Last spring, I did a post – Trojan Horse Warrant – Fail? – that examined an opinion in which a federal judge ruled on the FBI’s application for a search
warrant that would authorize them to “surreptitiously install data extraction
software” on a “Target Computer” which was located somewhere outside the United
States. In re Warrant to Search A
Target Computer at Premises Unknown, ___ F. Supp.2d ___, 2013 WL 1729765
(U.S. District Court for the Southern District of Texas 2013). As I explained, the Texas
federal judge denied the FBI’s application because he found (i) he did not have
the authority to issue a warrant to search a computer outside the federal
district in which he sat and (ii) the application violated the 4th
Amendment’s requirement that warrants particularly describe the place to be
searched and the things to be seized. In re Warrant to Search A Target Computer,
supra. For more on that, see the
prior post.
This case examines an opinion in which a U.S. District Court
Judge in New York dealt with Microsoft’s motion “to quash a search warrant to
the extent that it directs Microsoft to produce the contents of one of its
customer's e-mails where that information is stored on a server located in
Dublin, Ireland.” In the Matter of a Warrant to Search A Certain E–Mail Account Controlled
and Maintained by Microsoft Corporation, 2014 WL 1661004 (U.S. District Court for the Southern District of New York 2014) (“In re Warrant”). So this judge was dealing with an issue
similar to the one the Texas judge dealt with in the case noted above: “the circumstances under which law
enforcement agents in the United States may obtain digital information from
abroad”. In re Warrant, supra.
He began his opinion by explaining how the government came
to seek the warrant:
Microsoft has long owned and operated a
web-based e-mail service that has existed at various times under different
internet domain names, including Hotmail.com, MSN.com, and Outlook.com. . . . Users of a Microsoft e-mail account can,
with a user name and a password, send and receive email messages as well as
store messages in personalized folders. . . . E-mail message data include
content information (message and subject line) and non-content information (such
as the sender address, recipient address, and the date and time of
transmission). . . .
Microsoft stores e-mail messages sent and received
by its users in its datacenters. Those datacenters exist at various locations
both in the United States and abroad, and where a particular user's information
is stored depends in part on a phenomenon known as `network latency’; because
the quality of service decreases the farther a user is from the datacenter
where his account is hosted, efforts are made to assign each account to the
closest datacenter. . . . Accordingly, based on the `country code’ the customer
enters at registration, Microsoft may migrate the account to the datacenter in
Dublin. . . .When this is done, all content and most noncontent information
associated with the account is deleted from servers in the United States. . . .
The non-content information that
remains in the United States when an account is migrated abroad falls into
three categories. First, certain non-content information is retained in a data
warehouse in the United States for testing and quality control purposes. . . .
Second, Microsoft retains `address book’ information relating to certain web-based
e-mail accounts in an `address book clearing house.’ . . . Finally, certain
basic non-content information about all accounts, such as the user's name and
country, is maintained in a database in the United States. . . .
In re Warrant, supra.
The judge also explained that on December 4, 2013, in
response to an application by the government, he issued the search warrant that
is the subject of the instant motion.
That warrant authorizes the search and seizure of information associated with a
specified web-based e-mail account that is `stored at premises owned,
maintained, controlled, or operated by Microsoft Corporation, a company
headquartered at One Microsoft Way, Redmond, WA.’
In re Warrant, supra. The information to be disclosed by Microsoft consisted
of
`a. The contents of all e-mails stored
in the account, including copies of e-mails sent from the account;
b. All records or other information regarding the
identification of the account, to include full name, physical address,
telephone numbers and other identifiers, records of session times and
durations, the date on which the account was created, the length of service,
the types of service utilized, the IP address used to register the account,
log-in IP addresses associated with session times and dates, account status,
alternative e-mail addresses provided during registration, methods of
connecting, log files, and means and sources of payment (including any credit
or bank account number);
c. All records or other information stored by an
individual using the account, including address books, contact and buddy lists,
pictures, and files;
d. All records pertaining to
communications between MSN . . . and any person regarding the account,
including contacts with support services and records of actions taken.’
In re Warrant, supra (quoting
an attachment to the warrant).
He also noted that it is the responsibility of Microsoft’s
Global Criminal Compliance
(`GCC’) team to respond to a search
warrant seeking stored electronic information. . . . Working from offices in
California and Washington, the GCC team uses a database program or `tool’ to
collect the data. . . . Initially, a GCC team member uses the tool to determine
where the data for the target account is stored and then collects the
information remotely from the server where the data is located, whether in the
United States or elsewhere. . . .
