Adjudicating jurisdiction in the digital age: United States v. Microsoft Corp
Share
On February 27, 2018, the Supreme Court heard oral arguments in the case United States v. Microsoft Corporation. The case deals with weighty issues such as sovereignty and extraterritoriality regarding electronic communications owned by American corporations and stored offshore, but now the U.S. government, one party in the case, is asking the Court to render the complicated case moot because of a new piece of legislation.
I. Background
At the center of this case is the Stored Communications Act (SCA), codified in Title 18 of the U.S. Code, § 2701 et seq., which established privacy protections for digital communications such as emails. Email was invented as a person-to-person communication format in 1971, and saw use throughout the 1970s on the Defense Department’s ARPANET. In the next decade, military officials, government workers, teachers and students constituted the majority of users of email.
Although the American public would not adopt email in any widespread fashion until Tim Berners-Lee invented the World Wide Web in 1991, Congress demonstrated forethought in its passage of the SCA in 1986. The SCA established a Fourth Amendment-style protection for email and other digital communications a decade before the term “email” even entered the public lexicon. These protections established a requirement for a search warrant and probable cause to seize electronic communications (rather than relying on the laxer third-party doctrine).
In the three decades since the statute entered into effect, the use of email has exploded exponentially. Lifewire estimatesthat, in 2017, there were approximately 3.7 billion email accounts in the world and an average of 269 billion emails sent per day. As a result, email service providers have had to build massive server farms to store all of this information. Because internet speeds are generally fast enough to recall any email from any server farm in the world nearly instantaneously, companies are incentivized to build and store communications in whichever country or locale happens to be financially advantageous for them.
Before the existence of massive offshore data centers, when all U.S. communications were stored in centers on U.S. territory, the SCA allowed law enforcement to seek a warrant and serve it to an email provider in order to obtain an email. The advent of such data centers now poses a challenge to American law enforcement officials attempting to use the SCA.
II. Controversy and Arguments
In 2013, the U.S. District Court for the Southern District of New York issued a warrant to Microsoft requesting the company turn over an email potentially incriminating a narcotics trafficker. Microsoft provided some non-content information stored on American soil, but refused to turn over the contents of the email, claiming that the SCA does not apply extraterritorially and thus does not apply to email communications stored in Dublin, Ireland — the physical location of the server possessing the email.
Up until Microsoft’s challenge of the SCA-based warrant, large technology companies have complied with U.S. law enforcement and handed over the emails when asked. After Microsoft challenged the warrant, both a magistrate judge and a district court judge ruled against Microsoft, but the U.S. Court of Appeals for the Second Circuit ruled in favor of Microsoft. Following precedent set in Morrison v. National Australia Bank (2010), the Second Circuit held that unless Congress explicitly expresses otherwise, domestic statutes are not assumed to apply extraterritorially. The Department of Justice appealed to the Supreme Court, where the case awaits its fate.
At the center of Microsoft’s argument in the case is the dilemma the corporation faces under a new European Union regulation. Beginning on May 18, 2018, a new EU rule known as the General Data Protection Regulation will come into effect. Article 48 of the GDPR stipulates that foreign court orders, such as that of U.S. federal courts, to remove personal data from the EU are only valid if the order comes through some international agreement, like a mutual legal assistance treaty (MLAT). The Stored Communications Act, from which the warrant in this case was based, is not an MLAT. As a corporation headquartered in America, Microsoft is subject to American law, but emails stored in Ireland are subject to EU law. In this case, to comply with Irish law is to violate American law, and vice versa.
