Introduction

As technology continues to evolve, the need to provide meaningful consumer protections remains an immense challenge for legislators and jurists. Aging statutes and inadequate precedents make devising modern technological solutions difficult.1 Increasingly, courts have had difficulty grappling with the questions arising from the increasing volume of consumer data, particularly how to consider the implications of data in the hands of third parties.2 This difficulty becomes especially acute when applied to data flows and Internet traffic, which defy simple categorization.3 Recently, in Microsoft v. United States, the Second Circuit held that U.S. law enforcement may not compel a domestic data processing company to provide data that is stored outside the country.4

This comment will explain that the Second Circuit correctly applied existing law, but failed to understand the technological underpinnings and statutory intent at issue. To do so, the comment will discuss the history of the Electronic Communications Privacy Act (ECPA), including the development of the statute’s warrant provisions, and original intent to protect individual privacy and civil liberties. The comment will further show that in the years since ECPA’s enactment, new technology has diminished the ability of the statute to provide meaningful guidance for law enforcement. It will then discuss the court’s holding, and analyze why the court has misconstrued the nature of the data at issue, even though the court correctly applied the existing law. The comment will conclude with thoughts on the impact this holding may have on technology companies and consumers, and address concerns rising from the increasing trend of data localization.

Statutory Background and Procedural History

The Stored Communications Act (SCA) was enacted in 1986 as Title II of ECPA.5 ECPA replaced the Wiretap Act, which was part of the Omnibus Crime Control and Safe Streets Act of 1968.6 ECPA was intended to modernize the legal framework for surveillance as new technologies such as computer communication outpaced the civil liberties protections already in place.7 Though ECPA was passed before the mass proliferation of web services, ECPA’s provisions have been interpreted to cover email,8 private social media messages,9 and text messages.10

Section 2703 of the SCA authorizes law enforcement to variously obtain court orders, subpoenas, or warrants compelling private companies to disclose user data. The disclosure mechanisms operate in a tiered system: court orders require the lowest standards for evidence, but only allow access to customer record information.11 Subpoenas require an equivalent level of reasonable suspicion, and allow law enforcement to view non-content data of specific messages.12 The highest level of protection is provided for the contents13 of communications in electronic storage that have been stored for 180 days or fewer.14 To access such data, law enforcement must obtain an SCA warrant consistent with the Federal Rules of Criminal Procedure, including a showing of probable cause to a magistrate judge.15 Each mechanism also allows access to the information obtainable by a lesser degree of proof in a sliding scale: law enforcement officials could obtain a warrant and see all the information available through a court order, for example.16

In Microsoft, the FBI obtained a warrant—subject to the strictest requirements of § 2703—to compel the company to disclose the email record information and email content of an account that had allegedly been used in furtherance of narcotics trafficking.17 Microsoft complied with the portion of the request for the account’s non-content information, which was stored in the United States, but refused to comply with the request for content data, arguing that as the information was stored and maintained in Ireland, and the government had not established that the target of the investigation was a U.S. national, the information was not subject to U.S. jurisdiction.18

Microsoft moved to quash the warrant; however, the District Court denied the motion and held Microsoft in civil contempt for its failure to comply with the warrant.19 Microsoft appealed and the Second Circuit court reversed and vacated the District Court’s contempt holding.20

Technological History

ECPA was enacted in 1986, well before the internet became a ubiquitous feature of everyday interactions. The “sophisticated technology” that prompted the enactment of ECPA in the mid-1980s included video surveillance and information passing over telephone lines.21 The legal issues flowing from these new technologies largely hinged on whether the government could legally access communication data owned by a particular person and stored in a particular place.22 At the time of enactment, the familiar analogy between postal mail and email still held strong: an individual sent a communication, it was transmitted by the individual’s provider, and then collected by the individual’s intended recipient. The email was stored on the personal computers of the two correspondents, and only stored by a provider if a correspondent specifically signed up for that service.23

In Microsoft, the service at issue is Outlook, the familiar email client. Microsoft administers the service through an international network of servers in over 100 countries.24 An Outlook user’s data is stored in servers nearest the user, in order to reduce overall latency and increase the efficiency of the service.25 Messages are transmitted and stored nearly instantaneously, and individuals rely on third-party electronic storage solutions to a degree never contemplated in 1986.

Now, email may be drafted, sent, and stored all in the cloud.26 A provider may be based, or—as in Microsoft—store data in a jurisdiction that may or may not be the same jurisdiction where the user resides. The reference in the SCA to the Federal Rules allows the government to receive data stored outside an individual’s district; however, the Federal Rules are silent on issues of international storage.27 The limitations cloud computing places on law enforcement have been addressed forcefully by the courts, which have found, for instance, that law enforcement may not use a search incident to lawful arrest to view information on a phone stored in the cloud.28

While the privacy interests implicated in the rise of cloud computing are significant, the challenges to law enforcement are similarly daunting. As more data is stored in the cloud, records that would have been accessible ten years ago to law enforcement with the use of a legitimate warrant are now rendered inaccessible because of technological changes. Storage policies of individual companies might include different protocols about how, where, and whether data is stored, creating an inconsistent set of protections and allowances for consumers and law enforcement.29  Individuals and their data cross borders with increasing frequency, and there is limited clarity, both in the United States and abroad, on how territorial boundaries affect data and the substantive rights of its owners.

