Microsoft Challenged the Wrong Law. Now What?
The Supreme Court recently agreed to hear an important electronic privacy case, United States v. Microsoft, on whether Microsoft has to comply with a United States search warrant for email stored by Microsoft on a server in Ireland. I’m going to explain in this post why I think the case comes to the court with a major problem. Specifically, Microsoft brought its challenge under the wrong statute.
Published by The Lawfare Institute
in Cooperation With
The Supreme Court recently agreed to hear an important electronic privacy case, United States v. Microsoft, on whether Microsoft has to comply with a United States search warrant for email stored by Microsoft on a server in Ireland. I’m going to explain in this post why I think the case comes to the court with a major problem. Specifically, Microsoft brought its challenge under the wrong statute. Microsoft is challenging its compliance under the Stored Communications Act (SCA), but it should be challenging its compliance under the All Writs Act (AWA).
The difference is important. Microsoft's focus on the Stored Communications Act leaves the Supreme Court with no good options. From a perspective of policy, you wouldn't want either rule that Microsoft's framing sets up. Had the challenge been brought under the All Writs Act, however, the court could use traditional interpretive principles to craft a sensible rule in the case. This post explains how.
This will be a long post, so here's a road map. I'll start with the law before Congress enacted the SCA. Next I'll turn to the SCA and show why Microsoft's challenge really has nothing to do with it. I'll then cover the AWA and show how Microsoft's arguments are really about the AWA. I'll next show how framing the case under the AWA gives the Supreme Court discretion to reach results that are vastly better than those under Microsoft's misframing. I'll conclude by discussing what options the Supreme Court has to better resolve this case.
I. Legal Authorities Without the SCA
Let's start at the beginning. According to the briefs filed in the lower courts, the Microsoft case rests on whether the SCA applies to contents stored abroad. Microsoft argues that the SCA does not apply because the emails to be accessed under the search warrant are stored outside the United States on a server in Ireland. Complying with the warrant would be an extraterritorial application of a territorial statute, Microsoft contends. The United States responds that the SCA applies because compliance with the SCA would occur inside the United States. According to the United States, complying with the warrant is territorial and therefore proper.
Both positions are premised on a critical assumption: If Microsoft must comply with the warrant, it is the SCA that compels it. But I think that assumption is wrong. Whether Microsoft must comply with the warrant actually has nothing to do with the SCA. Instead, it has to do with an entirely different law, the All Writs Act.
To appreciate this point, it helps to step back and understand the role of statutory privacy laws in criminal investigations.
There are two traditional ways that criminal investigators can compel the disclosure of information in the absence of specific privacy laws. First, investigators can issue grand jury subpoenas. Subpoenas order recipients to disclose records in their possession, subject to challenge for overbreadth and any legal privileges. The second way investigators traditionally compel the disclosure of information is with a search warrant based on probable cause. A warrant authorizes government agents to search for and then seize evidence.
In the context of network investigations, however, there is a twist. Third-party providers have the records, so legal process is typically served on the providers rather than executed directly by investigators. This dynamic is obvious with subpoenas. The government serves subpoenas on the providers, who then respond to the subpoenas.
But the same thing happens with warrants. Network warrants usually order third-party providers to assist with executing them. Everyone likes this, as it's obviously better to have providers collect and hand over data to investigators than to have investigators enter the providers' headquarters to collect the data themselves. No one wants FBI agents breaking down Microsoft's door and looking for the contents of an email account.
In the absence of a privacy statute, though, what authority does a federal court have to order providers to help them execute a warrant? Warrants traditionally say that law enforcement can search and seize, after all. They don't usually direct others to do anything. The assistance issue was resolved in a 1977 Supreme Court case, United States v. New York Telephone Co., 434 U.S. 159 (1977). New York Telephone held that federal judges have authority to issue assistance orders on communications providers, requiring them to assist in the execution of a warrant on the networks. The exact limits of how much assistance courts could order was left unclear, but the basic idea was that courts had the authority to require network providers to assist the government in the execution of warrants.
II. The Role of the SCA
Let's finally turn to the SCA. The SCA was passed in 1986 to provide a legal framework regulating access to remotely stored files such as emails. The problem, Congress realized, was that email and cloud storage providers often possessed files that were the contents of user communications. The third-party storage problem threatened two problematic results under Fourth Amendment doctrine. First, because the providers were not state actors, providers could access user contents and disclose them voluntarily with no Fourth Amendment restriction. Second, it wasn't at all clear whether a warrant was needed to compel providers to disclose contents to the government. There were good arguments that a subpoena alone would be constitutionally sufficient to do that, mostly on the thinking that the contents of emails might be voluntarily disclosed under the third-party doctrine and therefore be unprotected by virtue of the network architecture.
