Wednesday, June 18, 2014

Microsoft, Email, the Extraterritorial Search Warrant and the 4th Amendment

Last spring, I did a post – Trojan Horse Warrant – Fail? – that examined an opinion in which a federal judge ruled on the FBI’s application for a search warrant that would authorize them to “surreptitiously install data extraction software” on a “Target Computer” which was located somewhere outside the United States.  In re Warrant to Search A Target Computer at Premises Unknown, ___ F. Supp.2d ___, 2013 WL 1729765 (U.S. District Court for the Southern District of Texas 2013).  As I explained, the Texas federal judge denied the FBI’s application because he found (i) he did not have the authority to issue a warrant to search a computer outside the federal district in which he sat and (ii) the application violated the 4th Amendment’s requirement that warrants particularly describe the place to be searched and the things to be seized.  In re Warrant to Search A Target Computer, supra. For more on that, see the prior post.
This case examines an opinion in which a U.S. District Court Judge in New York dealt with Microsoft’s motion “to quash a search warrant to the extent that it directs Microsoft to produce the contents of one of its customer's e-mails where that information is stored on a server located in Dublin, Ireland.”  In the Matter of a Warrant to Search A Certain E–Mail Account Controlled and Maintained by Microsoft Corporation, 2014 WL 1661004 (U.S. District Court for the Southern District of New York 2014) (“In re Warrant”). So this judge was dealing with an issue similar to the one the Texas judge dealt with in the case noted above:  “the circumstances under which law enforcement agents in the United States may obtain digital information from abroad”.  In re Warrant, supra.
He began his opinion by explaining how the government came to seek the warrant:
Microsoft has long owned and operated a web-based e-mail service that has existed at various times under different internet domain names, including Hotmail.com, MSN.com, and Outlook.com. . . . Users of a Microsoft e-mail account can, with a user name and a password, send and receive email messages as well as store messages in personalized folders. . . . E-mail message data include content information (message and subject line) and non-content information (such as the sender address, recipient address, and the date and time of transmission). . . .

Microsoft stores e-mail messages sent and received by its users in its datacenters. Those datacenters exist at various locations both in the United States and abroad, and where a particular user's information is stored depends in part on a phenomenon known as `network latency’; because the quality of service decreases the farther a user is from the datacenter where his account is hosted, efforts are made to assign each account to the closest datacenter. . . . Accordingly, based on the `country code’ the customer enters at registration, Microsoft may migrate the account to the datacenter in Dublin. . . .When this is done, all content and most noncontent information associated with the account is deleted from servers in the United States. . . .

The non-content information that remains in the United States when an account is migrated abroad falls into three categories. First, certain non-content information is retained in a data warehouse in the United States for testing and quality control purposes. . . . Second, Microsoft retains `address book’ information relating to certain web-based e-mail accounts in an `address book clearing house.’ . . . Finally, certain basic non-content information about all accounts, such as the user's name and country, is maintained in a database in the United States. . . .
In re Warrant, supra.
The judge also explained that on December 4, 2013, in response to an application by the government, he issued the search warrant that
is the subject of the instant motion. That warrant authorizes the search and seizure of information associated with a specified web-based e-mail account that is `stored at premises owned, maintained, controlled, or operated by Microsoft Corporation, a company headquartered at One Microsoft Way, Redmond, WA.’
In re Warrant, supra.  The information to be disclosed by Microsoft consisted of 
`a. The contents of all e-mails stored in the account, including copies of e-mails sent from the account;

b. All records or other information regarding the identification of the account, to include full name, physical address, telephone numbers and other identifiers, records of session times and durations, the date on which the account was created, the length of service, the types of service utilized, the IP address used to register the account, log-in IP addresses associated with session times and dates, account status, alternative e-mail addresses provided during registration, methods of connecting, log files, and means and sources of payment (including any credit or bank account number);

c. All records or other information stored by an individual using the account, including address books, contact and buddy lists, pictures, and files;

d. All records pertaining to communications between MSN . . . and any person regarding the account, including contacts with support services and records of actions taken.’
In re Warrant, supra (quoting an attachment to the warrant).
He also noted that it is the responsibility of Microsoft’s Global Criminal Compliance
(`GCC’) team to respond to a search warrant seeking stored electronic information. . . . Working from offices in California and Washington, the GCC team uses a database program or `tool’ to collect the data. . . . Initially, a GCC team member uses the tool to determine where the data for the target account is stored and then collects the information remotely from the server where the data is located, whether in the United States or elsewhere. . . .

