Supreme Court case centers on law enforcement access to data held overseas

The Supreme Court is set to hear on Tuesday a case that could have far-reaching implications for law enforcement access to digital data and for U.S. companies that store customer emails in servers overseas.

What began as a challenge by tech giant Microsoft to a routine search warrant for a suspected drug dealer’s emails has become a marquee case over data access in the Internet age.

At issue is whether a U.S. company must comply with a court order to turn over emails, even if they are held abroad — in this case in a Dublin server. The litigation turns on a 1986 law, the Stored Communications Act, passed long before email became a ubiquitous way to communicate and before American firms began storing massive amounts of data outside U.S. borders.

The arguments are abstract — “metaphysical,” one analyst quipped — but each side says the stakes are significant.

The government fears investigators will lose the ability to obtain email evidence in what it says are “hundreds, if not thousands” of criminal cases — from terrorism to child pornography to fraud. And, some analysts say, a Microsoft win could encourage more countries to require that providers keep data on local servers to ensure access to the information.

Microsoft frames the case as one of digital privacy, warning that an adverse ruling would leave the government “no basis to object” when other countries demand Americans’ emails stored inside the United States, that it would “trammel” other nations’ sovereignty and erode trust in a way that poses “an existential threat” to the $250 billion cloud-computing industry.

The arguments will take place against the backdrop of pending legislation that would moot the case. The Cloud Act represents a compromise between the Trump administration and tech firms. It has support from and is being pushed by the White House, the British government and major tech firms, including Microsoft, Facebook and Google.

The law would clarify that a warrant issued under the Stored Communications Act applies to data stored overseas and would allow companies to honor data requests from approved foreign governments with sufficient laws to protect privacy and civil liberties.

For those who support it, the Cloud Act would allow law enforcement agencies in the United States and partner countries access to data in a way that avoids international legal conflicts and safeguards privacy. But the legislation is opposed by civil liberties advocates and lawmakers who feel its privacy protections are not strong enough.

With congressional action unclear, the stakes are high for U.S. v. Microsoft, such that more than 30 friend-of-the-court briefs have been filed by the European Union, members of Congress, the U.S. Chamber of Commerce, tech firms, privacy advocates, and former law enforcement and national security officials, among others.

The case began in 2013 when federal agents conducting a drug investigation obtained a warrant from a magistrate judge in the Southern District of New York for a suspect’s emails. Microsoft challenged the order, saying the emails were stored in Ireland and the warrant could not reach beyond U.S. borders. The emails, Microsoft said, were housed at a facility in Dublin, one of approximately 100 centers the firm runs in 40 countries. The company says it stores emails close to their owner so retrieval is faster. “The Government has never suggested that the account holder is a U.S. citizen or resides here,” Microsoft has argued.

A U.S. District Court judge upheld the warrant, but a panel of the U.S. Court of Appeals for the 2nd Circuit reversed the decision. The government appealed to the Supreme Court. Although there was no split on the issue in the appellate courts, the high court agreed to hear the case — a sign of its significance.

The case centers on the Stored Communications Act’s territorial reach, not the Fourth Amendment, which protects against unreasonable search and seizure. In this case, the government obtained a probable-cause warrant in its drug investigation, the acknowledged legal standard for privacy protections.

The government argues that the SCA focuses on the emails’ “disclosure” and that Microsoft employees could retrieve them “without leaving their desks in the United States.” Thus, applying the law to require disclosure of data stored abroad does not violate the “presumption against” extraterritorial warrants, Solicitor General Noel J. Francisco contends in a court filing.

Microsoft argues that the law’s focus is protecting emails in “storage” and that a “remote seizure’’ occurs “where the seized object is located, not where the operator happens to sit.”

The government, said Orin Kerr, a former federal prosecutor who teaches law at the University of Southern California, is merely asking an American company to “press a button in the United States to disclose an email in the United States.” Said Kerr: “In a way, it’s metaphysics they’re arguing instead of statutory interpretation.”

If Microsoft prevails, the government says, a company could shift all its U.S. customer data beyond the reach of U.S. law enforcement simply by building its servers outside the United States. It also notes that other companies, such as Google, sometimes hold portions of single email accounts in multiple countries. Microsoft’s argument in short “would erect an insurmountable barrier” to U.S. law enforcement’s ability to secure evidence.

Microsoft’s president and chief legal officer, Brad Smith, has acknowledged that law enforcement needs access to data stored overseas, “but it can’t be pursuant to unilateral search warrants under a 1986 statute that never contemplated it.”

E. Joshua Rosenkranz, who will argue Microsoft’s case, called the government’s position “a recipe for global chaos.” He added: “If ever there were a step that is sure to stoke international tension, it is sidestepping the treaties that were negotiated by countries precisely to protect their sovereignty, and instead unilaterally obtaining reams of personal letters. . . . If another country did this to us, we would be outraged at the most basic level.”

Marc Rotenberg, executive director of the Electronic Privacy Information Center, an independent advocacy group, said the United States should follow the established Mutual Legal Assistance Treaty process with Ireland for data transfers in criminal cases. “We’re not saying that the data should be beyond the reach of governments,” he said. “We’re simply saying that the MLAT should be the process followed.”

Jennifer Daskal, a former Justice Department national security official who now teaches law at American University, said the case is “a huge deal for the future of the Internet, security and privacy.” She argued that the key “sovereign interests” are tied to factors such as the location and nationality of the user, not the location of the data.

A central principle underlying the case is that of “comity,” or the respect for each other’s laws that countries accord one another. Even if the court holds for the government, it should conduct a “comity analysis” that balances U.S. and Irish interests, said the Electronic Discovery Institute, a group of lawyers, academics and technologists, in a friend-of-the-court brief.

Even if emails stored overseas are accessible in the United States, requiring a company to produce them raises “sovereignty concerns” and could “conflict” with foreign law, the group wrote.

“This issue is not going away,” the group said. “The Court’s approach here will reverberate beyond the specifics of this case.”

Robert Barnes contributed to this report.

Go to Source