The SCA was designed to correct both problems. First, 18 U.S.C. § 2702 imposed a legal bar on provider disclosure of the contents of communications unless an exception applied. In other words, no voluntary disclosure was permitted by statute, solving the first problem. Second, 18 U.S.C. § 2703 created an exception to Section 2702 that a provider can disclose contents if the government obtains a probable cause search warrant. This solved the second problem, as a subpoena that might be sufficient under the Fourth Amendment was not sufficient under the statute.
Here's the key language of § 2703:
A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication . . . only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction (emphasis added).
The SCA in effect recreates the familiar Fourth Amendment rules that were threatened by the Internet's architecture. The fact that third-parties were storing the information might have major Fourth Amendment implications, but under the statute they didn't matter. Voluntary disclosure is prohibited, subject to Fourth-Amendment-like exceptions, and a search warrant was required.
Importantly, the SCA did all of this without any new court order authority. (The subsequent enactment of § 2703(d) in 1994 was a new court order authority for noncontent records, which is at issue in the Carpenter cell-site case. But that provision is not relevant to this case.) The SCA imposes limits on voluntary disclosure and specifies when warrants were required using the traditional forms of legal process. The process itself –- subpoenas and warrants -– were preexisting forms of legal process already regulated by existing law before the SCA was enacted.
III. Why Microsoft's Challenge Is Not Really About the SCA
With this understanding in place, we can see how the parties have misframed the issues. If the SCA applies, it imposes limits on disclosure under § 2702 unless an exception is met such as sufficient legal process. If the SCA applies, § 2703(a) requires the government to get a warrant.
But here's the thing: There is no disagreement about either of those questions in the Microsoft case. Neither the United States nor Microsoft argues that the nondisclosure limits of Section 2702 do not apply. And neither the United States nor Microsoft is arguing that less process than a warrant is sufficient to compel disclosure.
Put another way, both parties agree that the SCA applies. Or rather, whether the SCA “applies” in this case is wholly irrelevant. If the SCA doesn’t apply, there is no warrant requirement. If the SCA does apply, there is. But the government already has a warrant, and no one is suggesting that Microsoft can disclose the contents without it.
Step back and ask the question: What judge ordered Microsoft to retrieve emails from abroad, and under what authority? And the answer is that it's the magistrate judge's initial order -- the warrant, and specifically its provision ordering Microsoft to assist with its execution-- that is attempting to impose a duty on Microsoft to get emails from abroad. Whether Microsoft must comply with that assistance provision depends on whether the provision is lawful. But that is exactly the same question whether or not the SCA applies.
For that matter, it's the exactly the same question whether or not the SCA exists. Congress could repeal the SCA and investigators could get the same warrant and the same assistance order, just as they did in New York Telephone. And the legal question of whether Microsoft had to comply with the warrant with its assistance provision would be the same.
For these reasons, it seems to me that Microsoft isn't a case about the SCA at all. The parties' metaphysical arguments about whether the true focus of the statute is on providers retrieving data (inside the country!) or data being retrieved by providers (outside the country!) are entirely beside the point. The parties are fighting over the wrong law.
IV. Why the Microsoft Case Is Really About the AWA
So if the SCA is irrelevant to the Microsoft case, what law applies? What's the law that determines whether the assistance provision in the warrant exceeds the court's power? The answer is the law discussed in New York Telephone: The All Writs Act, 28 U.S.C. § 1651(a). Here's the text:
The Supreme Court and all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.
You probably heard a lot about the AWA last year during the dispute often known as Apple v. FBI. In that case, the (ultimately unresolved) issue was whether the FBI could get Apple's assistance to help break into a locked phone. It turned out to be a really novel question under the AWA. As I wrote at the time, the case was "like a crazy-hard law school exam hypothetical in which a professor gives students an unanswerable problem just to see how they do."
In contrast, the warrant and assistance order in this case is very similar to the one challenged in New York Telephone In both cases, investigators obtained probable cause search warrant with an assistance provision ordering the provider to help carry out the execution of the warrant. Just as in New York Telephone, whether the assistance provision is lawful hinges on whether it exceeds a federal court's power under the AWA.
