Microsoft and the Law of the Cloud

Microsoft is waging a multi-front legal war over control of the “cloud.”  The Second Circuit recently handed Microsoft a battlefield victory in a case captioned In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, — F.3d —, 2016 WL 3770056 (2nd Cir. 2016).

The case concerns the Stored Communications Act (SCA), which is part of the Electronic Communications Privacy Act (ECPA), 18 U.S.C. §§ 2510 et seq., 18 U.S.C. §§ 2701 et seq., and 18 U.S.C. §§ 3121 et seq.  The SCA was enacted in 1986.  Microsoft Corp., 2016 WL 3770056 at *6.  The SCA limits the circumstances under which a service provider can disclose to third parties, including the government, information about an electronic communication or the contents of an electronic communication.  See id. at 7.  The government can obtain non-content information about a communication, such as subscriber and transactional information, through an administrative subpoena or court order on a showing lower than probable cause.  See id. at *7 (citing 18 U.S.C. §§ 2703(c)(2), (d)).  For content information, the government must obtain a warrant on probable cause or, under some circumstances, under a court order with notice to the subscriber.  See id. (citing 18 U.S.C. §§ 2703(a), (b)(1)(A)).  When a warrant is required, the SCA states that the warrant must be issued “using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction.”  See id. (citing 18 U.S.C. §2703(a)).

The dispute in this case arose when Microsoft moved to quash an SCA warrant served on Microsoft in Washington for the contents of customer emails stored on a Microsoft Outlook server located in Ireland.  Outlook is part of Microsoft’s “’enterprise cloud service offerings.’”  See id. at *2.  Emails sent and received through Outlook are stored on servers located in one or more of over 100 data centers owned or leased by Microsoft in over 40 countries.  See id.  The “cloud” is simply a network of dispersed data centers such as Microsoft’s Outlook server network.  Microsoft explained to the court that a customer’s emails usually are stored in a data center located in the country of residence given by the customer.  Id. 

In its motion to quash, Microsoft argued that a search warrant cannot have extraterritorial effect.  Microsoft admitted, however, that it can access and collect email content from any of its data centers using a database management program in the U.S.  See id. at *3.  The Magistrate denied the motion to quash, and the District Court affirmed.  Id. at 4.  The Second Circuit reversed.

As the Second Circuit noted, the “Internet” barely existed in 1986, and the World Wide Web was not created until 1990.  Id.  The SCA therefore was adopted in a very different technological context than today’s networked world.  In particular, there was no universally accessible email, and what we today call the “cloud” was only a gleam in the eyes of some science fiction writers thirty years ago.  The court noted that there is a presumption against extraterritorial application of statutes.  Id. at *9.  Since the SCA specifically referred to search warrants under the Federal Rules of Criminal Procedure, the court held, the territorial limits on such search warrants should apply to warrants under the SCA.  Id. at *11-12.  Although a “subpoena” can have greater extraterritorial reach than a “warrant,” the Second Circuit rejected the government’s argument that a “warrant” under the SCA is more like an administrative subpoena than a search warrant.  Id. at *12-14.

Judge Gerard Lynch wrote a separate opinion concurring in the judgment.  Judge Lynch believed “the government’s arguments are stronger than the Court’s opinion acknowledges” and further wished “to emphasize the need for congressional action to revise a badly outdated statute.”  Id. at *19.  Judge Lynch noted that there was no dispute about the government’s showing of probable cause or about Microsoft’s ability to access the records in the U.S.  Id. at *20.  He also was concerned that the choice of data center location was based on the customer’s self-reported location, which could be inaccurate or even intentionally misleading to evade law enforcement.  Id.  Contrary to some of Microsoft’s arguments, Judge Lynch did not believe the case presented any substantive privacy issue because the “’records’ are electronic zeros and ones that can be moved around the world in seconds, and will be so moved whenever it suits the convenience or commercial purposes of the company.”  Id. at 21.  Nevertheless, Judge Lynch felt bound to agree with that court’s statutory interpretation in light of the presumption against extraterritoriality.  Id.  He concluded by suggesting that Congress can and should amend the SCA to extend the reach of SCA warrants to data accessible to U.S. companies in the U.S. even if stored in cloud servers located outside the U.S.  Id. at 26.

Microsoft is presently litigating a separate case in the District of Washington, joined by the American Civil Liberties Union, challenging the constitutionality of parts of the SCA that allow the government to obtain subscriber and content information from Microsoft without notice to Microsoft’s customer.  See Microsoft v. U.S. Dep’t of Justice, No. 2:16-cv-00538-JLR (D. Wash.), filed April 14, 2016.  In its Complaint in that case, Microsoft states that “Cloud computing has spurred [a] profound change in the storage of private information” and that the government, using the SCA, “has exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations.”  Id., Complaint for Declaratory Judgment, ¶ ¶  2-3.  For Microsoft, and some other Silicon Valley companies, the cloud should become a domain in which service providers have a kind of jurisdiction to safeguard consumer privacy against governments.  But governments, including the U.S., argue that individuals who store their data with commercial cloud providers have already given up their privacy and that a handful of large information service providers cannot dictate national policy about criminal investigations and terrorism prevention.  This dispute will undoubtedly continue to work its way through the courts and Congress in coming years.

