Last month, Microsoft challenged a warrant that was served on their US offices for customer data that the company stores in Ireland (In the Matter of a Warrant to Search a Certain E-mail Account Controlled and Maintained by Microsoft Corporation No 13 Mag 2814, April 25 2014). Verizon, Apple and Cisco, AT&T, and EFF have all filed amicus briefs supporting Microsoft. Our first instinct might be to feel that this is a case of an over-reaching government taking short cuts to access user data, and we should therefore get behind Microsoft. However, before we pick sides or jump on the Microsoft bandwagon, I want to unpack the issues and sound a note of caution. It is certainly not clear-cut that Microsoft’s approach is the best for the user, business, or the evolution of the law.
The first thing that I think we need to get straight is that this is not easy. The Electronic Communications Privacy Act (ECPA) is not designed for the scale and complexity of the way in which providers use international servers and cloud computing today. Using strained analogies with filing cabinets and the tools of traditional statutory interpretation to try to push and pull ECPA into the twenty-first century is not going to give a great outcome. If we want the law to be ‘straightforward’, we really need to start rethinking the law from the ground up (as Professor Kerr suggests), or at least make significant amendments to ECPA (sadly, this is not addressed in the current proposal). Microsoft’s claim that this issue is straightforward might be a good litigation strategy, but it is not helpful if we want to move the jurisprudence forward in a meaningful, sustainable way; we need to acknowledge the complexities and the limitations of the current law.
What did the decision say?
The magistrate upheld the warrant. In short, he found that an order under s2703(d) of ECPA is a special hybrid of a search warrant and a subpoena, so it is not bound by all the same geographical limits of a standard search warrant. He argued that there is ambiguity in the way in which a s2703(d) order applies, so courts can look to context in order to interpret ECPA’s geographical scope. The magistrate reasoned that practical considerations, as well as the structure and legislative history of ECPA support enforcing the court order. He noted the difficulties with the mutual legal assistance treaty (MLAT) process and reasoned that it would not be practicable to limit the application of ECPA so that US law enforcement is forced to rely on MLATs.
In any event, the magistrate found that no actual ‘search’ would occur until the government officers looked at the data. This would only occur after Microsoft had retrieved the data from Ireland.
What’s the issue?
There are some very important issues at the heart of this case, and the magistrate’s decision does not spend a lot of time teasing them out. The key questions are:
- what criteria should determine which laws apply to a user’s data?
- Where the data is stored? Where the company’s headquarters are located? Where the user is located? Where the terms of service specify?
- when does a search or seizure of data actually occur?
- When a company officer copies the data from the server? When a company hands the data over to the government? When a government official looks at the data?
The decision notes some of the difficulties in using data location as the basis for jurisdiction, but doesn’t really analyse the alternative bases for jurisdiction. In fact, the decision does not even specify where the user was located or the user’s nationality.
Similarly, the magistrate quickly dismisses the question of what part of the process constitutes the ‘search’ or ‘seizure’. The magistrate quotes Professor Orin Kerr’s 2005 article to conclude that a search occurs when ‘the data is exposed to possible human observation’ (ie when Microsoft hands the data over to government officers in the US). As the EFF amicus brief points out, Prof. Kerr has since refined his view on this issue and has suggested that a ‘seizure’ can occur when data is copied. This analysis could mean that ‘seizure’ occurred when Microsoft copied the data from the server in Ireland. This could amount to an extraterritorial seizure and enliven fourth amendment constitutional protections. Given these ramifications, the issue of when a ‘search’ or ‘seizure’ occurs in the online context deserves further analysis.
Who should care about this?
This issue is important for every individual who uses online products and cares about how access to their data is governed. It also has implications for all tech and telco companies that store user data across jurisdictions.
Apple, Cisco, and AT&T have all shown their support for Microsoft’s approach to this issue. To date, other companies such as Google, Twitter and Facebook have been quiet. Part of the reason for this is that there is not unanimity among the tech world about how to approach the issue.
Microsoft and its supporters seem to be advocating jurisdiction on the basis of the location of the data, not company headquarters. This makes sense when you look at Microsoft’s terms of service, which specify that different jurisdictions’ laws apply depending on where in the world the user is located (which presumably has some correlation with the data location). Microsoft has chosen to accept legal process in many countries (as you can see in their transparency report). In this way, Microsoft’s position in the current case reflects the business decisions that they have already made about how to operate in different countries.
By contrast, companies such as Facebook, Twitter and Google specify that the laws of their headquarters’ location (California) always apply. The reasoning behind this is partly technical and partly principled. The technical argument is that having to make decisions about where to host data based on legal processes rather than technical considerations could compromise the ability to provide fast, reliable online products. Google has spoken of this issue when they publicly opposed Brazil’s attempt to legislate for data localization.
The principled aspect to this argument is that sheltering behind Californian jurisdiction gives the companies the ability to set their own, US-based standards for when data should be handed over. This means that they can provide services internationally, but can still refuse to hand over data to foreign governments who seek that data for nefarious purposes. Twitter’s strong branding around protecting users’ freedom of speech indicates that this is an important issue for them.
What is the right approach to take?
There is no easy answer to this question; each approach involves compromise and trade-offs. I think it’s important to note that being on the opposite side to the government is not necessarily the same as being on the user’s side. In some instances, Microsoft’s approach might result in stronger user protections, but in others it would not. It would place limits on US government access to user data, which may be beneficial in pushing back against government intrusions. However, it would also mean that users in undemocratic regimes would not necessarily benefit from the protections of US laws or US company policies. It also may limit the ability to provide fast and reliable online services to users through optimal data storage practices.
The Internet and Jurisdiction Project has been doing important work on this issue (see their ambitious compilation of international cases), but we are a still a long way from developing and implementing a solution. What is clear is that we need to take a nuanced approach to jurisdiction; basing jurisdiction solely on the location of the data, user, or company headquarters will give uneven and often unsatisfactory results. We also need to engage with the complexity to understand where ‘searches’ and ‘seizures’ actually occur in the online context. This is something that we need to get right. The Microsoft case is a wakeup call that the current system is not doing a good job at serving either the needs of users or the needs of business.