Importantly, the AWA controls the lawfulness of the assistance order even though the statute is not actually mentioned in the warrant. That was true in New York Telephone, too. In New York Telephone, the district court ordered the FBI to install the surveillance tool and then required the phone company to furnish the FBI "all information, facilities and technical assistance" necessary to install and use it. The order itself was deemed a Rule 41 warrant, the nature of which is to order only law enforcement to act. As the current text of Rule 41 says, a "warrant must command the officer to . . . execute the warrant." Rule 41(e)(2)(A) (emphasis added). The lawfulness of the part of the order commanding the phone company to act was governed by the All Writs Act even though the order did not mention the All Writs Act.
The same is true here. Under New York Telephone, whether Microsoft must comply with the assistance provision of the warrant depends on whether compliance falls within the court's authority granted by the All Writs Act.
V. The Better Path Opened by the AWA
Why does all of this matter, you wonder? I mean, it's legally correct -- or so I think. But if I'm right, so what? Here's the so-what: Understanding Microsoft as an AWA case gives the Supreme Court a clear path to a sensible legal solution to the case that it otherwise lacks.
Let me explain why.
As a lot of people have noticed, framing the case under the SCA leads to bad results no matter who wins. If you say that the SCA "applies," and therefore Microsoft must comply with the warrant, then U.S. providers must comply with warrants even for the foreign-stored contents of foreign nationals who have never been in the United States. This would expand the role of U.S. search warrants, giving the government access to contents traditionally outside the warrant authority. If you say that the SCA doesn't "apply," and therefore Microsoft doesn't need to comply with the warrant, then U.S. providers can place contents of U.S. citizens on servers abroad. This would have the effect of thwarting U.S. search warrants, denying access to contents traditionally within the warrant authority.
If Microsoft is an SCA case, in other words, the Court has two bad options. It must either interpret the SCA so that the law significantly expands the government's search warrant authority or else interpret the SCA so that the law significantly restricts that authority.
Judge Lynch hinted this problem in his concurrence to the Second Circuit panel decision:
[I]t does seem to me likely that a sensible answer [as a matter of policy] will be more nuanced than the position advanced by either party to this case. As indicated above, I am skeptical of the conclusion that the mere location abroad of the server on which the service provider has chosen to store communications should be controlling, putting those communications beyond the reach of a purely “domestic” statute. That may be the default position to which a court must revert in the absence of guidance from Congress, but it is not likely to constitute the ideal balance of conflicting policy goals. Nor is it likely that the ideal balance would allow the government free rein to demand communications, wherever located, from any service provider, of whatever nationality, relating to any customer, whatever his or her citizenship or residence, whenever it can establish probable cause to believe that those communications contain evidence of a violation of American criminal law, of whatever degree of seriousness.
But here's the key: Properly understanding Microsoft as an AWA case enables other options that are far better. Unlike the SCA, the AWA requires judgment calls of what is "appropriate in aid of [the court's] respective jurisdiction." 28 U.S.C. § 1651(a). The Supreme Court has treated this an invitation for flexible judicial rule-making relating to a judge's enforcement power. "A federal court may avail itself of all auxiliary writs as aids in the performance of its duties," the Supreme Court has said of the AWA, "when the use of such historic aids is calculated in its sound judgment to achieve the ends of justice entrusted to it." Adams v. United States ex rel. McCann, 317 U.S. 269, 273 (1942).
Further, the AWA is all about preserving judicial authority. The idea is that a federal court has a certain amount of authority that the AWA helps it maintain if something gets in the way. As the Court held in New York Telephone, the federal court's power under the AWA "extends, under appropriate circumstances, to persons who, though not parties to the original action or engaged in wrongdoing, are in a position to frustrate the implementation of a court order or the proper administration of justice." New York Telephone, 434 U. S. at 174. A court can use the AWA to ensure the implementation of preexisting legal authorities in flexible ways "calculated in its sound judgment to achieve the ends of justice entrusted to it." Adams, 317 U.S. at 273.
You can see, before we get to the details, that understanding Microsoft as an AWA case means that courts aren't stuck with the two bad answers everyone seems to think. And as I'll explain in the next section, I think there's a pretty sensible interpretation of the AWA that creates a sound policy answer to Microsoft otherwise missing from the case.
VI. A Proposed Framework Under the AWA
There are a few possible ways to apply traditional AWA principles to the Microsoft case. But one particularly appealing and sensible approach is to adopt this rule: U.S. providers can be ordered to assist with the production of foreign-stored data belonging to U.S. persons but not the foreign-stored data of foreigners.