Microsoft complied with the search warrant to the extent of producing the non-content information stored on servers in the United States. However, after it determined that the target account was hosted in Dublin and the content information stored there, it filed the instant motion seeking to quash the warrant to the extent that it directs the production of information stored abroad.
In re Warrant, supra. 
The judge concluded that Microsoft’s argument in support of its motion was “simple,”
perhaps deceptively so. It notes that, consistent with the [Stored Communications Act (“SCA”)] and Rule 41 of the Federal Rules of Criminal Procedure, the Government sought information here by means of a warrant. Federal courts are without authority to issue warrants for the search and seizure of property outside the territorial limits of the United States. Therefore, Microsoft concludes, to the extent that the warrant here requires acquisition of information from Dublin, it is unauthorized and must be quashed.
In re Warrant, supra. 
He then began his analysis of Microsoft’s argument, noting that the obligation of an
Internet Service Provider (`ISP’) like Microsoft to disclose to the Government customer information or records is governed by the Stored Communications Act (the `SCA’), passed as part of the Electronic Communications Privacy Act of 1986 (the `ECPA’) and codified at 18 U.S. Code §§ 2701–2712. That statute authorizes the Government to seek information by way of subpoena, court order, or warrant. The instrument law enforcement agents utilize dictates the showing that must be made to obtain it and the type of records that must be disclosed in response.
In re Warrant, supra. 
As the judge explained, 18 U.S. Code § 2703 defines three methods by which the government can obtain “customer information or records”:  a grand jury, trial or administrative subpoena; a court order; or a search warrant.  In re Warrant, supra. 
Under § 2703(b), it can use a subpoena to compel the ISP to produce “basic customer information, such as the customer's name, address, Internet Protocol connection records, and means of payment for the account . . . ; unopened e-mails that are more than 180 days old . . ; and any opened e-mails, regardless of age”.  In re Warrant, supra. 
Under § 2703(d), the government can require an ISP to disclose all the “information subject to production under a subpoena and also `record[s] or other information pertaining to a subscriber [ ] or customer,’ such as historical logs showing the e-mail addresses with which the customer had communicated”.  In re Warrant, supra.  If the government obtains a warrant under § 2703(a), it can compel an ISP “to disclose everything that would be produced in response to a section 2703(d) order or a subpoena as well as unopened e-mails stored by the provider for less than 180 days.”  In re Warrant, supra.  The warrant must be issued in accordance with the procedures set out in Rule 41 of the Federal Rules of Criminal Procedure.  In re Warrant, supra. 
The judge then took up Microsoft’s argument, noted above.  He found that its analysis “while not inconsistent with the statutory language, is undermined by the structure of the SCA, by its legislative history, and by the practical consequences that would flow from adopting it.”  In re Warrant, supra.  The judge noted that the SCA was adopted because
there were no constitutional limits on an ISP's disclosure of its customer's data, and because the Government could likely obtain such data with a subpoena that did not require a showing of probable cause, Congress placed limitations on the service providers' ability to disclose information and . . . defined the means that the Government could use to obtain it.
In re Warrant, supra. 
He also pointed out that although the SCA uses the term
`warrant’ and refers to the use of warrant procedures, the resulting order is not a conventional warrant; rather, the order is a hybrid: part search warrant and part subpoena. It is obtained like a search warrant when an application is made to a neutral magistrate who issues the order only upon a showing of probable cause. On the other hand, it is executed like a subpoena in that it is served on the ISP in possession of the information and does not involve government agents entering the premises of the ISP to search its servers and seize the e-mail account in question.
In re Warrant, supra.  In other words, it is an “SCA warrant”, not a 4th Amendment warrant. In re Warrant, supra. 
The judge then found that this interpretation of § 2703(a) supported the government’s 
view that the SCA does not implicate principles of extraterritoriality. It has long been the law that a subpoena requires the recipient to produce information in its possession, custody, or control regardless of the location of that information. See Marc Rich & Co., A.G. v. United States, 707 F.2d 663, 667 (U.S. Courtof Appeals for the 2d Circuit 1983) (`Neither may the witness resist the production of documents on the ground [they] are located abroad. The test for production . . . is control, not location’. . .); Tiffany (NJ) LLC v. Qi Andrew, 276 F.R.D. 143 (U.S. District Court for the Southern District of New York 2011) (`If the party subpoenaed has the practical ability to obtain the documents, the actual physical location of the documents -- even if overseas --- is immaterial’). . . .   To be sure, the `warrant’ requirement of section 2703(a) . . . requir[es]  a showing of probable cause not required for a subpoena, but it does not alter the basic principle that an entity lawfully obligated to produce information must do so regardless of the location of that information.
In re Warrant, supra. 
He found that this conclusion was further supported by § 108 of the USA Patriot Act, which amended § 2703 “`to authorize the court with jurisdiction over the investigation to issue the warrant directly, without requiring the intervention of its counterpart in the district where the ISP is located.’”  In re Warrant, supra (quoting House of Representatives Report 107-236(I), 2001 WL 1205861 at 58 (2001). The amendment was meant to ensure that Federal Rule of Criminal Procedure’s requirement that a warrant be issued “within the district” where the property to be searched is located would not apply to SCA digital searches.  In re Warrant, supra.  The judge therefore noted that Congress
thus appears to have anticipated that an ISP located in the United States would be obligated to respond to a warrant issued pursuant to § 2703(a)  by producing information within its control, regardless of where that information was stored.
In re Warrant, supra.  
Finally, he also found “it is difficult to believe that, in light of the practical consequences that would follow, Congress intended to limit the reach of SCA Warrants to data stored in the United States.”  In re Warrant, supra.  He noted that
a service provider is under no obligation to verify the information provided by a customer at the time an e-mail account is opened. Thus, a party intending to engage in criminal activity could evade an SCA Warrant by . . . giving false residence information, thereby causing the ISP to assign his account to a server outside the United States.

