Court Seems Unconvinced Of Microsoft's Argument To Shield Email Data Stored Overseas
Updated at 5:11 p.m. ET
The Supreme Court heard arguments Tuesday about whether emails stored overseas are subject to a U.S. warrant. It all revolved around a 1986 law, passed five years before the "World Wide Web" even existed.
It was the cloud and robots meet Marty McFly.
And the justices didn't seem to be buying arguments from Microsoft, an American tech company headquartered in Redmond, Wash., which is trying to protect the data.
The question facing the justices didn't exist a few decades ago — does an email provider, faced with a search warrant issued in the United States, have to turn over a customer's email content when those data are stored outside the country?
The case, United States v. Microsoft, involves a federal drug-trafficking investigation in which law enforcement obtained a warrant for all the data associated with a suspect's Microsoft account. In response, Microsoft turned over the user's account identification information that is stored in Redmond, but refused to disclose the content of the emails, which were stored in a data center in Ireland.
Microsoft argues that an international treaty between the United States and Ireland should prevail and is the only correct way to obtain the emails. Ireland agrees. The treaty is known as the Mutual Legal Assistance Treaty.
But the U.S. government argues that process is too slow and cumbersome. Furthermore, it would prove highly problematic with providers such as Google, for example, which breaks up data and moves the information around the world constantly.
The warrant in question was issued under the Stored Communications Act. Congress enacted the law in 1986 when email and the Internet were in their nascent stages, and the idea of data floating around the world was inconceivable.
Although the act was designed to address electronic communications, Congress did not predict the technological revolution, which has since poked major holes in the legislation.
Siding with Microsoft in this case are a raft of major tech companies, including Amazon, Apple, Facebook and Google. They point out that the public did not even have access to the Internet until 1989 and the "World Wide Web" didn't exist until 1991. Nor were emails stored after they were received. So Congress could not have intended to cover data stored forever in a cloud.
Where does the search occur?
The Supreme Court has established a strong presumption against the extraterritorial application of a statute unless Congress expresses a clear intent to reach outside the U.S.
In this case, the government concedes that the Stored Communications Act does not express such an intention but instead argues that because Microsoft would disclose the emails to law enforcement in the United States, the application of the act would be domestic. Deputy Solicitor General Michael Dreeben argued that the idea of an international problem is merely a "mirage that Microsoft is seeking to create."
The idea is that since Microsoft already has custody and control of the data and is legally able to move the content back to the U.S., honoring a warrant would present no "meaningful interference" with the user's property interests.
Microsoft disagrees, contending that the whole purpose of the Stored Communications Act was to protect "communications in electronic storage" from government intrusion.
Joshua Rosenkranz, attorney for Microsoft, emphasized the intrusion on Ireland's sovereignty. The government wants to "reach into a foreign land to search for, copy, and import private customer correspondence physically stored in a digital lockbox, on a foreign computer where it's protected by foreign law."
Justices Anthony Kennedy and Sonia Sotomayor pushed Rosenkranz to explain what, if any, physical activity occurs in Ireland. Justice Kennedy asked, "Does some person have to be there?"
Rosenkranz conceded that a human being does not have to be in Ireland, but rather someone in Redmond would command a "robot" to do the job. He went on to hypothesize, "If you sent a robot into a foreign land to seize evidence, it would certainly implicate foreign interests."
The justices all but gawked at the idea of constitutional claims and robots. Justice Sotomayor responded, "My imagination is running wild."
Privacy on the world stage
This is not the first time the Supreme Court has faced the question of privacy and technology this term. In November, the court heard oral arguments in a case testing whether the government may, without a warrant, search cellphone location data to track a suspect's movements.
That case, Carpenter v. United States, also concerned the Stored Communications Act, but the major question was whether a warrant was needed to get this sort of tracking information.
Microsoft extends the question of privacy into the international arena.