Microsoft complied with the search
warrant to the extent of producing the non-content information stored on
servers in the United States. However, after it determined that the target
account was hosted in Dublin and the content information stored there, it filed
the instant motion seeking to quash the warrant to the extent that it directs
the production of information stored abroad.
In re Warrant, supra.
The judge concluded that Microsoft’s argument in support of its
motion was “simple,”
perhaps deceptively so. It notes that,
consistent with the [Stored Communications Act (“SCA”)] and Rule 41 of the Federal Rules of Criminal Procedure, the Government sought
information here by means of a warrant. Federal courts are without authority to
issue warrants for the search and seizure of property outside the territorial
limits of the United States. Therefore, Microsoft concludes, to the extent that
the warrant here requires acquisition of information from Dublin, it is
unauthorized and must be quashed.
In re Warrant, supra.
He then began his analysis of Microsoft’s argument, noting
that the obligation of an
Internet Service Provider (`ISP’) like
Microsoft to disclose to the Government customer information or records is
governed by the Stored Communications Act (the `SCA’), passed as part of the
Electronic Communications Privacy Act of 1986 (the `ECPA’) and codified
at 18 U.S. Code §§ 2701–2712. That statute authorizes the Government to
seek information by way of subpoena, court order, or warrant. The instrument
law enforcement agents utilize dictates the showing that must be made to obtain
it and the type of records that must be disclosed in response.
In re Warrant, supra.
As the judge explained, 18 U.S. Code § 2703 defines three
methods by which the government can obtain “customer information or
records”: a grand jury, trial or
administrative subpoena; a court order; or a search warrant. In re
Warrant, supra.
Under § 2703(b), it can use a subpoena to compel the ISP to
produce “basic customer information, such as the customer's name, address,
Internet Protocol connection records, and means of payment for the account . .
. ; unopened e-mails that are more than 180 days old . . ; and any opened
e-mails, regardless of age”. In re Warrant, supra.
Under § 2703(d), the government can require an ISP to
disclose all the “information subject to production under a subpoena and also `record[s]
or other information pertaining to a subscriber [ ] or customer,’ such as
historical logs showing the e-mail addresses with which the customer had
communicated”. In re Warrant, supra. If the
government obtains a warrant under § 2703(a), it can compel an ISP “to disclose
everything that would be produced in response to a section
2703(d) order or a subpoena as well as unopened e-mails stored by the
provider for less than 180 days.” In
re Warrant, supra. The warrant must
be issued in accordance with the procedures set out in Rule 41 of the Federal
Rules of Criminal Procedure. In re Warrant, supra.
The judge then took up Microsoft’s argument, noted
above. He found that its analysis “while
not inconsistent with the statutory language, is undermined by the structure of
the SCA, by its legislative history, and by the practical consequences that
would flow from adopting it.” In re Warrant, supra. The judge noted that the SCA was adopted
because
there were no constitutional limits on
an ISP's disclosure of its customer's data, and because the Government could
likely obtain such data with a subpoena that did not require a showing of
probable cause, Congress placed limitations on the service providers' ability to
disclose information and . . . defined the means that the Government could use
to obtain it.
In re Warrant, supra.
He also pointed out that although the SCA uses the term
`warrant’ and refers to the use of
warrant procedures, the resulting order is not a conventional warrant; rather,
the order is a hybrid: part search warrant and part subpoena. It is obtained
like a search warrant when an application is made to a neutral magistrate who
issues the order only upon a showing of probable cause. On the other hand, it
is executed like a subpoena in that it is served on the ISP in possession of
the information and does not involve government agents entering the premises of
the ISP to search its servers and seize the e-mail account in question.
In re Warrant, supra. In other words, it is an “SCA warrant”, not a
4th Amendment warrant. In re
Warrant, supra.
The judge then found that this interpretation of § 2703(a)
supported the government’s
view that the SCA does not implicate
principles of extraterritoriality. It has long been the law that a subpoena
requires the recipient to produce information in its possession, custody, or
control regardless of the location of that information. See Marc
Rich & Co., A.G. v. United States, 707 F.2d 663, 667 (U.S. Courtof Appeals for the 2d Circuit 1983) (`Neither may the witness resist the
production of documents on the ground [they] are located abroad. The test for
production . . . is control, not location’. . .); Tiffany (NJ) LLC v. Qi
Andrew, 276 F.R.D. 143 (U.S. District Court for the Southern District
of New York 2011) (`If the party subpoenaed has the practical ability to
obtain the documents, the actual physical location of the documents -- even if
overseas --- is immaterial’). . . . To be sure, the `warrant’
requirement of section 2703(a) . . . requir[es] a showing of probable cause not required for a
subpoena, but it does not alter the basic principle that an entity lawfully
obligated to produce information must do so regardless of the location of that
information.
