Tech firms seem to be clashing more with law enforcement, though their interests needn’t be irreconcilable. On Tuesday the Supreme Court will consider if U.S. internet providers can subvert federal law and public safety.
At issue in
v. U.S. is whether warrants issued under the 1986 Stored Communications Act apply to records stored on the cloud. The law allows the government to obtain records from a U.S. internet provider if there is probable cause of a crime. A special Section 2703 warrant functions like a subpoena since law enforcement doesn’t directly seize records from servers.
In 2013 the U.S. government sought such a warrant for contents associated with an MSN.com email account believed to include evidence of narcotics trafficking. A federal magistrate issued a warrant covering “information associated with” the account “stored at premises owned, maintained, controlled, or operated by Microsoft Corporation.”
While Microsoft agreed to disclose records stored on its U.S. servers, it refused to turn over content on its “cloud” servers in Dublin, Ireland. The Redmond, Wash.-based company, which was held in civil contempt, says the law doesn’t authorize extraterritorial warrants. It’s right on this point, but wrong on everything else.
In Morrison (2010) and RJR Nabisco, Inc. (2016), the Supreme Court developed a two-step analysis to determine if a law applies overseas. First, courts must ask whether a law includes a “clear, affirmative indication that [the statutory provision] applies extraterritorially.” If not, the statute is presumed not to be extraterritorial.
But then courts must assess whether a case primarily “involves a domestic application of the statute” by looking at its “focus.” As the Court held in Nabisco, “If the conduct relevant to the statute’s focus occurred in the United States, then the case involves a permissible domestic application even if other conduct occurred abroad.”
This second part is key in the Microsoft case. There’s no disputing that the Stored Communications Act doesn’t expressly apply to foreign parties. The government could not compel an internet provider based in France to hand over a French citizen’s emails. But as the judge who issued the warrant observed, the government’s application of the law “does not criminalize conduct taking place in a foreign country” and doesn’t deploy U.S. cops overseas.
Employees at Microsoft headquarters could obtain records stored on foreign servers with a few keystrokes. Internet providers typically decide where to store data to maximize efficiency. Google cuts up emails into “shards,” which can move between countries within seconds without human intervention. U.S. internet users aren’t entitled to know where in the cloud their records are stored, let alone to recourse under U.S. law if a company moves them.
A federal district judge held that the Microsoft warrant wasn’t extraterritorial since the disclosure of records to the government occurs in the U.S. But a Second Circuit Court of Appeals panel disagreed in 2016, and tech companies have since resisted warrants for data stored overseas. While the circuit refused to hear the case en banc, Judges
wrote an incisive dissent on the far-reaching implications of the panel’s rogue ruling, which conflicts with every other district and magistrate decision.
The panel “has substantially burdened the government’s legitimate law enforcement efforts; created a roadmap for the facilitation of criminal activity; and impeded programs to protect the national security of the United States and its allies,” the judges explained.
Tech firms argue that a Court decision upholding the government’s authority to compel disclosure of data overseas would cause international friction due to conflicting legal regimes on data privacy. But more than a dozen countries including Australia, France, Ireland, Canada and the U.K. assert this authority. The U.S. would be an outlier.
They also argue that Congress is better situated to resolve the complicated issues of cloud computing that were never envisioned three decades ago. Senators
have introduced legislation to modernize the Stored Communications Act and clarify legal obligations for internet providers.
But pending legislation shouldn’t obviate a judicial decision on a black-and-white legal question critical to public safety. Letting a flawed ruling stand would lead to more needless failures in law enforcement.