Yesterday, Microsoft won a huge case against government surveillance, a case with very important implications: In the Matter of a Warrant to Search a Certain E‐Mail Account Controlled and Maintained by Microsoft Corporation.
The case began a few years ago when the Department of Justice (DOJ) convinced a federal court to issue a warrant to require Microsoft to turn over data it had stored in Ireland.
The DOJ argued it had the authority to obtain the data based on a now 30-year-old law — the Electronic Communications Privacy Act (ECPA), originally passed in 1986 when the Internet was still in diapers. The DOJ claimed that the government could use a part of ECPA called the Stored Communications Act (SCA) to compel Microsoft to provide data stored in another country.
Microsoft argued that this method was improper. Government officials seeking to obtain data stored in a foreign country should use Mutual Legal Assistance Treaties (MLATs) between those countries and the United States.
What’s the Big Deal About How the Government Obtains the Data?
Why does it matter how the government seeks to obtain data stored abroad? It matters because the US government was seeking to obtain data stored in Ireland in a way that would violate Irish law. Had the government used the MLAT process, the government would have had to seek the information by going to a judge in Ireland.
Although the MLAT process is clunkier and more difficult than just using ECPA, following the MLAT process is important to avoid at least three very troubling consequences.
First, by seeking the data through ECPA, the US government would force companies storing data abroad (such as Microsoft and many of our other large tech companies) to violate the laws of the countries where they are storing the data. This is not a position we want to put our companies in.
Second, it would create a huge competitive disadvantage to our tech industry. Imagine you’re an Irish citizen and you want to choose cloud service provider. You have a choice between (1) a US cloud service provider with a data center in Ireland and (2) an Irish cloud service provider also with a data center in Ireland. If the US government can obtain the data through ECPA, then it can ignore Irish law to obtain data stored in the cloud by the US cloud service provider. The Irish cloud service provider would not be subject to ECPA and would be governed under Irish law. So if citizens of Ireland don’t want to lose their country’s legal protections against government surveillance, then they must stay away from the US cloud service provider. This puts the US industry at a disadvantage, especially when the EU is extremely upset about US government surveillance in light of the NSA’s activities.
Third, another consequence of the US government thumbing its nose at the laws of other countries is that those countries might start doing the same to the US. US law enforcement officials often seem to assume a US exceptionalism — it’s fine for the US to flaunt the law of other countries but not vice versa. But what if other countries were to demand that Microsoft turn over data stored in the US pursuant to their own laws? And what if these laws were much less protective than US laws?
Microsoft’s Victory in the U.S. Court of Appeals for the Second Circuit
This brings us to the recent Second Circuit opinion. The court sided with Microsoft and held that the Stored Communications Act (SCA) (part of ECPA) does not govern data stored oversees: “When, in 1986, Congress passed the Stored Communications Act as part of the broader Electronic Communications Privacy Act, its aim was to protect user privacy in the context of new technology that required a user’s interaction with a service provider. Neither explicitly nor implicitly does the statute envision the application of its warrant provisions overseas.”
The court further noted: “Three decades ago, international boundaries were not
so routinely crossed as they are today, when service providers rely on worldwide networks of hardware to satisfy users’ 21st–century demands for access and speed and their related, evolving expectations of privacy.”
The court reasoned that ECPA should be interpreted against the backdrop of a presumption against extraterritoriality: “When interpreting the laws of the United States, we presume that legislation of Congress ‘is meant to apply only within the territorial jurisdiction of the United States,’ unless a contrary intent clearly appears.” The SCA doesn’t indicate any contrary intent, and thus is best interpreted not to apply to data beyond US borders.
The court noted the concerns of the DOJ and the magistrate judge that issued the warrant, in particular mentioning that the MLAT process would not work for countries where the US lacks an MLAT: “[F]or countries with which [the US] has not signed an MLAT, the United States has no formal tools with which to obtain assistance in conducting law enforcement searches abroad.” But, the court held that “we cannot be certain of the scope of the obligations that the laws of a foreign sovereign—and in particular, here, of Ireland or the E.U.—place on a service provider storing digital data or otherwise conducting business within its territory. But we find it difficult to dismiss those interests out of hand on the theory that the foreign sovereign’s interests are unaffected when a United States judge issues an order requiring a service provider to ‘collect’ from servers located overseas and ‘import’ into the United States data, possibly belonging to a foreign citizen, simply because the service provider has a base of operations within the United States.”
The Implications of the Case
I believe that the Second Circuit was correct in its decision, and that its decision is extremely important for a number of reasons.
1. Respect for Foreign Nations
The outcome here shows respect for the law of foreign nations. Citizens of those nations should be able to use the products and services of US tech companies without having to sacrifice their rights and legal protections in the process. The MLAT process involves a treaty which is agreed to by the US and another country, so it is respectful of that other country’s laws and sovereignty.
In the long run, the US wouldn’t benefit from being able to flaunt the law of other countries if other countries were to start reciprocating. Maybe US muscle could keep some other countries at bay, but I think that a series of battles here would be bad, and the US might not always win.
2. Better Data Sharing with the EU and Elsewhere
The EU has been very concerned about US government surveillance. Last year, an EU court struck down the Safe Harbor Arrangement which was the primary vehicle for companies to transfer data from EU citizens to the US The court’s concerns were primarily over inadequate US legal protections against US government surveillance. The US and EU recently hammered out a new agreement for data sharing — the Privacy Shield. The Microsoft case bodes well for the success of the Privacy Shield and the easing of some of the EU’s concerns about the potency and broad reach of US surveillance powers.
As I’ve written before, a big component of the disconnect between the US and EU on privacy is the EU’s perception that the US is acting as an overly dominant bully, ignoring their concerns and values. The Second Circuit decision in the Microsoft case is a big show of respect for other countries, something US law enforcement officials often have not demonstrated.
3. Better Outcome for US Industry
A decision against Microsoft in this case would have put US industry at a disadvantage. Companies would find it hard to compete for EU customers, and the intrusive reach of US government surveillance would undermine the trust customers have in companies.
4. Impetus to Reform ECPA and US Surveillance Law
It’s high time we reformed ECPA and US surveillance law. The Second Circuit case is a great spark to finally get reform. Circuit Judge Lynch wrote a concurring opinion in part to “emphasize the need for congressional action to revise a badly outdated statute.”
Calls for ECPA’s reform have been ongoing for decades now. The law regulating government surveillance desperately needs to be updated.
Law enforcement certainly has legitimate concerns about the MLAT process being difficult as well as what to do when there is no MLAT with a particular country. These concerns are best addressed directly, not by using a 30-year old law that did not contemplate so many of these issues.
Bills are currently in Congress to reform ECPA, so maybe now Congress might actually do something.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 950,000 followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 24-26, 2016 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.