In the lore of the Wild West, when an outlaw needed to escape the hangman’s noose, he made a run for the border, hoping to cross the border before the sheriff could catch him. Today, with the Wild West of the Internet, where the U.S. government chases people with tools significantly more sophisticated than a tin shield and a six-shooter, and a mouse replaces a horse when crossing borders, the issue of how and when the U.S. government can obtain information about a person engaged in commerce has become a real challenge. This is especially true when the government chooses to employ the warrant provisions of the Stored Communications Act (“SCA”), passed in 1985 before “e-mail” was a recognized word.
Into this milieu stepped the Second Circuit last week, ruling that the provisions in the SCA permitting the U.S. government to seek a warrant for stored electronic communications lack extraterritorial application, thereby quashing a search warrant that had been served on Microsoft to retrieve e-mails stored on a server in Ireland. The three-judge panel concluded that an SCA warrant had the same geographic limitations as other “warrants” and could not apply to electronic communications held outside of the United States. In so holding, the court lifted the civil contempt order hanging over Microsoft’s head.
The search warrant was rendered ineffective by the happenstance of Microsoft’s routine practice of moving a customer’s data to the data center closest to where the customer had self-identified his location; in this case, to a data center located in Ireland. The panel noted that the warrant would have been perfectly effective if the data had been stored at Microsoft’s Redmond headquarters. In addition, the Court held that extraterritorial application would not have been an issue had the Government sought the same information through a Grand Jury subpoena – but that would have given Microsoft greater opportunity to contest the subpoena without facing the jeopardy of civil contempt. Instead, if the U.S. government continues to seek the data by warrant, it will have to rely on cooperation from the Irish government to obtain the information.
The implications of this ruling for criminal investigations ranging from credit card fraud to drug dealing to terrorism, as noted by the panel, may be enormous. Not before the court was the circumstance of a person intentionally seeking to avoid disclosure as a result of a warrant by seeking out and employing a data provider that ensures data storage in an overseas server. Further, what happens if the service provider colludes with the individual to ensure that data will be stored overseas, particularly if the service provider knows of a potential criminal purpose for doing so? Would that change the application of the SCA warrant or raise a risk of charges of conspiring to obstruct justice?
As urged by Judge Lynch in an impassioned concurring opinion, law enforcement’s concerns probably can be addressed, in large part, by legislation amending the SCA, the current version of which predates the appearance of Facebook by almost 20 years.
Whether the rustlers and bandits of today can hide their data over the border will depend, in large part, on whether and how Congress chooses to act. Stay tuned.