Microsoft v. United States: DOJ Petitions for Certiorari in Microsoft Ireland, Argues that Probable-Cause Warrants Require Service Providers to Supply Data Stored Overseas

Privacy Fourth Amendment Cyberlaw

Petition for a Writ of Certiorari, Microsoft Corp. v. United States, 829 F.3d 197 (2016), No. _______,  Petition hosted by Ars Technica.

On Friday, June 23, the Department of Justice (DOJ) petitioned for certiorari in Microsoft v. United States. Microsoft and the DOJ first butted heads in 2013 over whether a warrant obtained under § 2703 of the Stored Communications Act, 18 USC §§2701–2712 (1986) (“SCA”) applied to data stored on servers in Ireland. The DOJ hoped to avoid the lengthy process of obtaining the data through a Mutual Legal Assistance Treaty (MLAT). Microsoft resisted, arguing that the SCA was not intended to apply to data stored overseas. After a magistrate judge and district court ordered Microsoft to comply, the Second Circuit reversed on the basis that § 2703 was not intended to apply extraterritorially and that the main focus of the SCA, protecting the privacy of users’ electronic communication, did not allow for extraterritorial application. In January 2017, the Second Circuit denied rehearing.

In support of its petition, the DOJ makes three arguments. First, it argues that the Second Circuit misinterpreted the SCA and § 2703. While other sections of the SCA focus on privacy, § 2703 focuses on disclosure. The focus of § 2703 is pivotal. If the conduct on which a statute focuses takes place domestically, the warrant can be applied extraterritorially. See Morrison v. National Australian Bank Ltd., 561 U.S. 247 (2010) hosted by Bloomberg Law. Disclosure to law enforcement, the DOJ argues, is a domestic activity because the service provider has already accessed and retrieved the foreign-stored data. The data has already returned to the US; therefore, the act of simply disclosing it to law enforcement is wholly domestic conduct. Thus if the focus of § 2703 is disclosure, the Second Circuit erred in refusing to enforce the warrant extraterritorially. However, the DOJ further asserts that even if the focus of § 2703 is privacy, users have no privacy interests in where Microsoft stores their data, only in whether that data is disclosed to law enforcement.

Second, the DOJ argues that the Second Circuit departed from the established framework for determining whether a statute may be applied extraterritorially, and that the decision is “inconsistent with the settled law on the operation of subpoenas.” The Second Circuit, the DOJ claims, focused too little on the text of § 2703 and too much on the general Congressional concern for privacy at the time the SCA was enacted and on other sections of the SCA directed to privacy. According to the DOJ, conducting the analysis this way led the Second Circuit to incorrectly conclude that § 2703 focuses on privacy, rather than disclosure. Though sections of the SCA focus on privacy, the DOJ believes that the extraterritoriality analysis should be strictly limited to § 2703 itself. Further, the petition argues that the § 2703 warrants function as subpoenas, and this would require Microsoft to supply any requested data even if that data must be recovered from another country.

Third, the DOJ offers a number of policy considerations, including national security and terrorism concerns. The DOJ argues that the Second Circuit decision inhibits the government's ability to stop future terrorism attacks and its ability to “effectively investigat[e] crimes like child pornography, sex trafficking, drug trafficking, racketeering, and fraud.” Service providers, including Google, who used to comply readily with § 2703 warrants, are now refusing in light of the decision. The DOJ also worries that US perpetrators can easily fake a foreign address to ensure their Microsoft data is stored abroad. Further, MLATs do not exist within every country and their execution may be too slow, as the data may have already been moved by the time the MLAT is executed. Finally, Microsoft’s economic concerns “ring hollow” to the DOJ, and these concerns should not supersede national security interests.

David Kravets of Ars Technica notes that Congress is already working on updated legislation to address the issue, which Senator Grassley (Iowa) hopes to have “out . . . before the end of the year.” Other lawmakers, such as Orrin Hatch, have pointed out that enforcing these warrants might force service providers to choose between violating US law by not complying with the warrant and violating the laws of other nations by complying. Kate Cogner of Gizmodo worries that if “the US can snatch foreign data with impunity, other governments will want to do the same—and companies like Microsoft won’t have good legal standing to refuse. That’s very bad news for US consumers’ privacy.” Brad Smith, chief legal officer for Microsoft, blogged in response to the petition that the “DOJ’s position would put businesses in impossible conflict-of-law situations and hurt the security, jobs, and personal rights of Americans.”