Second, if an SCA Warrant were treated like a conventional search warrant, it could only be executed abroad pursuant to a Mutual Legal Assistance Treaty (`MLAT’). . . . [N]ations that enter into MLATs . . . generally retain the discretion to decline a request for assistance. For example, the MLAT between the. . . . United States and the United Kingdom allows the Requested State to deny assistance if it deems that the request would be `contrary to important public policy’. . . . Treaty on Mutual Legal Assistance in Criminal Matters, U.S.-U.K., Jan. 6, 1994, S. Treaty Doc. No. 104–2 (`U.S.-U.K.MLAT’), Art. 3(1)(a) & (c)(i). . . . [A]n exchange of diplomatic notes construes . . . `important public policy’ to include `a Requested Party's policy of opposing the exercise of jurisdiction which is in its view extraterritorial and objectionable.’ . . . 

Finally, in the case of a search and seizure,. . . any search must be executed in accordance with the laws of the Requested Party. . . . U.S.-U.K. MLAT, Art. 14(1), (2). This raises the possibility that foreign law enforcement authorities would be required to oversee or even to conduct the acquisition of information from a server abroad. . . .

[A]s burdensome and uncertain as the MLAT process is, it is entirely unavailable where no treaty is in place. . . . [N]ot all countries have entered into such agreements with the United States. Moreover, Google has reportedly explored the possibility of establishing . . . server farms located at sea beyond the territorial jurisdiction of any nation. . . . Thus, under Microsoft's understanding, certain information within the control of an American service provider would be completely unavailable to American law enforcement under the SCA.
In re Warrant, supra. 
The judge also addressed the presumption against extraterritorial application of U.S. statutes, noting that “`[w]hen a statute gives no clear indication of an extraterritorial application, it has none’”. In re Warrant, supra (quoting Morrison v. National Australia Bank Ltd., 561 U.S. 247 (2010)). The SCA does not address extraterritorial application, and the judge pointed out that the “concerns that animate the presumption against” 
extraterritoriality are simply not present here: an SCA Warrant does not criminalize conduct taking place in a foreign country; it does not involve the deployment of American law enforcement personnel abroad; it does not require even the physical presence of service provider employees at the location where data are stored. At least in this instance, it places obligations only on the service provider to act within the United States.
In re Warrant, supra.  
So he found “[t]he practical implications thus make it unlikely that Congress intended to treat a § 2703(a) order as a warrant for the search of premises located where the data is stored.”  In re Warrant, supra.  The judge therefore held that 
[e]ven when applied to information that is stored in servers abroad, an SCA Warrant does not violate the presumption against extraterritorial application of American law. Accordingly, Microsoft's motion to quash in part the warrant at issue is denied.
In re Warrant, supra. 


No comments:

Post a Comment