Categories & Search

Another Rematch Between Tech Companies and the Government over the Territorial Reach of the Stored Communications Act

Lawyers for the tech community are gearing up for argument next month in the U.S. District Court in San Francisco, seeking to overturn another magistrate’s order that requires digital information stored outside of the U.S. to be turned over in response to a U.S. search warrant.

The California case is only the latest in a stand-off between the Justice Department and the tech community over the scope of the Stored Communications Act (SCA)—a 30-year-old statute—and whether it authorizes U.S. warrants to reach data stored in foreign countries.

We previously wrote about United States v. Microsoft, the leading case in which Microsoft refused to produce to the government customer emails that were stored on a foreign server. Microsoft ultimately won that case before the U.S. Court of Appeals for the Second Circuit, which held that email traffic stored outside the U.S. was not subject to a U.S. search warrant under the SCA. In a 4–4 decision, the full Second Circuit denied rehearing earlier this year. Last month, the Justice Department asked the U.S. Supreme Court to review the case and the scope of the SCA.

Now Microsoft and other tech companies are lending their support to Google in a similar case that’s pending in California.  The case is In the Matter of the Search of Content that Is Stored at Premises Controlled by Google, No. 16-mc-80263 (N.D. Cal.).  There, the government obtained a search warrant under the SCA for the contents of several Google customer accounts, including emails, contacts, files, location history, and search history.  Google complied in part with the warrant by turning over information that was stored domestically.  But, relying on the Microsoft decision, Google refused to turn over data stored in servers located abroad, and filed a motion to quash.

U.S. Magistrate Judge Laurel Beeler denied the motion, and ordered Google to produce responsive data to the government, regardless of the data’s physical location.  She reasoned that this application of the SCA was not actually extraterritorial, since Google could access the data from its U.S. headquarters.  In so holding, she noted that she found persuasive the four opinions of Second Circuit judges dissenting from the denial of rehearing the Microsoft case en banc.

Google objected to the magistrate judge’s ruling, and is seeking a de novo determination by the district court.  Google urges that the magistrate’s ruling impermissibly extends the SCA extraterritorially, and that absent a legislative amendment to the SCA, such warrants must be limited to domestic data.

Microsoft, Cisco, Apple, and Amazon have also filed a joint amicus brief supporting Google’s objection.  The brief characterizes the magistrate’s ruling as requiring a “serious incursion on foreign sovereignty,” because the act of accessing, copying, and importing foreign data amounts to an invasion of privacy.  It adds that the ruling “invites foreign nations to reciprocate by invading Americans’ privacy—by demanding, for example, that foreign offices of U.S. technology companies turn over U.S. citizens’ private communications stored on U.S. soil.” 

The government responds that, if the logic of Microsoft and the tech companies’ briefing is followed, a company could never be compelled under the SCA to disclose data that it chooses to store outside the United States.

There is one critical difference between Microsoft’s and Google’s approaches to data storage that may affect the district court’s analysis.  Recall that Microsoft chooses where to store customer data based in part upon where a customer claims to live when the account is opened.  Thus, Microsoft might store a New York customer’s data in, say, the Northeastern U.S., and a European customer’s data in Dublin or France.  Privacy advocates argued that this location-based system meant that extraterritorial application of the SCA would likely sweep up the data of non-U.S. citizens, such as citizens of the European Union (which has a relatively strict privacy regime).  At the same time, others have pointed out that this system relies on user inputs and therefore could be exploited by U.S. criminals, who might falsely represent their location to Microsoft and thereby avoid SCA warrants for their data. 

By contrast, Google stores and allocates data through the use of algorithms to maximize overall network efficiency, so data is rarely static and is almost constantly moving from data center to data center—often on different continents.   In another case, a magistrate likened this technology to the proverbial “moving target,” making it nearly impossible to determine whether the data was stored domestically or abroad.

We’ll be watching this case to see how the district court balances these issues.