Courts & Litigation

A Primer on Microsoft Ireland, the Supreme Court’s Extraterritorial Warrant Case

Andrew K. Woods
Monday, October 16, 2017, 2:07 PM

The Supreme Court announced this morning that it will grant the Department of Justice’s petition for a writ of certiorari in its dispute with Microsoft over access to emails stored on the company’s Irish servers. The crux of the dispute is the territorial reach (and territorial applicability) of the Stored Communications Act (SCA), a subset of the Electronic Communications Privacy Act (ECPA) that governs law enforcement access to communications data.

Published by The Lawfare Institute
in Cooperation With
Brookings

The Supreme Court announced this morning that it will grant the Department of Justice’s petition for a writ of certiorari in its dispute with Microsoft over access to emails stored on the company’s Irish servers. The crux of the dispute is the territorial reach (and territorial applicability) of the Stored Communications Act (SCA), a subset of the Electronic Communications Privacy Act (ECPA) that governs law enforcement access to communications data.

What follows is a summary of the procedural history, the issues, and a few things to keep an eye on.

Background

The dispute arose when the Justice Department brought a warrant to Microsoft – issued based upon probable cause under the SCA (18 U.S.C. § 2703) – asking for the details and contents of an email account believed to be associated with a suspected drug trafficker. Specifically, the warrant sought:

(a) The contents of all e‐mails stored in the account, including copies of e‐mails sent from the account;

(b) All records or other information regarding the identification of the account, including, among other things, the name, physical address, telephone numbers, session times and durations, log‐in IP addresses, and sources of payment associated with the account;

(c) All records or other information stored by an individual using the account, including address books, contact and buddy lists, pictures, and files; and

(d) All records pertaining to communications between MSN [redacted] and any person regarding the account, including contacts with support services and records of actions taken.

Microsoft produced the transactional records it held on its data centers in the United States, but declined to produce the customer’s emails that it said were stored on a data center in Ireland. Microsoft declined to comply with the warrant on the grounds that (1) the SCA does not apply extraterritorially, and that (2) because the contents of the email account are stored in Ireland, the warrant would have unlawful extraterritorial reach.

A federal judge upheld the warrant (denying Microsoft’s motion to quash) and held Microsoft in contempt for not complying. Microsoft appealed to the Second Circuit. Last summer, the Second Circuit vacated the lower court’s contempt order and reversed the denial of Microsoft’s motion to quash. The court agreed with both of Microsoft’s premises, concluding:

  1. Because the SCA is silent as to its territorial reach, it must be read consistent with the presumption against extraterritoriality and therefore does not apply abroad; and
  2. The relevant territorial question for the purposes of determining the warrant’s reach is “where is the data stored?” rather than other possible inquiries, such as “where is the company located when they are served with the warrant?” or “can the company access the data from the U.S.?” Because the data in this case is stored in Ireland, a U.S. warrant delivered in Washington operates in Ireland for the purposes of the SCA, and therefore is an impermissibly extraterritorial application of that statute.

These are the main issues on appeal.

Issues Before the Court

In its cert petition, the Justice Department does not question whether the presumption against extraterritoriality might apply to limit the territorial reach of the SCA (see issue (1) above) but instead weights the bulk of its argument on the second question about the location of the relevant activity. DOJ argues in its petition that:

The provision [of the SCA] is applied domestically when a court issues a warrant to a provider in the United States requiring disclosure in this country of material over which the provider has control, regardless of whether the provider store s that material abroad.

For support, DOJ cites a number of banking cases where courts allowed subpoenas to compel banks to produce foreign-held banking records. If the disclosure happens in the U.S., that is the relevant location – wherever the provider chooses to store it. This conclusion appears to be supported by the court’s most recent case on extraterritoriality, RJR Nabisco v. European Community, which concluded that an order “involves a permissible domestic application” of the provision in question where it relates to domestic conduct and even if it has secondary effects on foreign conduct.

DOJ also concludes that as a matter of policy, the court ought not allow a provider to thwart valid law enforcement efforts based on its decision – which can be changed in an instant – to store data in another jurisdiction.

