CloudECPAInternet GovernanceNational Security

Microsoft and the Law of the Cloud

Microsoft is waging a multi-front legal war over control of the “cloud.”  The Second Circuit recently handed Microsoft a battlefield victory in a case captioned In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, — F.3d —, 2016 WL 3770056 (2nd Cir. 2016).

The case concerns the Stored Communications Act (SCA), which is part of the Electronic Communications Privacy Act (ECPA), 18 U.S.C. §§ 2510 et seq., 18 U.S.C. §§ 2701 et seq., and 18 U.S.C. §§ 3121 et seq.  The SCA was enacted in 1986.  Microsoft Corp., 2016 WL 3770056 at *6.  The SCA limits the circumstances under which a service provider can disclose to third parties, including the government, information about an electronic communication or the contents of an electronic communication.  See id. at 7.  The government can obtain non-content information about a communication, such as subscriber and transactional information, through an administrative subpoena or court order on a showing lower than probable cause.  See id. at *7 (citing 18 U.S.C. §§ 2703(c)(2), (d)).  For content information, the government must obtain a warrant on probable cause or, under some circumstances, under a court order with notice to the subscriber.  See id. (citing 18 U.S.C. §§ 2703(a), (b)(1)(A)).  When a warrant is required, the SCA states that the warrant must be issued “using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction.”  See id. (citing 18 U.S.C. §2703(a)).

The dispute in this case arose when Microsoft moved to quash an SCA warrant served on Microsoft in Washington for the contents of customer emails stored on a Microsoft Outlook server located in Ireland.  Outlook is part of Microsoft’s “’enterprise cloud service offerings.’”  See id. at *2.  Emails sent and received through Outlook are stored on servers located in one or more of over 100 data centers owned or leased by Microsoft in over 40 countries.  See id.  The “cloud” is simply a network of dispersed data centers such as Microsoft’s Outlook server network.  Microsoft explained to the court that a customer’s emails usually are stored in a data center located in the country of residence given by the customer.  Id. 

In its motion to quash, Microsoft argued that a search warrant cannot have extraterritorial effect.  Microsoft admitted, however, that it can access and collect email content from any of its data centers using a database management program in the U.S.  See id. at *3.  The Magistrate denied the motion to quash, and the District Court affirmed.  Id. at 4.  The Second Circuit reversed.

As the Second Circuit noted, the “Internet” barely existed in 1986, and the World Wide Web was not created until 1990.  Id.  The SCA therefore was adopted in a very different technological context than today’s networked world.  In particular, there was no universally accessible email, and what we today call the “cloud” was only a gleam in the eyes of some science fiction writers thirty years ago.  The court noted that there is a presumption against extraterritorial application of statutes.  Id. at *9.  Since the SCA specifically referred to search warrants under the Federal Rules of Criminal Procedure, the court held, the territorial limits on such search warrants should apply to warrants under the SCA.  Id. at *11-12.  Although a “subpoena” can have greater extraterritorial reach than a “warrant,” the Second Circuit rejected the government’s argument that a “warrant” under the SCA is more like an administrative subpoena than a search warrant.  Id. at *12-14.

Judge Gerard Lynch wrote a separate opinion concurring in the judgment.  Judge Lynch believed “the government’s arguments are stronger than the Court’s opinion acknowledges” and further wished “to emphasize the need for congressional action to revise a badly outdated statute.”  Id. at *19.  Judge Lynch noted that there was no dispute about the government’s showing of probable cause or about Microsoft’s ability to access the records in the U.S.  Id. at *20.  He also was concerned that the choice of data center location was based on the customer’s self-reported location, which could be inaccurate or even intentionally misleading to evade law enforcement.  Id.  Contrary to some of Microsoft’s arguments, Judge Lynch did not believe the case presented any substantive privacy issue because the “’records’ are electronic zeros and ones that can be moved around the world in seconds, and will be so moved whenever it suits the convenience or commercial purposes of the company.”  Id. at 21.  Nevertheless, Judge Lynch felt bound to agree with that court’s statutory interpretation in light of the presumption against extraterritoriality.  Id.  He concluded by suggesting that Congress can and should amend the SCA to extend the reach of SCA warrants to data accessible to U.S. companies in the U.S. even if stored in cloud servers located outside the U.S.  Id. at 26.

Microsoft is presently litigating a separate case in the District of Washington, joined by the American Civil Liberties Union, challenging the constitutionality of parts of the SCA that allow the government to obtain subscriber and content information from Microsoft without notice to Microsoft’s customer.  See Microsoft v. U.S. Dep’t of Justice, No. 2:16-cv-00538-JLR (D. Wash.), filed April 14, 2016.  In its Complaint in that case, Microsoft states that “Cloud computing has spurred [a] profound change in the storage of private information” and that the government, using the SCA, “has exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations.”  Id., Complaint for Declaratory Judgment, ¶ ¶  2-3.  For Microsoft, and some other Silicon Valley companies, the cloud should become a domain in which service providers have a kind of jurisdiction to safeguard consumer privacy against governments.  But governments, including the U.S., argue that individuals who store their data with commercial cloud providers have already given up their privacy and that a handful of large information service providers cannot dictate national policy about criminal investigations and terrorism prevention.  This dispute will undoubtedly continue to work its way through the courts and Congress in coming years.


Leave a Reply

Your email address will not be published. Required fields are marked *