Cross-Border Data

Mueller’s Indictment of Russian Hackers Highlights the Stakes of the Microsoft Case

By Andrew Keane Woods
Saturday, February 17, 2018, 1:27 PM

Robert Mueller’s indictment of Russians suspected of interfering in the 2016 presidential elections is remarkable for a number of reasons. It is remarkable because it suggests that Mueller’s team was able to identify the organizational structure of a group of Russians who were acting in a manner deliberately designed to appear organic and not coordinated. It is remarkable because Mueller’s team appears to have learned the names of individual defendants and their roles within the conspiracy despite the tools available to foreign hackers to evade detection by U.S. authorities. And the indictment is remarkable because it suggests that Mueller’s investigation into foreign elections depends on access to data across borders—an issue that will be heard by the Supreme Court on Feb 27.

The case, of course, is United States v. Microsoft (commonly known as Microsoft Ireland). The question presented is whether a warrant issued under the Stored Communications Act compels a U.S. provider to produce emails stored in the company’s Irish data center. This matters to Mueller’s investigation because it—and future investigations into foreign election meddling, terrorism, hacking, and more—very likely involves some foreign-connected data.

The Production Order

We do not at the moment have much information about the legal authority Mueller’s team used to secure the evidence that supports these indictments, but the Russian communications were probably obtained under either Section 702 of the FISA Amendments Act or the Stored Communications Act (SCA), which governs law enforcement access to cloud-based services like email and social media accounts—the statute at issue in Microsoft Ireland. If the special counsel’s office secured the communications under the SCA, it would have either obtained a warrant or a 2703(d) order under the statute.

While we don’t know for sure, it seems likely that Mueller’s team operated under the SCA to compel U.S. service providers—like Twitter, Google, Facebook—to produce the suspects’ accounts. There are reasons Mueller may not have wanted to obtain the email contents under Section 702 (such as incurring litigation risk), and in any event the reporting suggests that Mueller obtained a warrant. If this is correct, it has obvious implications for the outcome of the case to be argued in two weeks.

Cross-Border Users, Cross-Border Data

The question in Microsoft Ireland is whether a production order issued under the SCA applies to data held abroad. This matters because the vast majority of Internet users are located abroad. All major American Internet firms therefore hold data abroad, even sometimes for customers who might have signed up for their account in the U.S.

Where were the indicted suspects when they conducted their alleged election meddling? It appears that they came to the U.S. for periods of time but were primarily based in Russia. Much of their work done in Russia would naturally have passed through corporate servers in Europe and may even be held primarily there. This means that Mueller’s warrants would have needed to reach data held abroad.

The indictment suggests that the suspects used Virtual Private Networks (VPNs) to make it appear as if they were operating from within the U.S.:

Defendants and their co-conspirators connected from Russia to the U.S.-based infrastructure by way of these VPNs and conducted activity inside the United States—including accessing online social media accounts, opening new accounts, and communicating with real U.S. persons—while masking the Russian origin and control of the activity.

But the fact that the suspects used VPNs to sign up for their Facebook and Twitter accounts from “within” the U.S. does not mean that their data is actually held on U.S. soil.

First, providers can sometimes tell if a user is merely using a VPN to pretend to be in the U.S. (This is why VPNs are no guarantee that users can get around geographic restrictions to streaming content on Netflix and the like.)

Second, even if the providers thought the users were all located in the U.S., or for some reason acted that way, that fact is no guarantee that the users’ data would actually be stored on U.S. soil. Providers often move data around the world in order to keep latency times low. So even if a provider initially stores a user’s data in the U.S., the provider might move some or all data to servers in Finland, Norway, or some place closer to Russia if it later detects that the user is located there. (In practice, the providers handle their networks differently—for example, Google says that it “stripes” a user’s data and distributes it across many data centers potentially in different countries, while Microsoft stores a user’s data in the country where they say they’re located at the time of sign-up.)

This underscores the question that will be heard at the Supreme Court on Feb 27: should U.S. investigators be able to compel foreign-held data? Microsoft argues that they should not, while the U.S. government argues that they should.

Mueller’s latest indictments provide the U.S. with powerful circumstantial evidence that access to data across borders is critical for solving not just crimes, but perhaps some of the most consequential crimes of our era. Even if Mueller’s team only accessed U.S.-held evidence, it's clear that the problem of election interference is not going away. Investigators looking into that meddling will, as a matter of course, need access to data held offshore.