Say you sign up for a free email account. You live in country A, the tech company providing the email service is headquartered in country B, and the data center where the emails are stored is in country C. If the police in one country want your emails, where do they have to go, and whom do they have to ask?
That’s the logistical nightmare lurking in the background of US v. Microsoft, a case that will be heard before the Supreme Court on February 28th. In US v. Microsoft, law enforcement served a specific kind of warrant — called a Section 2703 warrant — under the Stored Communications Act (SCA), seeking the emails of someone who had signed up for an email account with Microsoft. (This person may or may not be a foreign national; it’s not even clear where this person lives.)
In response, Microsoft surrendered metadata (like the subject’s address book) that was hosted on American servers, but the contents of the emails themselves were stored in a data center in Dublin, Ireland. So Microsoft took the position that law enforcement would have to go to the Irish authorities to get the emails. (It should be noted that the United States has mutual legal assistance treaties (MLATs) with about half the countries in the world, including Ireland.) If the US wanted Irish assistance with something on Irish soil, there’s a process in place.
But to the Department of Justice, this whole rigamarole is simply absurd. If the DOJ could get the US-hosted metadata, why couldn’t it get the Ireland-hosted contents? The emails were just a few keystrokes away for Microsoft, and Microsoft is an American company, isn’t it? If the Stored Communications Act is for domestic data, and Microsoft is a domestic company, then in the DOJ’s view, the SCA warrant was perfectly proper.
Like many cases involving warrants and subpoenas that make their way to the Supreme Court, the actual criminal case recedes into the background as something of secondary or even tertiary importance. Microsoft and the United States are going head-to-head over the principle of the thing, and the principle of the thing has nothing to do with an inviolable right to privacy.
For Microsoft, it has more to do with international relations and corporate reputation. Microsoft fears that if the US government gets its way, the company will lose a competitive edge with foreign customers. There’s a concern that this will set a bad example for other countries — a fear best encapsulated by a recent article on the case framed under the somewhat hyperbolic question, “Why is the U.S. government trying to help Vladimir Putin access information stored in the United States?” If the US gets to directly access a foreign national’s data in a foreign center, then why can’t Russia do the same?
All of this could cause a balkanization of the internet. Instead of hosting data with a tech company like Microsoft, foreign customers might prefer to host data locally rather than be subject to the whims of law enforcement in the US — or other countries that assert the same kind of rights as the US.
For the United States, it’s all about logistics. The United States Department of Justice doesn’t want to deal with foreign countries that it may or may not have an MLAT with. Rather, the government would prefer to just go directly to the American companies that dominate the internet, many of which are based Stateside. The emails at the core of this case are probably small beans compared to the principle at stake. That’s probably why the US has been litigating this case for five years and hasn’t yet sought Ireland’s help to get access to the emails through their MLAT — something that Ireland has politely reiterated in its own amicus to the Supreme Court. Not every criminal case has to be blown up into a formal international procedure, but that’s what the dispersal of data across the cloud is going to do.
How much — and under what conditions — the government should have access to our data is a difficult question that has only grown thornier as technology has advanced over the years. The Stored Communications Act, which was passed as part of the Electronic Communications Privacy Act (ECPA) in 1986, never anticipated the rise of the cloud. Users live in one place, the companies “live” in another place, and the data can live practically anywhere. While the emails in question in US v. Microsoft are stored in Dublin, information in the cloud is often “sharded” — meaning it is distributed across data centers. If you think the facts in US v. Microsoft are headache-inducing, imagine if the emails had been broken up between data centers in several different countries.
Many of the legal nuances being presented before the Supreme Court are subtle works of lawyerly quibbling. Is a section 2703 warrant under the Stored Communications Act an actual warrant or is it a combination warrant-subpoena? Does section 2703 actually focus on privacy? If so, is the violation of privacy “occurring” in Redmond, Washington, or in Dublin, Ireland?
While all of that will be great for the legal scholars to chew over, there are some fairly obvious questions for everyone else watching on the sidelines: who is this person whose emails they’re fighting over? Where do they live? And where did they supposedly commit a crime, if any?
If Microsoft is refusing to honor an American warrant for the emails of an American living in Oregon, just because he put in a fake city of residence while signing up for an email account, the whole case begins to feel very different from a case where the United States is trying to get the emails of a foreign national residing in a foreign country. This seems like it would be an obvious deciding factor.
But, legally speaking, it’s not. The Stored Communications Act doesn’t care about those details because the Stored Communications Act isn’t written for the age of cloud servers. It’s why the best outcome in US v. Microsoft for everyone involved isn’t one that comes out of the Supreme Court; it’s one that comes out of Congress: an amendment to the SCA that creates additional procedures for dealing with foreign data centers (like, say, procedures that bypass MLATs if the government can show that the person being targeted by the warrant is an American).
Microsoft’s hard line in US v. Microsoft can only be understood in the context of Microsoft’s public support for exactly that kind of legislative reform, like the International Communications Privacy Act in the past, and more recently, the CLOUD Act. Updating the SCA helps to streamline a day-to-day grind of processing warrants and other government requests for information.
A Supreme Court ruling, if not carefully crafted, can run the risk of engendering suspicion abroad in the American tech industry, balkanizing the internet, or making it comically onerous for law enforcement to get their hands on cloud-stored emails. New legislation can counteract that risk.
But, notably, it only does so in the United States. A reformed SCA can’t answer the question of what procedures other countries must follow to wrest information from data centers abroad. The answer to that is still being hammered out through an ever-growing thicket of crisscrossing treaties, national court rulings, and shifting tech company policies. US v. Microsoft will be but one landmark in the shifting landscape of how the law — both at home and abroad — will treat your data in the future. And as that data gets sharded across the globe, the playbook is going to have to be rewritten on multiple levels.