To avoid prosecution in either country, Microsoft is asking the Court to find that the SCA does not apply extraterritorially, so that U.S. courts cannot issue future warrants for digital communications held abroad. Microsoft points out that emails must be stored for legal and compliance reasons, sometimes in other countries. Counsel for Microsoft have also painted hypotheticals to demonstrate the positive effect of requiring an MLAT process to retrieve emails on American soft power: if Microsoft stores emails of Chinese dissenters in the U.S., for instance, the U.S. could deny China the ability to persecute dissenters on the basis of those emails by tying the warrant up in legal tape. Most of the stored communications of large U.S. corporations are in fact stored domestically giving the U.S. an outsized role. On the other hand, if the Supreme Court rules the SCA does apply extraterritorially, legal scholars have predicted a sort of “arms race” of SCA-like legislation around the world, which would eliminate the role of the U.S. government as an arbiter of valid warrants and perhaps promote authoritarian crackdowns.
In opposition, the U.S. government has articulated the cumbersome nature of alternatives to the SCA. The U.S. government’s lawyers have also painted hypotheticals to demonstrate the circular nature of the MLAT process at times. For example, imagine if a Paris investigator goes to Washington, as per the long MLAT process, to issue a warrant to Microsoft to find out where the email is being stored, only to have to follow up with Irish authorities through another long MLAT process to retrieve the actual email.
The U.S. government has also emphasized the positive effects of continuity with the current system. As the SCA stands, e-businesses with jurisdictional bounds in the U.S. have to retrieve records stored abroad, a legal standard that is consistent with rules for physical businesses. Before Microsoft brought the suit, the government points out, providers complied with the SCA and there was no proliferation worldwide of SCA-like legislation. Lawyers for the U.S. argue that because disclosure of the emails occurs in the U.S., the emails don’t retain the right to privacy of their physical environment.
III. Oral Argument
If the oral argument is any indication as to how the Court will decide, Microsoft should be worried. In general, Microsoft’s attorneys received the hardest questions about hypotheticals, particularly from Chief Justice Roberts and Justice Alito. Justice Sotomayor was toughest on the government, but the rest of the justices quizzed both sides with hypotheticals, except Justice Thomas, who demonstrated his characteristic silence. The highly technical nature of the case may sway the justices’ decision-making — Justices Roberts and Kennedy both remarked about how easily Microsoft executives could comply with SCA warrants and retrieve files stored abroad, regardless of legal principle or jurisdiction.
However, as Justice Kennedy expressed during the argument, an outright victory for either side could be devastating for the legal system. If Microsoft wins, the U.S. government will need to seek a warrant to find out which jurisdiction the email is in — and with which jurisdiction it must begin the MLAT process. If the U.S. wins outright, other countries may pass protections to render the SCA invalid, like the EU’s GDPR, or laws like the SCA. In addition, corporations will still be caught between complying with multiple jurisdictions offering mutually incompatible standards. The Court will probably seek a narrow ruling or some compromise, and give Congress leeway to act.
IV. A Legislative Solution?
On March 23, 2018, President Trump signed an appropriations bill including a piece of legislation known as the “Clarifying Lawful Overseas Use of Data” Act, or CLOUD Act. The bill, introduced by Senator Orrin Hatch (R-Ut.), alongside Senators Christopher Coons (D-Del.), Lindsey Graham (R-S.C.), and Sheldon Whitehouse (D-R.I.) to the Senate Judiciary Committee, would adopt into law the U.S. government’s position in the U.S. v. Microsoft Corp. by forcing companies to turn over to U.S. authorities records of which they have “possession, custody, or control.”
The CLOUD Act also contains safeguards: the act provides for a legal process by which email providers could appeal a warrant if they believe the subscriber of the email account in question is not a U.S. citizen or if disclosure of the email would violate a foreign statute. The bill also allows email providers to disclose data to foreign countries, but only if the U.S. has signed an executive agreement with the country in question. rendering this case moot. Although some activists worryabout the implications for the CLOUD Act on domestic privacy rights, the Justice Department is now filing for a dismissal of the case — an enticing offer for the Supreme Court, which then avoids a complex, detail-oriented decision-making process.
As Andrew Keane Woods writes in SCOTUSBlog, whatever the outcome of the case, certain themes will persist in future litigation: the value of court-made internet policy, the existence and legality of privacy on the Internet, and the extent of state sovereignty when constructing and enforcing internet policy.