 

Klayman v. Obama Stay Left in Place

On November 9, 2015, Judge Richard Leon issued a preliminary injunction against the NSA bulk data collection program.  On November 10, in a per curiam Order, the D.C. Circuit stayed the preliminary injunction pending the government’s appeal.  Last Friday, November 20, the Circuit denied the plaintiffs’ emergency request for rehearing of the stay order en banc.  In a somewhat unusual move, Circuit Judge Brett Kavanaugh wrote a concurrence to the Order denying the request for hearing en banc.  Judge Kavanaugh states in the concurrence that “the Government’s metadata collection program is entirely consistent with the Fourth Amendment.”  Concurrence at 1.  Judge Kavanaugh states that the bulk data collection program satisfies the “special needs” exception under the Fourth Amendment because it “serves a critically important special need — preventing terrorist attacks on the United States.”  Id. at 2.  According to Judge Kavanaugh, “that critical national security need outweighs the impact on privacy occasioned by the program.”  Id.

In my view, Judge Kavanaugh’s concurrence is troubling.  An emergency petition for en banc review is an extraordinary request that can be denied for many reasons without opining on the merits.  It is difficult to see how Judge Kavanaugh could reach such an easy conclusion about the NSA program in the context of an emergency en banc petition, without full briefing and argument on the merits.  Unfortunately, it seems that the threat of terrorist attacks will remain with us in the foreseeable future.  While the threat is deadly serious, the ordinary rule of law cannot remain suspended in a perpetual state of exception, or else it is a rule of power and not of law.

Klayman v. Obama Preliminary Injunction of NSA Program

Judge Richard Leon in the District of Columbia federal court has again issued a preliminary injunction against the continuation of the NSA bulk telephony metadata collection program.  The bulk collection program is set to expire on November 29, 2015 under the USA FREEDOM Act, so the injunction in this case will not have long-term impact.  Judge Leon’s reasoning, however, could be important to the evaluation of future government data collection programs.  As Judge Leon stated in his November 9, 2015 Memorandum Opinion, this

will not . . . be the last chapter in the ongoing struggle to balance privacy rights and national security interests under our Constitution in an age of evolving technological wizardry.  Although this Court appreciates the zealousness with which the Government seeks to protect the citizens of our Nation, that same Government bears just as great a responsibility to protect the individual liberties of those very citizens.

Mem. Op. at 42.  The first portion of Judge Leon’s Opinion addresses the plaintiffs’ standing to challenge the NSA program.  I will address the standing issue in another post.

On the likelihood of success on the merits, Judge Leon found that the plaintiffs likely will be able to prove that the NSA bulk collection program violates the Fourth Amendment.  According to Judge Leon, plaintiffs “have a very significant expectation of privacy in an aggregated collection of their telephony metadata,” the government’s intrusion on that interest is very broad, and the government has not shown the program has successfully fulfilled the goal of protecting the nation from terrorism.  Mem. Op. at 28-37.  Judge Leon also found that the plaintiffs likely would suffer irreparable harm absent a preliminary injunction and that the public interest favors injunctive relief.  Id. at 37-42.

One notable aspect of Judge Leon’s Opinion is his discussion of expectations of privacy in relation to mobile technology.  He suggests that “Americans’ constant use of cellphones for increasingly diverse and private purposes illustrates the attitude with which people approach this technology as a whole” and that “a person’s expectation of privacy is not radically different when using his or her cellphone to make a call versus to check his or her bank account balance.”  Id. at 29.  Moreover, Judge Leon notes, mobile devices are a necessary part of modern life and therefore entail stronger expectations of privacy than high-security environments that most people enter only occasionally, such as airports.

Another notable aspect of the Opinion is Judge Leon’s often colorful descriptions of the NSA program and the government’s arguments in its favor.  Here is a sampling:  the bulk data collection program “is a sweeping, and truly astounding program that targets millions of Americans arbitrarily and indiscriminately” (Id. at 31); it is “absurd to suggest that the Constitution favors, or even tolerates, such extreme measures!” (Id. at 32 (exclamation point in original)); the government’s evidence in support of the program’s efficacy is “[n]ot exactly confidence inspiring!” (Id. at 35 (exclamation point in original)); “the Government .  .  . suggests that this Court should defer to [its] judgment . .  . Please!” (exclamation point in original)); “the Government incredibly argues that the [newly added] plaintiffs’ claim of irreparable harm is necessarily undercut by their more than two-year delay in joining this suit . . . . Come on!” (Id. at 38, n. 22 (exclamation point in original)); the government argues that the Court must “defer to Congress’ ‘determination’ that continuing the Program during the 180-day transition period is the best way to protect the public interest. . . . Not quite!” (Id. at 39 (exclamation point in original));  “Congress, of course, is not permitted to prioritize any policy goal over the Constitution . . . .  Nor am I!” (Id. at 40 (exclamation point in original)); “[t]his Court simply cannot, and will not, allow the Government to trump the Constitution merely because it suits the exigencies of the moment”) (Id.).

Earlier today, Judge Leon denied the government’s emergency application for a  stay of the preliminary injunction pending appeal, and the government filed an appeal with the D.C. Circuit.