In re Warrant, supra.
He found that this conclusion was further supported by § 108 of
the USA Patriot Act, which amended § 2703 “`to authorize the court with
jurisdiction over the investigation to issue the warrant directly, without requiring
the intervention of its counterpart in the district where the ISP is located.’” In re
Warrant, supra (quoting House of Representatives Report 107-236(I), 2001 WL
1205861 at 58 (2001). The amendment was meant to ensure that Federal Rule
of Criminal Procedure’s requirement that a warrant be issued “within the
district” where the property to be searched is located would not apply to SCA
digital searches. In re Warrant, supra. The
judge therefore noted that Congress
thus appears to have
anticipated that an ISP located in the United States would be obligated to
respond to a warrant issued pursuant to § 2703(a) by producing
information within its control, regardless of where that information was stored.
In re Warrant, supra.
Finally, he also found “it is difficult to believe that, in
light of the practical consequences that would follow, Congress intended to
limit the reach of SCA Warrants to data stored in the United States.” In re
Warrant, supra. He noted that
a service provider is under no obligation
to verify the information provided by a customer at the time an e-mail account
is opened. Thus, a party intending to engage in criminal activity could evade
an SCA Warrant by . . . giving false residence information, thereby causing the
ISP to assign his account to a server outside the United States.
Second,
if an SCA Warrant were treated like a conventional search warrant, it could
only be executed abroad pursuant to a Mutual Legal Assistance Treaty (`MLAT’). .
. . [N]ations that enter into MLATs . . . generally retain the discretion to
decline a request for assistance. For example, the MLAT between the. . . .
United States and the United Kingdom allows the Requested State to deny
assistance if it deems that the request would be `contrary to important public
policy’. . . . Treaty on Mutual Legal Assistance in Criminal Matters,
U.S.-U.K., Jan. 6, 1994, S. Treaty Doc. No. 104–2 (`U.S.-U.K.MLAT’), Art.
3(1)(a) & (c)(i). . . . [A]n exchange of diplomatic notes construes . . .
`important public policy’ to include `a Requested Party's policy of opposing
the exercise of jurisdiction which is in its view extraterritorial and
objectionable.’ . . .
Finally, in the case of a search and seizure,. . . any
search must be executed in accordance with the laws of the Requested Party. . .
. U.S.-U.K. MLAT, Art. 14(1), (2). This raises the possibility that foreign law
enforcement authorities would be required to oversee or even to conduct the
acquisition of information from a server abroad. . . .
[A]s burdensome and uncertain
as the MLAT process is, it is entirely unavailable where no treaty is in place.
. . . [N]ot all countries have entered into such agreements with the United
States. Moreover, Google has reportedly explored the possibility of
establishing . . . server farms located at sea beyond the territorial
jurisdiction of any nation. . . . Thus, under Microsoft's understanding,
certain information within the control of an American service provider would be
completely unavailable to American law enforcement under the SCA.
In re Warrant, supra.
The judge also addressed the presumption against
extraterritorial application of U.S. statutes, noting that “`[w]hen a statute
gives no clear indication of an extraterritorial application, it has none’”. In re Warrant, supra (quoting Morrison
v. National Australia Bank Ltd., 561 U.S. 247 (2010)). The SCA
does not address extraterritorial application, and the judge pointed out that the
“concerns that animate the presumption against”
extraterritoriality are simply not present
here: an SCA Warrant does not criminalize conduct taking place in a foreign
country; it does not involve the deployment of American law enforcement
personnel abroad; it does not require even the physical presence of service
provider employees at the location where data are stored. At least in this
instance, it places obligations only on the service provider to act within the
United States.
In re Warrant, supra.
So he found “[t]he practical implications thus make it
unlikely that Congress intended to treat a § 2703(a) order as a warrant
for the search of premises located where the data is stored.” In re
Warrant, supra. The judge therefore
held that
[e]ven when applied to information that
is stored in servers abroad, an SCA Warrant does not violate the presumption
against extraterritorial application of American law. Accordingly, Microsoft's
motion to quash in part the warrant at issue is denied.
In re Warrant, supra.
No comments:
Post a Comment