U.S. v. Microsoft - What you need to know about one of the most important privacy cases of the decade

The U.S. Court of Appeals for the Second Circuit has in its hands one of the most closely watched privacy cases in recent memory. U.S. v. Microsoft addresses an issue of critical importance to U.S. businesses: whether companies must comply with orders from the U.S. government to turn over electronic data, even when that data is stored on a server outside of the U.S. A ruling is expected any day.

Issue:  Are U.S. companies required to hand over customer data – in this case, the contents of email traffic – to U.S. law enforcement when that data is stored on data servers outside U.S. borders?

Facts:  In 2013, U.S. law enforcement served a warrant on Microsoft in Redmond, Washington in connection with a drug trafficking investigation. The warrant sought email traffic including content associated with an unnamed user’s account. It’s not known whether the account belongs to an American or European citizen. Microsoft turned over account information stored on its U.S. servers but refused to hand over information stored on servers outside the U.S. – in particular, a server located in Dublin, Ireland.

Statute:  The Stored Communications Act (SCA), a 1986 law that provides U.S. law enforcement with the authority to require disclosure of “contents” of wire or electronic communications pursuant to a warrant issued “using the procedures described” in the Federal Rules of Criminal Procedure. Rule 41 of the Federal Rules of Criminal Procedure prohibits federal courts from issuing warrants for the search or seizure of property outside of the U.S.

Lower Court Decisions:

April 2014 – Magistrate Judge James Francis called the SCA warrant a “hybrid,” a cross between a warrant and a subpoena, although its issuance required a showing of “probable cause.” Once issued, however, the SCA warrant functioned more as a subpoena and required the internet service provider, here Microsoft, to turn over responsive materials within its possession, custody or control – the traditional standard in a civil, not a criminal, case. Microsoft has sophisticated technology that permits it to access information stored on its servers around the world. Magistrate Francis denied Microsoft’s motion to vacate the warrant.

July 2014 – In a ruling from the bench, U.S. District Judge Loretta Preska adopted the Magistrate’s view, holding that the customer’s email traffic was akin to Microsoft’s “business records,” and under the company’s “control,” because Microsoft’s technology enabled it to access the data from Redmond, where the warrant was served.

Technology has eclipsed the law: The SCA was enacted into law nearly three decades ago, long before today’s Internet, long before cloud storage, and long before huge amounts of data were stored on servers around the world. This law was not written to cover the uber-connected, data-heavy world we live in today. The law is playing catch-up to technology, and even Magistrate Francis acknowledged that the SCA was ambiguous when applied to Microsoft.

What’s really at issue in the case? At its core, we’re talking about the protection of personal communications – in this case, the contents of an email exchange – and the rules by which law enforcement will have access to that information. It’s the digital version of writing a letter and then locking it up in a safe. Under what circumstances can the government get the key to open the safe?  Yesterday’s safe is today’s cloud – secure, but not impossible to access.

Privacy? The outcome of this case is important for two reasons: First, global organizations that both operate and use the cloud to store information – oftentimes private and sensitive information – need to understand the rules of the road, and precisely how governments here and abroad can lawfully access their data no matter where it’s collected and stored.

Second, businesses and individuals whose data is stored in the cloud need to understand the vulnerability of that information, and under what circumstances it might be accessed by law enforcement in the U.S. or elsewhere.

Business Consequences: Data storage is big business. Digital information is stockpiled around the world on servers and in the cloud at a staggering pace. It’s estimated that by 2020, we will have created 44 zettabytes (44 trillion gigabytes) of information. For context, an iPhone typically holds up to 64 gigabytes of storage. That means there will be as many digital bits as stars in the universe by 2020.

Does a decision against Microsoft mean that U.S.-based cloud storage companies will have a tougher go with foreign customers because of privacy concerns? Perhaps. A recent report by the Information Technology and Innovation Foundation forecasts that the U.S. tech industry will lose more than $35 billion in sales next year from customers with misgivings about the security of their data abroad.

What else would a Microsoft loss mean? If the legal principle decided is that U.S. laws apply to electronic data stored abroad, it raises the flip side of the issue: What happens when foreign law enforcement or governments come knocking for information held by a non-U.S. provider on American soil, whether or not the information belongs to a U.S. citizen or U.S. company? Will foreign law then apply here, and possibly to the electronic communications of U.S. citizens or companies?

Does this open the floodgates for other countries to serve warrants on tech companies for the emails of American citizens stored in a U.S. data center owned by a foreign company? It’s an unsettling thought.

Imagine the following scenario: You are an American citizen and send an email from your U.S.-based account to a colleague in Germany. The email and its contents are stored in a cloud located in Peru. Now, law enforcement authorities in Finland want to access your email in connection with an ongoing criminal investigation. How is this resolved? Whose laws apply? As an American citizen using a U.S.-based email provider, are you protected by the 4th Amendment, which prohibits illegal search and seizure?  Or, are you (and your email) subject to the laws of another country?

Sound far-fetched? Not really. That’s exactly the situation we could be facing, should the government prevail in this case. And existing laws don’t help, since most of them pre-date the invention of today’s communication technologies. All of this cries out for a legislative solution.

Isn’t this a problem for Congress? That’s exactly the point Judge Lynch made during the oral argument. The LEADS Act (Law Enforcement Access to Data Stored Abroad) is slowly working its way through Congress. The current draft would establish a warrant requirement before technology firms must hand over stored communications. But U.S. law enforcement would have the unilateral right to obtain email content outside of the U.S. if it belongs to an American citizen. Not so for non-U.S. citizens: in that case, U.S. law enforcement would be required to go through the MLAT (mutual legal assistance treaty) process.

Next move? Once the ruling is issued, there are two general options. First, the losing party may seek en banc review by the full Second Circuit.

Second, the losing party may petition the U.S. Supreme Court to hear the case. The Supreme Court grants fewer than 100 such petitions each year; however, the significance of the issues for domestic and foreign businesses is so great that it’s likely only a matter of time before a case like this lands at the nation’s highest court. Still, for cases of this type – and based on historical data – there’s only about a 5-percent chance that the case will be heard by the Supreme Court.