How far does the long arm of U.S. law enforcement extend when government agencies seek electronically processed information?
The U.S. Supreme Court recently addressed that issue in an intriguing session involving terms that bordered on the metaphysical applied to global electronic connectivity, the law, and the significance of national borders.
The discussion came during last month’s oral arguments in U.S. v. Microsoft, a lawsuit stemming from Microsoft’s refusal to comply with a federal court order compelling it to release information resting at a computer facility outside the U.S. — in this case, Ireland. The U.S. Department of Justice sought the order in connection with its investigation of a criminal narcotics case.
Microsoft essentially claimed that by turning over data held outside the U.S., the company would run the legal risk of violating another country’s privacy laws, even if the content would be useful to U.S. authorities for catching criminals. Microsoft also said it feared a major business risk: the potential loss of huge numbers of customers who no longer would trust it to protect customer privacy.
“If customers around the world believe that the U.S. government has the power to unilaterally reach in to data centers operated by American companies, without reference or notification to their own government, they won’t trust this technology,” argued Microsoft Chief Legal Officer Brad Smith in an online post published just before the Supreme Court session.
The importance of the case to the IT sector was reflected by the submission of amicus curiae briefs in support of Microsoft by major companies such as Google, Cisco and Verizon, as well as several business associations.
Microsoft Challenges Enforcement
The case boils down to a few basic assertions. For Microsoft to prevail, the company must prove that the action sought through the court order necessarily must take place at the Irish facility where privacy laws applicable in that country could come into play. The company simultaneously must prove that the governing U.S. law — the Stored Communications Act — was not intended by Congress to apply outside of the U.S. under a legal concept awkwardly referenced as “extraterritoriality.”
In opposition, the Justice Department has accused Microsoft of peddling a false contention about action required outside of the U.S. The information easily could be obtained with a few computer key strokes from a U.S. site connected electronically to the Irish facility, according to the DoJ.
Even if the court were to buy the foreign site argument, the SCA still would be enforceable abroad, the Justice Department maintained.
Microsoft and advocacy groups such as the Electronic Privacy Information Center (EPIC) have characterized the case as major privacy showdown. However, the actual legal arguments before the Supreme Court deal less with privacy issues than with the enforceability of the SCA.
“The case is simply not about whether the U.S. authorities have probable cause to ask for the contents of this email account,” said Andrew Woods, assistant professor at the University of Kentucky College of Law.
Instead, the case is about which country’s authorities ought to be able to compel that account information,” he told the E-Commerce Times.
With that legal stage set, the Supreme Court justices entered the fray. While it is risky to predict a Supreme Court ruling based on oral arguments, it is notable that the geographic issue figured prominently in the discussions.
Location, Location, Location!
Several justices pursued the DoJ’s assertion that the information required by the court order could be disclosed simply by accessing the Irish facility from a computer in the U.S.
“This is not an international problem here. This is a mirage that Microsoft is seeking to create,” said Michael Dreeben, deputy U.S. solicitor general on behalf of the DoJ during a dialog with Associate Justice Sonia Sotomayor.
Tapping into the storage unit from the U.S. eliminates the involvement of another country and meets the “disclosure” requirement of the law since the activity would occur in the U.S., the DoJ contended.
Chief Justice John Roberts underscored that point, observing that the applicable section of the SCA is titled “Required Disclosure of Customer Communications or Records,” and noting that Congress intentionally inserted the heading.
“It seems to me that the government might have a strong position there that the statute focuses on disclosure. And disclosure takes place in [the state of] Washington, not in Ireland,” Roberts said, referring to Microsoft’s headquarters site.
Associate Justice Samuel Alito verged into the metaphysical: “I guess the point is when we’re talking about this information, which … yes, it physically exists on one or more computers somewhere, but it doesn’t have a presence anyplace in the sense that a physical object has a presence someplace. And the Internet service providers can put it anywhere they want and move it around at will. The whole idea of territoriality is strained.”
Microsoft’s counsel asserted that a physical element was involved.
“I would not agree with that, Justice Alito,” said Joshua Rosenkranz, partner at Orrick, Herrington and Sutcliffe. “First, I disagree with the premise. These emails have a physical presence. They are actually on a hard drive. Are they movable? Yes, but letters are movable as well — and they are under protection of foreign laws, which, by the way, are really quite robust.”
Criminal Procedure Linked to Case
Just to cover all the bases, the justices discussed criminal law procedure surrounding the designation of warrants and subpoenas related to the case. They also addressed the enforceability of the SCA in an international context, touching on the use of agreements among countries.
Microsoft and the DoJ agreed that the SCA was “silent” on international enforcement, with Microsoft asserting that lack of specific authority meant the law could not be invoked for the Ireland location.
The DoJ argued the reverse: that because the act did not specifically prohibit its use abroad, then the department was correct to cite the SCA to get the desired information.
The scope of the court’s eventual decision theoretically could include a broad consideration of the powers of the SCA. However, that is not likely, according to Jennifer Daskal, professor of law at American University Washington College of Law.
“This case is primarily about the rules that govern law enforcement access to data pursuant to a warrant,” she told the E-Commerce Times. “I imagine the Court will stick to that issue, which is big enough on its own, without reaching out to address other parts of the SCA.”
Some justices wondered aloud if recently introduced legislation, designed to protect privacy without seriously frustrating law enforcement on a reciprocal basis between the U.S. and other countries, might be the answer.
Both President Donald Trump and British Prime Minister Theresa May thought the issue significant enough that they discussed the legislation by phone last month.
The DoJ pressed the court for a decision, noting that legislative initiatives frequently are uncertain, and arguing that the court had a responsibility to deal with the issue before it. Ordinarily the court would issue a decision by the end of the relevant term — in this case by June 2018.
The SCA needs some updating due to advances in technology, Daskal said. The pending Senate legislation, titled “Clarifying Lawful Overseas Use of Data,” or CLOUD Act, “recognizes this reality,” she wrote in an online post for the Harvard Law Review.
The act “separates access to data from the question of where the data happens to be held,” Daskal pointed out.
“Fingers crossed that Congress acts quickly, thereby mooting the Supreme Court case,” she added. “If not, the Court should rule in a similar way. It should recognize that location of data should not dictate access, as Justice Alito seemed to argue, while at the same time highlighting the importance of comity if and when such demands for data create a conflict of laws.”
Such a ruling would reduce international discord, Daskal asserted, while establishing “the kind of precedent the United States would and should demand when foreign governments seek U.S.-held data.”