This post is the latest installment of our “Monday Reflections” feature, in which a different Just Security editor examines the big stories from the previous week or looks ahead to key developments on the horizon.
Two big legal developments last week—a court opinion and a legislative proposal—mean the pressure is on to address the question of when law enforcement can seize personal information stored in other countries, known as cross-border data acquisition. This issue may sound a little arcane, but its resolution will affect privacy, criminal justice, and innovation for years to come. When you use the Internet, do you enjoy the privacy protections of your home country’s laws, or of no country’s laws? (The answer may surprise you!) How can governments obtain the information they legitimately need to find criminals and conduct valid intelligence operations when the data is held in another nation and/or by an American company? What should companies do if the privacy standards in the country where they are holding the data are far more stringent than those of the country asking for the data? Where there’s a conflict of laws, must and should companies give governments information for investigations of things that are legal in the US like homosexuality (illegal in India), talking trash about the king (illegal in Thailand), and holocaust denial (illegal in France)?
Last Thursday, a panel of the Second Circuit Court of Appeals ruled unanimously that Microsoft need not comply with a US government warrant for emails stored on an Irish server. The issue was whether a warrant issued under the Stored Communications Act (SCA) could be applied extraterritorially to seize data in another nation, and whether it was an extraterritorial act to require a Microsoft employee in the United States to enter the database commands that would call the responsive data from Ireland back to the US. The panel held that warrants do not have extraterritorial effect. Further, it considered the warrant as executed in Ireland, where the data was located. Since warrants can’t command searches or seizures outside US borders without explicit authorization from Congress, the warrant was null and void and Microsoft did not have to comply.
I was surprised by the Microsoft Ireland decision. My view was that the seizure of the data takes place in the US and therefore the warrant would not be exercised extraterritorially. My view was not adopted by the Second Circuit. It wasn’t the first time and it won’t be the last. But the opinion isn’t very clear on why the court thinks that the execution takes place in Ireland where the data is, and not in the US where a Microsoft employee is served with the warrant, or where she places her fingers on the keyboard to extract the responsive information, or where the law enforcement official ultimately reviews the data.
The record was silent on the nationality of the target of the investigation. It’s a big obstacle if US law enforcement can’t get information about a US person for a US investigation from a US company just because that company decided to store the data outside the US. The police would likely have to make a request through that nation’s mutual legal assistance treaty (MLAT) provisions, which can take months. But it might make sense to require the US to go through the courts of another country if the target is a foreign national that the other government would want the US to respect whatever privacy safeguards provided to that person by his own nations’ laws. (More about this later.)
Another question is whether US authorities can continue to use the provisions of theElectronic Communications Privacy Act (ECPA) that authorize warrantless access to data to obtain information stored outside the US. For example, ECPA provisions allow access to some kinds of transactional data (session data but not electronic communications transaction records) and subscriber information with a subpoena with notice. Further, email 180 days old or older and, the concurring judge controversially suggests, messages that have been read, can be obtained with an order or subpoena. Can these procedures, less privacy-protecting than a warrant, be enforced extraterritorially? The majority suggests not:
“[O]ur Court has never upheld the use of a subpoena to compel a recipient to produce an item under its control and located overseas when the recipient is merely a caretaker for another individual or entity and that individual, not the subpoena recipient, has a protectable privacy interest in the item.”
Indeed, the majority goes further, calling into question the so-called third party doctrine, a DOJ theory that information held by service providers and other data custodians is not protected by the Fourth Amendment because people have no expectation of privacy in information others can access. The theory is premised on two cases, Smith v. Maryland, involving phone numbers dialed, and United States v. Miller, involving bank records. Contrary to DOJ canon, the majority says that the records in Miller have nothing to do with email content. The government goes too far, says the majority, to assume that it could ever enforce a subpoena for email content given how different the role of the service provider is as compared to a bank or other traditional subpoena recipients. (p. 37) In other words, while it is generally accepted (outside the DOJ at least) that communications content doesn’t lose Fourth Amendment protection due to the third party doctrine, the Second Circuit appears to go further here and suggest that metadata, too, could be protected by a warrant requirement.
Did Privacy Win?
Ultimately, it’s unclear to me whether this opinion is a privacy-friendly outcome, though that is certainly how the panel majority seemed to view their task of interpreting the SCA. I say this because other countries generally have surveillance laws that are less, not more, privacy-protecting than US law. European readers might prefer that Ireland consider whether to authorize the search. If so, I’d like to hear why because the US’s warrant requirement and our wiretapping procedures—when they apply—are generally comparatively stringent. Further, the US has written laws that curtail domestic intelligence gathering, where many European nations do not.
So to my mind, the more privacy-friendly outcome would be if the search were found by the court to be taking place in the United States, if not also in Ireland. That is because US law imposes more constraints on US officials acting inside the US. Outside the US, the Fourth Amendment does not apply to law enforcement searches targeting foreign nationals (see United States v. Verdugo-Urquidez). Searches targeting citizens must be “reasonable”, and though courts have split on what reasonableness means, they have uniformly held that these investigations do not require a Fourth Amendment search warrant. Further, US intelligence agencies are generally more constrained by FISA when conducting surveillance from inside the US Even section 702, the controversial law behind the NSA’s PRISM program, is more privacy protective than the executive order under which most overseas intelligence gathering takes place. As a matter of ensuring constitutional and statutory privacy protections, the public might prefer a ruling that says the search takes place in the US.
Read the full post at Just Security.