Rarely do Microsoft, AT&T, Verizon, Apple, Cisco and the ACLU all agree on a particular subject; rarer still that such an unlikely coalition fails.
Last week, in a case of first impression, a District Court in New York denied Microsoft’s request to quash a portion of a government warrant seeking data about a customer’s MSN.com email, from a Microsoft server located in Dublin, Ireland. The warrant was issued by the government pursuant to the Stored Communications Act (the “SCA”), which was enacted almost three decades ago to address disclosures by Internet Service Providers (“ISPs”) of “stored wire and electronic communications and transactional records.” Microsoft’s efforts to quash were supported by amici AT&T, Verizon, Apple and Cisco.
Microsoft resisted complying with the warrant as issued, arguing that the U.S. government had exceeded its jurisdictional authority by issuing a warrant for the search and seizure of property outside the United States. Earlier this year, Magistrate Judge James C. Francis IV of the Southern District of New York disagreed and ordered Microsoft to produce the data. Judge Francis held that nothing in the SCA indicated that “Congress intended to limit the ability of law enforcement agents to obtain account information from domestic service providers who happen to store that information overseas.” As he explained, the SCA Warrant is not a typical warrant, but rather a hybrid of a search warrant and a subpoena, in that it is issued like a warrant by the government upon a showing of good cause, but then executed like a subpoena, by the recipient ISP, rather than by law enforcement. The Magistrate reasoned that concerns about extraterritorial searches and seizures by the government are inapplicable when a private company that can control the production of that data from its proprietary servers performs the search and seizure instead. The Magistrate concluded that warrants issued pursuant to the SCA merely reinforce the unremarkable principle of disclosure that “a subpoena requires the recipient to produce information in its possession, custody or control regardless of the location of that information,” especially when the warrant or subpoena compels the ISP to act from within the United States.
After a two hour hearing on the issue, Chief Judge Loretta Preska of the Southern District adopted Magistrate Judge Francis’s ruling and confirmed that indeed the SCA contains no exception for records stored abroad, and the government had not overstepped its authority by seeking documents stored abroad by a domestic ISP. In arriving at its conclusion, the Court relied heavily on the analogous Bank of Nova Scotia doctrine, which requires banks to disclose all information within their control to the government, regardless of where that data is stored. The Court reinforced the Magistrate’s opinion that the SCA was intended to compel production of data within an ISP’s possession, custody and control, regardless of geographic boundaries.
“[I]t is a question of control, not a question of the location of that information,” ruled the Judge.
Judge Preska has stayed her ruling pending Microsoft’s certain appeal. Until that appeal is heard, many questions remain. Prior to Judge Preska’s decision, the European Commission issued a statement that the data at issue “should not be directly accessed by or transferred to U.S. law enforcement authorities” except through treaty channels. While a Mutual Legal Assistance Treaty between the U.S. and Ireland exists for just such a purpose, the Magistrate’s Opinion perfunctorily brushed it aside as cumbersome and not worth dealing with. The Second Circuit may well be faced not only with legal questions, but also diplomatic and treaty issues left unaddressed by the Southern District. The Court’s decision also raises a particularly troubling question about reciprocity – will the United States be able to resist the seizure of data from servers located in this country, by foreign governments seeking information in violation of U.S. privacy law? Will ISPs be caught between the rock of U.S. enforcement and the hard place of foreign data privacy laws as they attempt to operate internationally? And finally, if other countries refuse to allow ISPs like Microsoft, Apple and Cisco to house their servers, because of privacy concerns like those cited by the European Commission, how will the end-user (here and abroad) be affected? And at what cost?