On Friday, Magistrate Judge Thomas J. Rueter of the Eastern District of Pennsylvania ordered Google to comply with search warrants for emails stored overseas. In the past, Google “routinely complied” with search warrants for user data stored outside the United States, but the company changed its practice following the Second Circuit’s decision this past summer in Microsoft v. United States. Microsoft effectively placed U.S. persons’ user data stored overseas out of law enforcement’s reach; the case was denied en banc rehearing last month by a divided court. Evidently, the Justice Department has been asking judges outside the Second Circuit to reject this ruling. Now, at least one has.
The case arose from two search warrants issued in August 2016 under the Stored Communications Act (SCA). The SCA was passed in 1986 to ensure that Fourth Amendment-type protections extended to emails. The Act allows the government to compel service providers to produce customer subscriber information and other non-content data by subpoena or court order, respectively. Content data requires a search warrant. Here, the government obtained search warrants that ordered Google to produce electronic data associated with two U.S. account holders who were the subjects of ongoing criminal investigations. Google partially complied, turning over to the FBI some but not all of the data identified in the warrants. The data that Google did produce was located on servers within the United States.
The government then filed a motion to compel Google to produce the rest of the emails. Google responded that it could not be required to produce data stored outside the United States. Google pointed to Microsoft to support its position and justify noncompliance with the search warrants. The government urged the court to depart from Microsoft and compel disclosure.
In Microsoft, the Second Circuit ruled that it could not enforce a search warrant for user data stored on Microsoft’s servers in Ireland. At issue was the extraterritorial application of the SCA, or more simply, whether a warrant issued pursuant to the Act could reach data held overseas. The Second Circuit relied on the Supreme Court’s 2010 decision in Morrison v. National Australia Bank Ltd. to answer that question. First, the circuit court looked to the language of the SCA warrant provision (§ 2703) and determined that Congress did not specifically contemplate extraterritorial application. Second, the court looked at the “focus” of the statute to see if the case at bar actually involved extraterritorial application. The court decided that the focus of the SCA is user privacy, which would be invaded at the time the user’s data is seized—overseas. Therefore, the court held that it could not enforce the warrant. (For more detailed analysis of Microsoft, see here, here, here, and here).
In In re Search Warrant No. 16-960-M-01 to Google, Judge Rueter reached the opposite result and ruled in favor of the government. He did so not by adopting the government’s argument that the focus of § 2703 is disclosure, not privacy, but by distinguishing Microsoft. He stated that in contrast to Microsoft, here the privacy infringement would occur inside the United States.
This court . . . respectfully disagrees with the Second Circuit’s analysis regarding the location of the seizure and the invasion of privacy.
Judge Reuter proceeded to state the question before the court:
The crux of the issue before the court is as follows: assuming the focus of the Act is on privacy concerns, where do the invasions of privacy take place? To make that determination, the court must analyze where the seizures, if any, occur and where the searches of user data take place.
Framed this way, the question is somewhat different from that in Microsoft. In Microsoft, the court identified privacy as the focus of the SCA and asked where the conduct affecting user privacy occurred. Here, Judge Rueter asked what action, in the chain of events, constitutes a Fourth Amendment search or seizure, and where does that action take place. The distinction is subtle but important. As Orin Kerr pointed out in the Washington Post last week, the first question is purely statutory, while the second is constitutional.
To answer the question thus framed, Judge Rueter looked to the Supreme Court’s Fourth Amendment jurisprudence protecting individuals’ privacy from unreasonable search and their property from seizure. He reasoned that transferring user data from overseas servers to Google’s data center in California “does not amount to a ‘seizure’ because there is no meaningful interference with an account holder’s possessory interest in the user data.” He noted that Google transfers data between its servers located domestically and abroad all the time, and that none of these transfers involves a seizure within the meaning of the Fourth Amendment. Furthermore, account holders’ privacy is not invaded until the government reviews the data. Because the search warrant requires Google to turn over the emails to FBI agents located in Pennsylvania, the conduct constituting a search will occur on U.S. soil.
Finally, Judge Rueter explained that to hold otherwise would yield an absurd result. If he were to follow Microsoft and rule that the data was not recoverable by search warrant, the government’s only avenue for compelling its production would be by Mutual Legal Assistance Treaty (MLAT). An MLAT is a mechanism that allows the U.S. to seek another country’s assistance in a criminal investigation. But because of the way Google stores it data, an MLAT is not an option. Google uses an algorithm that divides an individual’s user data across data centers and even splinters the data such that an email is not stored as a “cohesive digital file” but in “multiple data ‘shards,’” each stored in a separate location around the world. There is no one country to which the government can address an MLAT for Google user data. This is in contrast with the situation in Microsoft, where there was one such country—Ireland.
Unwilling to render certain Google user data immune to legal process, Judge Rueter ordered Google to “gather the requested undisclosed data on its computers in California, copy the data in California, and send the data to law enforcement agents in the United States, who will then conduct their searches in the United States.”