Does a U.S. Warrant Apply to Data Stored on a Foreign Server?

This article first appeared on the Council on Foreign Relations site.

In December 2013, the U.S. Department of Justice (DOJ) served Microsoft with a warrant requiring the company to hand over the e-mails of a Microsoft customer suspected of drug trafficking.

Microsoft refused to turn over the e-mails on the basis that they are stored in servers at a data center in Ireland and that the warrant did not apply to overseas data. Instead, Microsoft argued the DOJ should work with Irish authorities to obtain access to the data.

In July 2014, a U.S. district court ordered Microsoft to turn over the e-mails, but Microsoft appealed to the Second Circuit Court of Appeals, which will hear arguments on September 9.

In light of the significance of this case for U.S. consumers and businesses, and the impact that its outcome could have on the privacy of digital communications, Brad Smith, executive vice president and general counsel for Microsoft, took the time to answer some questions regarding the case and what its outcome might mean.

It's obvious why foreign citizens have a stake in the outcome of this case: The privacy of their data is in question. Why should a U.S. citizen, whose data is stored only on servers located in the United States, care?

At the broadest level, this issue is about the future of technology. We need to ensure that people can trust the technology on their desks and in their pockets. And this trust will only come if the laws are clear.

There are other immediate reasons too, and perhaps the most powerful is public safety and national security. If the U.S. government is permitted to serve warrants on tech companies in the United States and obtain people's e-mails in any country, it will open the floodgate for other countries to serve warrants on tech companies for the private communications of American citizens that are stored in the United States in a data center owned by a foreign company. Imagine the immediate implications for journalists, advocacy organizations, or government officials here.

If you win this litigation, it could be argued that the United States will have less authority than other states to pursue national security and law enforcement investigations across borders. Does greater privacy protection necessarily equal fewer powers for national security investigations?

We need to balance both privacy and national security, and we believe that can be achieved. In the first instance, we believe that the U.S. government should use effectively the international legal tools that exist today. When the French government confronted the horrendous attack on Charlie Hebdo, it routed a request through the U.S. government, and Microsoft provided the e-mail content within 45 minutes—legally.

There exists a good treaty between the U.S and Irish governments that could be used to access the e-mail that is located in Ireland and is the subject of this case. All of the testimony in the lawsuit in fact indicates that this provides an effective mechanism for law enforcement purposes.

But there are additional alternatives as well.

For example, if law enforcement needs more tools than Congress has provided, then we should all turn to Congress to change the law. That in fact is what Microsoft has done by advocating for the LEADS Act in Congress. This would give U.S. law enforcement the ability to obtain e-mail content located outside the United States unilaterally when the content belongs to a U.S. citizen or resident.

But it would require the U.S. government to go through international mechanisms when the e-mail belongs to a foreigner who is outside the United States. We think that's a sensible way to draw a line that will assist law enforcement and also respect international borders.

Finally, there's a clear need and opportunity to create new international legal rules and processes. We've been making concrete suggestions in this area, too. Ultimately there are clear areas for improvement, but they will come only if everyone focuses on advancing them. And that starts with winning our case and putting all of us on a path that will focus on the changes that are needed.

What if you lose the litigation? What are the technological and legal consequences for Microsoft and others?

As we've made clear since we filed this case, we'll certainly do our best to take it all the way to the Supreme Court if that's what is needed. The case raises important questions about the future of the Internet, privacy, respect for borders and public safety.

When we took on this case, we did so not only with an eye on our own needs but a much broader set of interests. That is reflected in what I think is an extraordinary set of amicus briefs filed in support of our position, coming from 28 technology and media companies, 23 trade associations and advocacy groups, 35 leading computer scientists and the government of Ireland itself. That captures a bit of what is at stake here.

When the laws governing access to electronic communications were passed in 1986, it was inconceivable that an individual might want to (or even have the capacity to) store large amounts of data on a remote server. Do you think Congress should modernize the law to avoid disputes such as these in the future?

In the first instance, we think Congress's intent was clear and this warrant was meant to be domestic like other warrants. There's simply no indication that Congress intended to give the Executive Branch the legal authority to reach unilaterally into other countries. This scenario wasn't even discussed.