The company argues that allowing the U.S. to reach into foreign territory to retrieve a user's private emails, even with a warrant, would set a dangerous precedent for other countries to reciprocate. Disregard for another country's sovereignty could be seen as an open invitation to the rest of the world to look into American citizens' private emails, commencing a "global free-for-all."
The U.S. and European Union demonstrate different priorities when it comes to data protection. Privacy is enshrined as a fundamental right in Europe. Both the Charter of Fundamental Rights of the European Union and the Treaty on the Functioning of the European Union recognize a "right to the protection of personal data."
The U.S. Constitution contains no such corresponding right. The concept of privacy lies solely in the Fourth Amendment ban on unreasonable search and seizure. In contrast to the Fourth Amendment, which was adopted more than 200 years ago, the EU treaties had the advantage of being drafted in the 21st century. Thus not only did the EU framers have the telephone, electricity and automobiles in mind, but the Internet was alive and well.
In May, the EU's General Data Protection Regulation goes into effect. It has few fans among major international companies. Fortune's Global 500 will spend an estimated $7.8 billion to meet the EU's strict privacy standards. Any company that processes the personal data of an EU resident is subject to the law.
The provisions include swift notification to users of data breaches, data minimization (i.e., processing only absolutely necessary data) and the controversial "right to be forgotten," which confers a right to permanent deletion upon request. If a company is found in violation of the regulation, it could be subject to a fine of 4 percent of annual global revenue or 20 million euros (about $24.7 million), whichever is greater.
Article 48 of the regulation states that "any judgment of a court requiring a [provider] to transfer or disclose personal data may only be recognized or enforceable ... if based on an international agreement."
So Microsoft is in something of a bind. If the EU considered Microsoft's disclosure of a resident's emails a significant breach of the regulation, Microsoft would be fined $3.6 billion for this breach alone.
According to Jan Philipp Albrecht, the rapporteur of the General Data Protection Regulation, "It is almost certain" that the fine would be imposed.
Bipartisan support for privacy
In a rare convergence of opposing ideologies and bitter competitors, Fox News, CNN, the ACLU, Republican and Democratic senators and representatives, Apple and Microsoft agree: The U.S. government should not unilaterally seize data stored in a foreign country. Doing so, many say, would mark a disregard for the sovereignty of other nations and infringe on privacy laws that explicitly forbid such action.
Microsoft expresses a concern that such a unilateral intrusion on foreign soil could lead other countries to reciprocate. Microsoft's President and Chief Legal Officer Brad Smith said, "It's just a matter of time before other governments seek to reach into the data centers in the United States to get the emails and other documents of American citizens."
The U.S. government, on the other hand, dismisses these concerns, noting that when served with a warrant, Microsoft could, by tapping a few keys, transfer the information back to the U.S. from the data center in Ireland where it is stored, thus avoiding international complications.
To rule otherwise, the government suggests, would require a lengthy process that would involve the State Department seeking the information via international cooperation. And that, say the Trump administration and, previously, the Obama administration, would provide a road map for criminals and terrorists to shield email communications from law enforcement authorities in this country.
A CLOUD fix?
Congress may solve this problem before the court even has a chance. On Feb. 6, a bipartisan group of senators proposed the CLOUD Act, which has the support of both the government and Microsoft. The justices seemed hesitant to intervene in the face of pending legislation.
"If Congress wants to regulate in this brave new world" shouldn't it do it? Justice Ruth Bader Ginsburg asked.
Justice Sotomayor also seemed wary.
"Things have changed," she told the government's advocate, Dreeben, on Tuesday. "But what you're asking us to do is to imagine what Congress would have done or intended in a totally different situation today."
She worried about the potential for international friction, saying, "What our jurisprudence doesn't want to do ... is to create international problems." She pointed to the CLOUD Act, asking, "Why shouldn't we leave the status quo as it is and let Congress pass a bill in this new age?"
Microsoft's lawyer, Rosenkranz, urged the justices to do just that.
He warned the court, if you "try to tinker with this, without the tools that only Congress has, you are as likely to break the cloud as you are to fix it."