Analysis

The Second Circuit based its decision on a two-step inquiry. First, after noting the presumption against extraterritorial application of U.S. laws,30 the court examined whether Congress intended for the SCA to apply extraterritorially. It determined that due to the lack of clear language establishing extraterritorial intent, the statute could not be read to include application outside the United States.31 This was particularly true, in the court’s analysis, as the warrant provisions specifically describe procedures for operation in various U.S. jurisdictions, but none for foreign application.32 Second, after determining Congress did not intend the SCA to apply extraterritorially, the court concluded that the intent of the SCA was to protect individual privacy by shielding user content from intrusion, rather than to benefit law enforcement.33 The court held that as the purpose of the law was to protect user information, construing the statute to apply extraterritorially without clear statutory language was inappropriate, since doing so would undermine the original goals of the statute.

However, this holding largely rests on the legal analysis of technological issues that did not exist at the time Congress enacted the SCA, a point emphasized in Judge Lynch’s concurrence: “there is no evidence that Congress has ever weighed the costs and benefits of authorizing court orders of the sort at issue in this case.”34 Further, as Judge Lynch argued, the characterization “that this case involves a government threat to individual privacy,” as was suggested by a number of amici briefs, is largely misguided.35 In this case, the government went through the most privacy-protective requirements in the SCA: obtaining a warrant for the content of communications in compliance with requirements established by the Fourth Amendment.36 While the SCA, and ECPA broadly, may be ill-equipped to address the nuances of modern technology,37 the privacy violations asserted by Microsoft and amici are not as grave as suggested.

While concurring in the court’s holding, Judge Lynch further emphasized the serious need for Congress to revise the SCA to reflect current realities of stored electronic communications.38 If, as the majority suggests, an invasion of privacy occurs where particular content is stored,39 any future litigation against the government regarding information stored in the cloud will necessarily involve fact-dependent analyses of where information may have been at a particular moment it was searched or seized. A more appropriate solution may be to tie the “location” of the privacy invasion to the nationality or residence of the individual whose privacy was violated, rather than to the arbitrary and transitory location of the individual’s data. However, doing so likely requires an amendment to the law, and would require Congressional attention.

Likely Effects of the Decision

In the wake of the Microsoft decision, commentators,40 Congress,41 and Microsoft itself42 have noted the limitations of the SCA and ECPA as they currently stand. Many commentators, including Microsoft, hailed the Second Circuit’s decision as a victory for individual privacy.43 This understanding of Microsoft’s outcome is largely flawed—while the majority opinion cited protecting individual privacy for users of cloud-based services as a motivation for its holding, the opinion missed important implications for individual privacy, as noted throughout Judge Lynch’s concurrence.44 Further diminishing the privacy issues cited by the majority, Microsoft did not contest that if all the data requested was stored in the United States, it would have provided content access to law enforcement.45 Currently, the majority of such email data remains stored in the United States,46 and as such, the effects of Microsoft are likely to remain limited in actual application in the near future.

A purely territorial approach to a user’s privacy expectations (and to the SCA) is becoming increasingly challenging to manage judicially, as users are relying more frequently on cloud-based products and services, and companies providing cloud services continue to diversify the geographic scope of their servers.47

However, the localization of data poses complications beyond the scope encountered in Microsoft. The debate over the ability for data to actually be localized at all has not yet been settled: some argue that data, like money or debt, can indeed be localized,48 while others note that such analogies to other forms of “intangible” items do not properly capture the way that data is stored and moved.49

This debate will certainly continue as the use of cloud storage expands. But discussions on data processing cannot be solely domestic: foreign law and international agreements play a large role. China has strict rules on the export of data;50 U.S.-EU agreements on data privacy could have a major effect on access to various types of data,51 regardless of their localization; and the implications of the EU’s General Data Protection Regulation are so far unclear.52 Any lasting solution for the storage of, and government access to, personal data will need to take place in legislatures, and in international negotiations.

Currently, law enforcement’s access to data stored abroad is governed by the Mutual Legal Assistance Treaty (MLAT) process, by which countries negotiate rules for requesting and granting access for criminal investigations.53 Because ECPA requires that any government entity seeking to compel data must attain a U.S. warrant, foreign governments flood the Department of Justice with MLAT requests.54 The decision in Microsoft is the mirror of that: U.S. law enforcement may not access data stored abroad without seeking assistance from the affected foreign government. While there have been competing suggestions on how best to reform the MLAT process,55 reform of ECPA itself is likely necessary to allow law enforcement to effectively access data while still protecting consumer privacy. Regardless of how reform is achieved, data localization will likely remain a result of company policy, rather than a regulatory or consumer choice.56 Each internet service provider (ISP) still principally acts according to internal policies when granting or denying government requests for account information, including warrant requests. As such, this poses the risk that private companies will continue to determine data privacy policy, rather than the government.57 Whether or not technology companies shift servers abroad to deliberately frustrate legitimate law enforcement prerogatives is irrelevant; if servers are shifted abroad simply to suit a perception of market expectations and possible legal risk, the result will be the same. Legitimate warrants for evidence pertaining to U.S. suspects will be rendered toothless, an unlikely intent of the drafters of the SCA, or the constituents they serve. Individual privacy must be protected, but will be better served, and result in fewer unintended consequences, by an approach that builds those protections on a more accurate factual foundation. Due to the variety of requests from government agencies, differing internal policies, and the limited resources of the offices granting warrants and processing requests, it would greatly benefit the government, the public, and ultimately the technology sector to focus future legislation on standardizing data requests and responses across the industry.

Conclusion

In the wake of the Microsoft decision, the U.S. Congress has contemplated numerous reforms to ECPA that would variously address the scope of the 2703 warrant58 and expand U.S. law enforcement’s access to data overseas.59 In the meantime, consumers are left with a confusing patchwork of statutory obligations, common law, and private corporate policies that reduce overall protection for consumer privacy. As the issue is considered further both in the courts and in the legislature, a keen eye towards the actual technological underpinnings of user communications is essential in order to balance the need for effective law enforcement with the responsibility to protect individual privacy rights.