Yesterday, the Second Circuit released its long-awaited opinion in the Microsoft Ireland case, ruling that the DOJ cannot compel Microsoft to produce emails stored on its Irish servers, because to do so would be an extraterritorial application of the Stored Communications Act (SCA), and nothing in the Act rebuts the presumption against extraterritoriality. I will have more to say about the case in the coming days, but I wanted to share a few initial reactions here.
- This is not an obvious “win” for privacy (and this was not a case about mass surveillance).
Microsoft has been characterizing the case as a win for privacy, and that is indeed how it is being celebrated on Twitter. (Over on LinkedIn, Dan Solove called it “a huge case against government surveillance.”) This is understandable. Microsoft has invested a lot of energy in characterizing the case as a response to the government’s internet surveillance programs. But this is not in fact a case about US government overreach. Here, the government went to a judge to get a warrant and a judge found probable cause to search a suspect’s email account. If you think the government ought to have the ability to seek data pursuant to a legitimate law enforcement operation, then presumably you’re not opposed to searches that meet the high bar of the American warrant standard: individualized, judge-approved, and constitutionally-compliant.
This case is really about whether the US can compel evidence stored by US firms on foreign servers. So the relevant privacy question is: is it better to have the privacy standards of the US apply to those servers or the privacy standards of whatever country the servers are in? Your answer might depend on the country, but on average, US privacy law is more privacy protective than other countries’ laws. So it strikes me as odd that privacy advocates are celebrating a case that has the effect of holding that foreign search-and-seizure law should regulate access to the foreign servers of American firms.
Today’s decision may also have downstream effects that are bad for privacy. For example, it may incentivize states to pursue localization policies or find other ways to get data that is extraterritorial and therefore – under the logic of today’s case – beyond the state’s jurisdictional reach. In the larger debate about when governments ought to get access to user data, there are technological barriers (such as encryption) and jurisdictional barriers (such as blocking statutes, or today’s case). I am of the mind that solving the jurisdictional barriers to make individualized searches easier is preferable to and much less fraught than regulating encryption, which implicates the stability and security of an entire network. We ought not erect additional jurisdictional barriers to reasonable lawful access to data because doing so only increases the government’s desire to look for solutions elsewhere, including backdoors and mandatory localization requirements.
- This is a win for Microsoft – not the tech industry as a whole.
Because of the number of technology firms that filed amici in support of Microsoft, the case is often described as a battle between the tech industry and the government. (This tweet is characteristic.) Microsoft did indeed have considerable support – from companies like Apple, Verizon, and AT&T. But two names were notably absent from the amicus filings: Google and Facebook. And the reason they were not on the list is that Microsoft’s position is actually problematic from the perspective of a globally distributed network. The logic of the opinion suggests that states have the authority to regulate the data stored on disks in their territory, but nothing beyond that. This data-location-centric test is a welcome one if your network is structured around state lines – as, for example, a telephone network might be, or like Microsoft’s country-specific cloud in Germany. But such a rule hurts firms that structure their network largely independent of state lines and that maintain that the data is either located in the US or “somewhere in the network” – firms like Google and Facebook. In a number of disputes around the world, US firms have argued that their data is in the US, even if it is really pinging around a globally distributed network, because they rely on a control test to determine jurisdiction. This case rejects such a test and thereby gives a competitive edge to firms, like Microsoft, that have built networks along country lines.
- The logic of the decision is troublingly consistent with data localization efforts (and may undermine the US’s Internet Freedom agenda).
Because the court holds that territoriality analysis turns on the physical location of data at rest, rather than the location of the suspect or the location of the company being asked to produce the data, the court is endorsing a very particular understanding of how territoriality ought to apply to data. As I point out in a recent law review article, I think this test is overly narrow – states can define their jurisdiction much more broadly and there may be good reasons to do so. But the message this decision sends is: “what matters is the location of the data.” So if you’re Brazil or Russia, you are thinking: “yes, sovereignty turns on location of the data, which is why we are asking these foreign Internet firms to store data locally.” Data localization policies – where countries demand that data be stored on servers on their soil – are rightly seen as a threat to many aspects of the Internet as we know it. If the result of this case is that a company like Google decides to store customer data on servers in Brazil, for example, in order to comply with Brazilian law (or to keep data away from warrant-wielding US law enforcement) a number of bad things happen: it becomes easier for the Brazilian government to surveil that data; it becomes easier for the NSA to surveil that data; and it increases Google’s costs enormously. (The cost may not be prohibitive for a flush firm like Google, but it will be for many smaller businesses.)
- The US-UK agreement (and its ilk) just became even more important.
The US and the UK have been negotiating an agreement regarding cross-border access to data. Because most of the world’s internet data is handled by US firms, the US government has not often needed to cross borders in order to get digital evidence in a law enforcement investigation. So why negotiate the US-UK deal? The conventional wisdom has been that DOJ is negotiating this deal because our good partners in the UK want it, because tech companies want it, and because there will come a day when the US will need to get access to data stored abroad. Yesterday’s ruling suggests that that day has arrived. As a result of yesterday’s ruling, the Department of Justice can access the emails it seeks from Microsoft only if it receives mutual legal assistance from Ireland, via the notoriously slow MLA process. The only alternative would be to strike a deal with Ireland that gets around the MLA process. And that is exactly what is contemplated with the US-UK deal. So far, focus on that agreement has been pretty sleepy – I know, MLA tends to put people to sleep – but here’s hoping that this case will change that.
- The court relies on the Supreme Court’s recent extraterritoriality decision, RJR Nabisco v. European Community, but I’m not sure it needed to.
This may explain why it took the Second Circuit so long to get the opinion out; RJR Nabisco was only just decided in June. I plan to write a longer post on how RJR Nabisco applies to the Microsoft dispute, but for now it is worth noting two things. First, if the Second Circuit had concluded that the warrant asking Microsoft to produce an email on its servers was domestic, because it operated at the moment of the order against a domestic subject, the court wouldn’t have had to ask whether the Stored Communications Act had extraterritorial reach at all, and wouldn’t have needed to look to RJR Nabisco. This is the way that many expected the case to come out – me included. Instead, the court asserted – without explaining why, as Orin notes – that the territorial location of the warrant’s action is where the data resides. For the reasons I point out above, this is troubling.
The second thing worth noting is that RJR Nabisco can be distinguished in important ways from the Microsoft Ireland dispute. In RJR Nabisco, the underlying activity being regulated – drug sales and racketeering in Europe – was clearly extraterritorial, so the core of the dispute was whether the law prohibiting that conduct had extraterritorial reach. In the Microsoft case, by contrast, there is no dispute about the territoriality of either the conduct being investigated – the Silk Road drug bazaar – or the laws that prohibit that conduct. Rather, the dispute is about the territorial reach of a court order to produce evidence in relation to that illegal conduct. The relevance of the Supreme Court’s Morrison and RJR Nabisco decisions to this very different context merits further attention (and may be a big piece of the DOJ’s cert petition if and when it comes).
That’s it for now. It will be very interesting to see how DOJ responds – presumably with a cert petition and/or new legislation – so stay tuned.