Microsoft’s response argues for denial of cert based on two grounds:

  1. The fact that the Second Circuit’s territoriality analysis of the SCA is sound; and
  2. “Congress is actively considering amendments to the SCA that would expressly provide for limited extraterritorial reach.”

Things to Watch:

1. Microsoft’s Legislative Gambit

Microsoft’s second argument – that legislation is pending – adds a bit of an odd element to this case. Microsoft is arguing that the SCA does not apply extraterritorially, but as the firm’s brief makes clear, Microsoft is not opposed to extraterritorial applications of the SCA. Indeed, it has been pushing very hard for legislative changes along those lines. (See the firm’s website dedicated to legislative reform here.) So Microsoft does not agree with the amici who argue that it would be terrible for U.S. law enforcement to be able to access data stored abroad. Rather, Microsoft’s argument about the SCA’s reach is something like “the SCA should apply extraterritorially, but it does not currently, and the court should not be the one to extend it because that is Congress’s job.” It will be interesting to see how explicitly the firm makes this argument before the court.

2. An Industry Divided?

A number of civil society groups and companies filed amicus briefs before the Second Circuit in this dispute, but there were two notable absences: Facebook and Google. My guess at the time was that Facebook and Google did not want to argue in open court that the SCA should not apply extraterritorially because it would conflict with what they tell non-U.S. law enforcement around the world. Both firms resist foreign law enforcement requests on the grounds that they cannot comply because the SCA covers all of the digital contents flowing through their global networks (even data flowing through servers located in places like Ireland). It will be interesting to see if and how these tech giants weigh in at the Supreme Court.

3. Is the Case About User Privacy?

The press describes this as a “privacy” case, and that is how Microsoft characterized its win in the Second Circuit, but it really isn’t one – at least not in the standard sense of a court determining what kinds of data the police can collect about you and how. As Judge Lynch described in his begrudging concurrence in the Second Circuit,

To uphold the warrant here would not undermine basic values of privacy as defined in the Fourth Amendment and in the libertarian traditions of this country. (emphasis added)

That is because a court had already found probable cause to issue the warrant. To the extent that the case is about privacy rules, then it is about which country’s search and seizure rules apply to Microsoft’s data center in Ireland: the U.S.’s or Ireland’s.

Confusion about the privacy implications of the case are made worse by the confusing stance that privacy groups are taking. In another odd twist, some of the civil society groups lined up behind Microsoft to argue that the SCA should not extend to data stored on Microsoft’s data center in Ireland also argue before Congress that the U.S.’s Fourth Amendment should govern foreign law enforcement access to data held abroad by U.S. firms. (Compare, for example, the Center for Democracy and Technology’s amicus brief in the Second Circuit with their testimony before Congress on the legislative solution Microsoft is pushing.)

4. What Will the Court Make of Sovereignty Claims?

Another thing to keep an eye on as briefs make their way to the court: sovereignty concerns. I expect foreign sovereigns will weigh in with amicus briefs, just as Ireland did before the Second Circuit. But while the case is riddled with foreign affairs concerns, it is not clear which way international comity arguments cut. I expect Microsoft to argue, for example, that the court ought to defer to Ireland’s compelling interest in making sure that data stored on its shores is accessed only in accordance with Irish law. But what exactly is the sovereignty concern? Unless Ireland has a complaint with the adequacy of the U.S. due process standard – and so far it does not – the argument must be something about abstract principles of international comity. Yet international comity is not at all inconsistent with extraterritorial applications of the law. Indeed, while half of the court’s comity doctrines call for judicial self-restraint, another half call for enabling and extending a country’s laws extraterritorially.

As we say a lot around here, stay tuned.


Andrew Keane Woods is a Professor of Law at the University of Arizona College of Law. Before that, he was a postdoctoral cybersecurity fellow at Stanford University. He holds a J.D. from Harvard Law School and a Ph.D. in Politics from the University of Cambridge, where he was a Gates Scholar.

Subscribe to Lawfare