case, the country in possession of the data could not actually provide the content, but the provider could do so.
In the second case, where only the user could decrypt the content, we’re into the murky waters of key disclosure laws in the US. Essentially, the precedent set here wouldn’t apply unless the United States could obtain the key from the user, at which point we’d be back to plaintext content.
Fair warning here, this section might be painful, but I think these details are pretty interesting.
In case you’re interested, this case starts with the Electronic Communications Privacy Act (ECPA), which was passed in 1986, and more specifically with the Stored Communications Act section of that law. The ECPA has been amended by more recent laws, including the CALEA (1994), FISA (2008) and the PATRIOT Act (2001).
Warrants and Subpoenas
There’s also a distinction between a warrant and a subpoena that’s relevant to this case. Subpoenaing a business’s records is one type of legal action, while a warrant is required for access to customer communication and is thus analogous to a phone tap.
The ECPA/SCA basically says that the government can compel the provider to disclose the customer contents with either a search warrant, a court order, or a subpoena, depending on what data they’re asking for. Google has a nice explanation of how this works, actually. So the government is free to use any of these legal mechanisms. Each requires a different level of review and cause.
The other aspect is what opportunity the subject has to protest. A warrant is for a search and requires specifying what you’re searching for; the subject has no opportunity to stop that search. A subpoena requires the subject to collect items in their possession, but they can move, legally, to quash it.
This is relevant to the case because one of Microsoft’s points was that the requested data isn’t Microsoft business records, so it can’t supply them in response to a warrant. The government should subpoena the records from the user. The lower courts then referred to the warrant as a “hybrid warrant,” potentially setting a concerning precedent for burden of proof.
Nationality of the Subject and the LEADS Act
So the ECPA defines this process of accessing communications, stored and in transit, but it’s quiet on the subject of the nationality of the target. While the nationality of the subject in the Microsoft case hasn’t been disclosed, it could be relevant. After all, does the US have the right to search or subpoena data from a foreign national stored on foreign soil because they are using a US provider?
The Law Enforcement Access to Data Stored Abroad (LEADS) Act is intended to help answer this question from a legal perspective. It’s a rare beast, being both bicameral and bipartisan. The act basically says, clearly, that the US government can’t compel disclosure of data via a warrant if that data is stored outside the US, unless the account holder is a US citizen. This legislation is currently “in committee” in both houses of Congress.
Mutual Legal Assistance Treaties
This can’t be the first time the US government has needed to get data from a foreign country, right? It’s not. In the past, these needs have been met with Mutual Legal Assistance Treaties, which describe how we’ll be data BFFs with other countries. There’s a list here.
Isn’t this fun?! There’s no clear-cut conclusion for me here, except that the issue is hugely complicated already. Microsoft has some compelling points and potentially some legal details to stand behind.
The United States argument appears very reasonable at face value, especially if you consider how technology may change in the near future. The best part is that we get to hear more about all of this as the case proceeds.