Research Duquesne Advisory delivers in-depth analyses of Information and Communications Technologies, their implementations and their markets. Research is based on critical observation of the market by the analysts and their on-going contacts with the vendor community, together with hands-on, practical experience in consulting engagements.

US law in European datacenters: Microsoft in federal court



The media firestorm of the Snowden revelations has reignited a long smoldering controversy about the legal authority claimed by the United States over information stored in datacenters in Europe.

The US Patriot Act was at the origin of this often confusing controversy: a hastily conceived law, adopted in the post-September 11 panic, which brought an unprecedented expansion of the surveillance powers of the federal government in matters of national security, cloaked in nearly total secrecy.

That law, however, is only one part of the potentially extraterritorial legislative arsenal now available to US prosecutors and judges. The American Stored Communications Act (SCA), which sets out the rights and obligations of Internet Service Providers (ISPs) and their customers, is also a powerful weapon, as illustrated by a recent decision against Microsoft in a New York federal court.

In December 2013, US Magistrate Judge James Francis issued a search warrant requested by federal prosecutors under section 2703(a) of the SCA, ordering Microsoft to give the Court access to the contents of a customer’s email account stored in a server located in Dublin.

Microsoft challenged the decision because, according to the company, “the US government doesn’t have the power to search a home in another country, nor should it have the power to search the content of email stored overseas.”

On April 25, 2014, Judge Francis rejected the company’s challenge and ordered Microsoft to comply with the warrant, in a groundbreaking ruling that dramatically expanded the reach of US law into the datacenters of American Service Providers wherever located. Microsoft immediately announced plans to appeal the decision.

The stakes are very high because, if the ruling stands, it could potentially impact not only ISP email services but also services like Office 365 and Google Apps, and even the B2B cloud services provided by AWS, IBM, Verizon and of course Microsoft itself.

Data location doesn’t matter: the legal reasoning for US authority

Whatever one may think of this outcome, the 27-page, tightly reasoned ruling has the merit of making public the legal reasoning deployed by the government to justify US access to data stored in the European facilities of American Internet and cloud providers.

A careful reading yields invaluable insight into both the underlying judicial philosophy and the key conclusions of the judge’s broad interpretation of the SCA and federal government authority.

The Internet disregards geographical boundaries and throws the law into disarray

The rise of the Internet is central to the nascent judicial philosophy that underlies the Court’s decision.

Starting from the premise that a clear distinction must be made between physical property and “electronic property”, various legal scholars are cited to support the need for a new approach in matters of search and seizure in the digital world. In the philosophy of the ruling, this new kind of property is in reality “just a block of ones and zeroes stored somewhere on somebody else’s computer” that is accessible over “an electronic medium that disregards geographical boundaries and throws the law into disarray”.

In particular, Judge Francis quotes George Washington University Law professor Orin Kerr who writes, in “A User's Guide to the Stored Communications Act”, that “protections that apply in the physical world, and especially to one's home, might not apply to information communicated through the Internet.”

In fact, Kerr goes even further in his 2004 treatise, stating that an Internet user "does not have … any private space at all." The Court may or may not agree with this sweeping affirmation, but it is certainly indicative of a growing acceptance in American legal thinking of wide-ranging government surveillance, as the Snowden revelations made entirely clear.

With this overall judicial philosophy as background, Judge Francis examined Microsoft’s challenge to his search warrant for emails stored in the company’s Dublin datacenter.

Microsoft’s “deceptively simple” argument

According to the Judge, “Microsoft’s argument is simple, perhaps deceptively so… the Government sought information here by means of a warrant. Federal courts are without authority to issue warrants for the search and seizure of property outside the territorial limits of the United States. Therefore, Microsoft concludes, to the extent that the warrant here requires acquisition of information from Dublin, it is unauthorized and must be quashed.”

Judge Francis concedes that Microsoft’s analysis is “not inconsistent with the statutory language” of the SCA, but he opts for a less traditional interpretation, more in line with the realities of the digital world, at least in the opinion of the Court.

While the ruling is very detailed, the Judge comes to clear conclusions on three major legal issues as the basis for his decision: the nature of an SCA warrant, the moment when a search of electronic property is considered to be a search and the fundamental question of extraterritoriality.

An SCA warrant is more than a search warrant

Under the SCA, the US government may seek customer information from a Service Provider by way of subpoena, court order, or search warrant. With the latter option, the customer is kept in the dark (as in the Patriot Act). In the current case, Judge Francis issued a search warrant under section 2703(a) of the SCA for the contents of the email account in Dublin.

As Microsoft correctly points out, it is well established law that federal courts do not have authority to issue warrants for the search and seizure of property outside the territorial limits of the United States.

