left-caret

Caveat Vendor

Overseas Data Not Safe from U.S. Government Search Warrant Power

May 01, 2014

Behnam Dayanim and Mary-Elizabeth Hadley

In a decision last week, U.S. Magistrate Judge James C. Francis IV in the Southern District of New York became the first to hold that the U.S. Government can obtain user data stored outside the United States through search warrants. In addition to broadly interpreting the Stored Communications Act (“SCA”) to require U.S. cloud and Internet service providers (“ISPs”) to share clients’ data located abroad, the opinion also casts doubt on the ability of companies to shield documents from the Government’s grasp by keeping them offshore.

The Stored Communications Act

The SCA, passed as part of the Electronic Communications Privacy Act of 1986 (the “ECPA”) and codified at 18 U.S.C. §§ 2701-2712, governs the obligations of an ISP to disclose customer information or records.  As we have written, the ECPA has attracted much recent attention from both Congress and other courts, as legislators have sought reform of its antiquated provisions and plaintiffs push to use it to support civil causes of action. Warrants issued under the SCA generally permit the government to compel an ISP to produce everything that would be produced in response to a court order, as well as unopened emails stored for less than 180 days.

The Warrant at Issue

Here, the challenged search warrant, issued by Magistrate Judge Francis in December 2013, sought information on a Microsoft customer, including the contents of emails stored in the account and all records regarding the identification of the account, namely details such as the customer’s name, physical address and payment sources (including any credit or bank account credit card numbers). Microsoft complied by producing account information kept on U.S. servers but moved to quash the warrant to the extent it directed the company to produce customer data stored on a server located in Dublin, Ireland. Microsoft argued that U.S. courts are not authorized to issue warrants for extraterritorial search and seizure.

After conceding that Microsoft’s argument was not inconsistent with the statute’s language, Magistrate Judge Francis nonetheless rejected its position.
In the court’s view, the enactment of the SCA was due, at least in part, to a recognition that Fourth Amendment protections that apply in the physical world might not apply to information communicated through the Internet. The opinion distinguished the Government’s request from a “traditional” search warrant, finding that digital content governed by the SCA merits less protection. The decision further characterized a warrant seeking email information as a “hybrid” because, although it is obtained from a neutral magistrate judge like a search warrant, it is executed like a subpoena through service on the ISP and does not involve government agents visiting the ISP’s premises.

The magistrate judge emphasized that “[i]f the territorial restrictions on conventional warrants applied to [SCA warrants], the burden on the government would be substantial, and law enforcement efforts would be seriously impeded.” He therefore viewed it as unlikely that Congress intended to limit the reach of SCA warrants to data stored in the United States.

Interestingly, the court also noted that, since Microsoft presumably would search for the responsive documents from the United States, the physical location of the servers was irrelevant.  “[I]n the context of digital information,” the court stated, “a search occurs when information from or about the data is exposed to possible human observation, such as when it appears on a screen, rather that when it is copied by the hard drive or processed by the computer. . . . [C]onsequently, no extraterritorial search has occurred.”
In an immediate response, Microsoft insisted it would continue to challenge the warrant and reiterated its position that, just as“[a] U.S. prosecutor cannot obtain a U.S. warrant to search someone’s home located in another country, . . . the same rules should apply in the online world.”  The company also reaffirmed its commitment to protecting its customers’ privacy originally conveyed in a December 2013 blog post by Brad Smith, Microsoft’s General Counsel & Executive Vice President, Legal & Corporate Affairs.

When Is a Warrant Not a Warrant?

The court’s decision is interesting in its understanding of the meaning and implications of an SCA warrant.  If this were a traditional warrant, the government probably would have been required to seek the cooperation of the foreign country in which the documents were located.  That process typically involves the use of mutual legal assistance treaties, or MLATs, and reflects a recognition that one sovereign should not impinge on the authority of another within its territory.
The court here distinguished the SCA warrant from those more conventional warrants, noting that “an SCA Warrant does not criminalize conduct taking place in a foreign country; it does not involve the deployment of American law enforcement personnel abroad; it does not require even the physical presence of service provider employees at the location where data are stored.”  Furthermore, “[a]t least in this instance, it places obligations only on the service provider to act within the United States.”
For that reason, the court thought the SCA warrant to be more analogous to a subpoena.  Subpoenas often require parties otherwise subject to the jurisdiction of the court to produce documents located abroad.
Potential Implications

The court’s decision has at least two potential implications of note, beyond the outcome of this particular case.

  • First, the court’s determination that an SCA warrant is not “really” a warrant creates some concern since it seems to disregard the fact that, like a traditional warrant, it allows the government to obtain information that could later be used for a range of governmental purposes.In that regard, loosening the limitations on its exercise in effect grants the government another tool by which in many cases it may be able to avoid the “traditional” search warrant process to obtain information.

  • The idea that electronic access to a document in the United States, in effect, means that the document is available here – is “searchable” without need to enter the foreign jurisdiction – is not necessarily limited to the SCA context and conceivably could be applied more broadly, even to conventional warrants. That, in turn, may pose implications for document review in a host of situations involving companies facing potential governmental action.Companies may need to think twice before conducting electronic review “on-shore,” for example, even if the documents themselves are located elsewhere.

How the district court handles the magistrate judge’s decision – and how any future appellate courts further consider the issue – thus bears close watching.

Caveat Vendor is Paul Hastings’ Consumer Issues blog. We welcome your feedback. Please contact our blog editor with any thoughts or suggestions.

Subscribe to Caveat Vendor by Email. You will receive an email when the blog has been updated.