How Microsoft’s battle with the Justice Department could reshape privacy laws
For Microsoft and other US tech companies, a lawsuit over e-mails stored in Dublin is an important test case to demonstrate their willingness and ability to guard customer data from government prying in a post-Snowden era.
A dispute between Microsoft Corp. and the Department of Justice over e-mails stored on a Microsoft server in Dublin could end up reshaping US electronic privacy laws and defining the limits to which domestic statutes are applied abroad.
The US wants Microsoft to hand over the contents of an Outlook e-mail account belonging to a suspect in a narcotics investigation. The government claims that provisions of the Stored Communications Act (SCA) give it the authority to seek the content regardless of where it's stored.
Microsoft has refused to comply with the demand even though a magistrate and a federal district court have ordered it to do so.
The company has challenged the government’s search warrant as illegal, saying it involves the search and seizure of e-mails stored exclusively in another country, outside US jurisdiction. Microsoft argues the content in question is covered under Irish law and any request for the data needs to be made through that country.
In an appeal filed with the US Court of Appeals for the Second Circuit last week, Microsoft characterized the government’s position as an extra-territorial application of US laws that could have huge implications for privacy and for US technology companies in general.
“Seldom has a case below the Supreme Court attracted the breadth and depth of legal involvement we’re seeing today,” Microsoft general counsel Brad Smith said Monday. “This case involves not a narrow legal question, but a broad policy issue that is fundamental to the future of global technology.”
It is a position that has garnered widespread support from a variety of quarters.
On Monday, a coalition of 28 leading technology companies, 35 computer scientists, and 23 trade associates filed a total of 10 amicus briefs in support of Microsoft. Among the companies throwing their legal weight behind Microsoft are AT&T Inc., Verizon Communications Inc., Cisco Systems Inc., and Apple Inc.
For Microsoft and other US technology companies, the case is an important opportunity to demonstrate their willingness and ability to guard customer data from government prying in a post-Edward Snowden era.
Mr. Snowden’s leaks about the National Security Agency’s surveillance practices have raised considerable concerns about US government access to customer data stored in the cloud by American technology companies. The concerns have made it harder for these vendors to do business overseas and could end up costing tens of billions of dollars in lost revenue opportunities over the next few years.
If Microsoft were to lose the dispute, it would confirm for many their fears about the government’s ability to pry customer data loose from technology vendors using flimsy legal pretexts.
“There are some very real business issues here,” says Jennifer Archie, partner with the law firm Latham & Watkins in Washington. “A perception exists in foreign countries that your data is only a heartbeat away from being given to US law enforcement.”
In such a climate, a government victory is almost certain to further erode willingness on the part of foreign companies to trust American businesses with their data.
The government's claim
For the US government, the case is about the continued ability to have access to information needed for legitimate law enforcement purposes at a time when cloud computing models have completely upended traditional notions of data storage, data access and retrieval.
In trying to defend that ability, government lawyers have used what some legal experts say is a liberal interpretation of the SCA and the broader Electronic Communications Privacy Act (ECPA) of which it is a component.
The government, for instance, has argued that the SCA search warrant applies to the service provider and not necessarily to the storage location of the content. The real issue, it has also maintained, is whether the service provider has direct control over the data in question and not whether the data is stored in the US. If it has control, then it can be compelled to provide the data.
In using these arguments, the government has asked Microsoft to respond to the SCA search warrant like it would to a subpoena.
The US has also argued that the mere act of Microsoft accessing and retrieving content from its server in Dublin does not constitute a search. The search, in fact, only occurs when a government agent actually inspects the content in the US after Microsoft has retrieved the content.
A precedent for privacy
Such arguments set a dangerous precedent if allowed to prevail, says Hanni Fakhoury, staff attorney at rights advocacy group Electronic Frontier Foundation (EFF), which has filed an amicus brief supporting Microsoft in the case. It would give government the authority to unilaterally enforce US laws on data stored in a foreign country and potentially pertaining to citizens of that country, merely because the company storing it is American.
Once that precedent is set, there would be little to stop foreign governments from forcing companies under their jurisdiction to provide access to data on American businesses even if the data is stored entirely in the US. “This creates a big slippery slope where foreign companies are going to be able to do the same thing” that the US says it has the authority to do, says Mr. Fakhoury.
The real issue is not about providing government access to the data but the process involved in getting that data, says Mrs. Archie.
“I think what is being tested here is the ability of the government to use this particular form of process to get at e-mail content stored abroad,” she says.
There are other ways to get at the data, which the government has chosen not to use because they involve more time and effort. The US, for instance, could compel Microsoft Ireland Operations Ltd to disclose the data using the Ireland-US Mutual Legal Assistance Treaty (MLAT), says Archie. The process involves US law enforcement working with their counterparts in Ireland to compel disclosure in a manner fully compliant with the laws in that country.
Archie says that regardless of the eventual outcome of the case, the suit will almost certainly push Congress to change the ECPA and SCA.
“Updating ECPA would respond to the deeply held concerns of Americans about their privacy,” the Center for Democracy and Technology had noted in a letter to the US Senate earlier this year expressing support for a bill that sought to do just that.
Any changes to the statute must make it clear that the search warrant standard of the US Constitution applies equally to both private digital information and to physical property, said the CDT, another organization that signed an amicus brief in the Microsoft case.
“The fundamental question is how to strike a right balance between the clear cut need for public safety and personal privacy and who should strike that balance,” Brad Smith of Microsoft said on Monday. “It is a problem and we would be among the first to acknowledge this.”