According to the ruling, however, a warrant under SCA section 2703(a) “is not a conventional warrant; rather, the order is a hybrid: part search warrant and part subpoena… executed like a subpoena in that it is served on the ISP in possession of the information.” Judge Francis derives this distinction not from the statutory language (which he considers ambiguous) but rather from a detailed examination of its legislative history, internal logic and surmised congressional intent.

In any case, this is a very convenient distinction for the government because, as the ruling continues, “a subpoena requires the recipient to produce information in its possession, custody, or control regardless of the location of that information.”

When and where a search becomes a search

Despite this first conclusion that Microsoft must indeed produce the emails, the problem remains that there is no federal authority to search property overseas. Here too Judge Francis finds an ingenious answer: the actual search will only take place in US territory.

On this point, the ruling once again cites Professor Kerr who maintains that, in the context of digital information, “a search occurs when information from or about the data is exposed to possible human observation, such as when it appears on a screen, rather than when it is copied by the hard drive or processed by the computer.”

In other words, a digital search is not a search until the information is exposed to human observation. The government only needs to ensure that this takes place in the United States.

This second conclusion is, to say the least, an extraordinary innovation in American legal doctrine of search and seizure.

No need for extraterritoriality

Building on the previous reasoning, Judge Francis arrives at his key conclusion: “Even when applied to information that is stored in servers abroad, an SCA Warrant does not violate the presumption against extraterritorial application of American law.”

Judge Francis also draws support for his reasoning from the legislative history of Section 108 of the Patriot Act, which concerns the service of search warrants for electronic evidence. According to the ruling, the report of the House Committee examining the Patriot Act explicitly equates the notion of “where the property is located” with the location of the ISP.

It is important to note that, in this case, both the government and the Court took great care not to claim extraterritorial authority, taking the position that such authority is not needed under the SCA to oblige an American Service Provider to turn over emails stored in Europe for a lawful search in the United States.

Overall, the ruling of the Court represents not just a specific decision in a specific case under the SCA, but also a new and extremely important judicial doctrine: data location doesn’t matter.

Open questions

The most important question, of course, is whether this extraordinary ruling will stand or be overturned on appeal. Microsoft is clearly girding up for a long and expensive judicial battle.

Assuming that the ruling survives the appeals process, there are several important open questions as to the scope of its possible impact.

Will the ruling apply to all electronic information and not just email?

This is a very important question because US prosecutors generally take a very expansive approach in claiming federal authority.

If the idea that “data location doesn’t matter” becomes established US judicial doctrine, they will almost certainly try to apply it to all sorts of electronic information managed by US Service Providers, with at least a reasonable chance of success.

At the present time, therefore, it is not yet clear whether the impact of the ruling will remain limited to email or evolve to include any and all sorts of electronic information. One thing, however, is entirely clear: in the privacy-sensitive European market, the stakes are indeed very high for American Internet and Cloud Providers.

Could the ruling apply to non US Service Providers?

As noted earlier, both the government and the Court took great care in this case not to claim extraterritorial authority, and for the very good reason that they had no such authority.

According to the US Supreme Court, in Morrison v. National Australia Bank Ltd., 561 U.S. 247 (2010), there is a presumption against the extraterritorial application of U.S. laws that can only be overcome by a clear statement by Congress to the contrary. Neither the SCA nor, for that matter, the Patriot Act makes any such statement.

In the innovative legal reasoning of the ruling by Judge Francis, however, a US Provider can indeed be obliged to turn over electronic information stored overseas, because the data is considered to be located at the company’s headquarters in the United States. This logic clearly does not apply to non US Providers.

It is certainly possible that a federal judge might issue a warrant for data managed in Europe by a European Provider, perhaps on the basis that the Provider has significant business presence in the US and invoking the legal doctrine of “minimum contact”. This doctrine, however, is applied only in civil cases that explicitly concern assets or business done in the United States. Even if a claim of jurisdiction were made by a US court, a warrant could only be executed abroad pursuant to a Mutual Legal Assistance Treaty with the cooperation of national judicial authorities.

As things stand, the answer to this second question is relatively clear: the ruling does not apply to European Providers and their facilities outside of the United States.

Conclusion

The stakes are indeed very high for American Service Providers in this case, but the federal court’s ruling in New York is only the first step in what is likely to be a long and expensive judicial battle.

It is not without irony that Microsoft, a company often treated with condescension by today’s “tech intelligentsia”, now finds itself in the position of a principled industry leader, defending not only the interests of all US Internet and Cloud Providers but also the rights of users to privacy in the digital world.

Tuesday, May 13th 2014
Duquesne Advisory

Duquesne Advisory

Duquesne Advisory Ltd is a European firm, headquartered in the UK, dedicated to researching, understanding and advising clients worldwide on opportunities and trends in Information and Communications technology.

Consulting

The analysts of Duquesne Advisory leverage the Firm’s ongoing market and technology research to undertake high added value consulting engagements for both ICT users and ICT providers. Focused on client service, their approach is rigorous and methodical, and at the same time pragmatic and operational.