The starting point underlying this rule is that the search warrant power is traditionally domestic, as Microsoft emphasizes in its briefs. The warrant authority traditionally applies inside the United States but not outside the United States. What has changed, I think, is that the global nature of the Internet has put third-party network providers "in a position to frustrate the implementation of a court order or the proper administration of justice." New York Telephone, 434 U. S. at 174.
They're not doing this intentionally, of course. It's just how the technology works. The global Internet lets providers put information anywhere. The files of U.S. persons that traditionally would have been in reach of U.S. warrants might now be placed out of reach because they are on a foreign server. Conversely, the files of non-U.S. persons that would have been out of reach because they were abroad might now be placed in reach because they are accessible by a U.S. company. The technology has ended the logical connection between the location of people and the location of their data, making a focus on data location essentially arbitrary.
Under New York Telephone, however, the AWA authority gives courts the power to craft assistance limits to preserve the traditional search warrant power. It could go like this. If a U.S. person stores contents with a U.S.-based provider, and the provider's network places those contents outside the U.S., the provider is "in a position to frustrate the implementation of a court order or the proper administration of justice." New York Telephone, 434 U. S. at 174. In a world of local storage, the records could be obtained with a domestic warrant. Under New York Telephone, the argument would run, a federal judge can compel the provider that placed the data outside the U.S. to assist by bringing it back inside the U.S. to aid the federal court's jurisdiction.
On the other hand, if a non-U.S. person stores contents with a U.S.-based provider, and the provider's network keeps those files outside the U.S., an assistance order would be improper under the AWA. The domestic warrant authority, whether construed under Rule 41, the common law, or a statutory authority, does not ordinarily extend to the property of foreigners abroad. In such a case, ordering the provider to bring data inside the United States, just because it can, is not in "aid of [the court's] respective jurisdiction." It is an expansion of the court's jurisdiction in such circumstances, not in aid of it. As a result, the argument should run, it exceeds the power of the AWA.
The result would be a rule that U.S. providers can be ordered to assist with the production of foreign-stored data associated with U.S. persons but not the foreign-stored data of foreigners. Procedurally, it could work something like this. After the government serves the warrant on the provider, and the provider has reason to believe that it involves a non-U.S. person, the provider could object to assistance with respect to files stored outside the United States on the ground that forcing it to bring the data into the United States exceeds the All Writs Act. If the government is unpersuaded by the objection because it believes the subject is a U.S. person, either the government can seek enforcement of the warrant's assistance provision or the provider can move to vacate or modify the assistance provision. The court can consider the evidence from both sides and decide whether the subject is a U.S. person and therefore whether assistance is within the AWA. As in New York Telephone, the losing side could appeal the lower court's order subject to an abuse of discretion standard of review.
I'll be the first to say that there are some details to work out in terms of how this would operate. But it strikes me as a framework that both fits existing law and solves the foreign-stored data puzzle in a much better way than the options offered by how the parties have framed the case. It's a win-win answer. Or at least it’s a mostly-win-mostly-win answer. It preserves the traditional search warrant authority but doesn’t expand it. The government would have their warrants executed for U.S. persons no matter where the information is stored, which is what the government mostly wants. The providers would be able to tell their foreign customers (and foreign governments) that their contents are beyond the reach of U.S. search warrants, which is what the providers mostly want.
VII. What Now?
In the event that you've actually read this far and you agree with my basic point that the AWA should control, what should the Supreme Court do?
One approach would be to rule narrowly for the government on the SCA and then remand for consideration of the AWA. The Court could say that (a) the SCA is no barrier to complying with the assistance order for the reasons explained in Parts I and II but that (b) this doesn't answer whether the AWA permits compliance. On the plus side, this would be correct on the SCA and make no errors on the AWA. On the minus side, it would kick the ultimate question of provider compliance back to the lower courts. The Supreme Court took this case without a split because an answer is needed. It would be frustrating for the Court to send the issue back to lower courts for what might be several more years of uncertainty.
An alternative approach would be for the Court to take the rare step of asking the parties to file additional briefs. Assuming the parties only brief the case under the SCA, the Court could direct them to also address whether compliance complies with the AWA. This sort of order happens occasionally. For example, in March 2016, the Court issued a miscellaneous order in Geneva College v. Burwell asking the parties to file additional briefing on a particular concern the Justices had. If they did something similar in the Microsoft case, the Justices could get briefing on the application of the AWA and (if they ask for briefing early enough) discuss that briefing in the oral argument. The Court could then decide both the SCA and AWA issues together, answering the question presented under the correct statutes and handing down a ruling on the scope of assistance under the AWA.