But looking beyond that, you're absolutely right, there's no way Congress could have known about cloud computing in 1986. The LEADS Act is one example of legislation that would carry Congress's original intent into the Internet age by updating the law.

What about other governments? Are you seeing EU or other sovereign governments putting forward solutions that could resolve these types of conflicts between sovereign nations?

It's already public that the United States and EU are discussing these issues, and there's a foundation in place for the two to forge new trans-Atlantic legal rules that will better enable law enforcement, with appropriate safeguards, to obtain information needed for lawful investigations across borders. I also think there's work many governments can do to modernize Mutual Legal Assistance Treaties, or MLATs, including by standardizing the terms and moving to electronic systems to process them.

According to the U.S. government in its filings, Microsoft has not objected to handing over data stored on foreign servers to federal investigators serving warrants pursuant to the Stored Communications Act (SCA) and Electronic Communications Privacy Act (ECPA) in the past. What makes this case different?

What led to this case is a rise in the storage of content around the world. A few years ago, we started building data centers in many countries because keeping people's content close to them helps ensure they can access it quickly and smoothly. So it's fairly recent that the concept of a U.S. warrant for content in a datacenter abroad—like the one in this case—was even conceivable.

Looking beyond the technological change, we think it's important that we be transparent about government requests we receive and how we respond to them. We produce a global report here and, through a separate lawsuit we filed against the U.S. government, we're now able to report specifically on U.S. national security orders and publish those here.

Microsoft has argued that it cannot turn over user e-mails to the government because the user owns those e-mails. Yet a long series of court precedents going back more than 40 years say that even custodians of a third party's records—both physical and electronic—must hand those records over to federal investigators serving a valid warrant. Why isn't this true here?

This is a critical question and hits at the heart of the legal case. The warrant in our case isn't for business records such as a record of banking transactions, a hotel bill, or a list of phone numbers that were called. Rather it's for the content of personal communications, in this case e-mails. The courts have long recognized the distinction between business records and the content of personal communications. And not surprisingly, they have held that the contents of personal communications are entitled to a higher level of legal protection.

In our case the U.S. government is arguing that a customer's e-mail becomes a cloud operator's business records and hence the government can obtain it more easily. This is fundamentally at odds with traditional respect for privacy and limitations on government powers. For over two centuries the courts have held that the contents of a letter don't become a business record of the U.S. Postal Service when they're sent through the mail. They remain personal communications that are entitled to a higher level of legal protection. If our longstanding privacy rights are going to remain intact in the 21st century, we need this legal approach to make the transition effectively from traditional mail to modern e-mail.

According to the U.S. government's brief, Microsoft has not produced any evidence that Microsoft would violate Irish or EU law by complying with the U.S. warrant in this case. Further, the U.S. government argues that Irish law contains similar powers for the Irish government to compel the production of records located outside Ireland by a company subject to Irish jurisdiction. How does Microsoft answer these arguments?

In fact, multiple EU officials have raised the prospect that compliance with the warrant would violate EU law. They haven't yet announced a final position, and we think it's worth hearing them out. And it's also important to acknowledge the point made in a declaration from the former attorney general of Ireland who was involved in negotiating the MLAT with the United States. His declaration says this type of situation is exactly why they negotiated the MLAT.

Ultimately, however, the question here is not about Irish or European law but about U.S. law. This is a law enacted by Congress. There is no reason to believe that Congress intended it to apply outside the United States. If law enforcement wants authority to apply search warrants outside of our own borders, it should go to Congress to seek that approval.

We in fact have proposed to Congress what we believe would be a sensible approach that would give law enforcement this unilateral authority when e-mails belong to an American citizen or resident. But it would require the use and strengthening of international legal processes when e-mails belong to someone else. This is the type of approach that we believe American citizens could accept when the shoe is on the other foot, so to speak. It would strike the right balance between privacy and public safety.

No doubt there are opportunities to make improvements to the legislation that is being considered. But that will happen only if everyone starts to work on a legislative approach. And after almost two years of litigation, I think it's fair to say that everyone will come to the table only if we win this case.

Adam Segal is the Maurice R. Greenberg Senior Fellow for China Studies and Director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations.