Skip to content

Microsoft Corp. v. United States

February 23, 2017

MICROSOFT CORP. V. UNITED STATES: SHOULD CONGRESS REVISE THE STORED COMMUNICATIONS ACT?

By: Adam Frudden, Volume 101 Staff Member

On July 14, 2016, the Court of Appeals for the Second Circuit issued its ruling in the case of Microsoft Corp. v. United States.[1] The long-awaited decision pertaining to the scope of the Stored Communications Act (SCA) has led to demands for Congress to revise the SCA to better suit our current global society.[2]

I. PRIVACY LAW AND TECHNOLOGY

In 1890, Samuel Warren and Louis Brandeis wrote a revolutionary law review article addressing the proper amount of protection privacy should be granted by the law.[3] The article opined that while the right of privacy should extend to many forms of communications—“domestic or otherwise”—Congress had not yet clearly delineated the contours of the right.[4] At the time of the article, the legal system was struggling to determine the protections necessary to protect privacy in the light of new “inventions and business methods,” [5] because formulating appropriate laws “in advance of experience” is an impracticable task.[6]

Ninety-six years after The Right to Privacy was published, Congress passed the SCA in response to the rise of technology that stored data with and sent data through internet service providers (ISPs).[7] Congress feared that these new technologies were steadily eroding Americans’ privacy interests.[8] To alleviate the concern, the SCA mandated ISPs to comport with general non-disclosure obligations.[9] However, the SCA contained an exception that required ISPs to provide the United States government with data if the government obtained a warrant in accord with the Federal Rules of Criminal Procedure or the applicable state warrant procedures.[10]

As The Right to Privacy warned, providing adequate legal protection is a “difficult task” when Congress does not possess experience with the technology or business practices in question. In 1986, the World Wide Web and multinational ISPs did not yet exist.[11] Accordingly, the SCA did not address if the Act—or the warrant provision particularly—could be applied extraterritorially.[12] As international boundaries became irrelevant for electronic devices,[13] the SCA’s silence caused conflicting views on the scope of the SCA.[14]

II. MICROSOFT CORP. V. UNITED STATES

Microsoft Corporation, an ISP incorporated in the U.S., provides a free email service to the public.[15] Users registering for the service must enter a “country code” to indicate their place of residence.[16] Microsoft does not verify the accuracy of users’ selections.[17] A user’s data—including emails—is stored almost exclusively in the datacenter located nearest to where the user alleges they are situated.[18] If a user indicates they are located outside the U.S., Microsoft deletes almost all of the content affiliated with the account in the U.S.[19] Microsoft is, however, capable of attaining data stored abroad from within the U.S. using a database management program.[20]

One Microsoft email user was allegedly using the service to aid a narcotics trafficking scheme.[21] Due to the user’s location designation, almost all of the data associated with the account was stored in Ireland.[22] The U.S. government sought, and received, a warrant from a district court in New York directing Microsoft to “seize and produce” the data associated with the email account.[23] The government cited the SCA as their source of authority, arguing the SCA’s warrant provision entitles the government—armed with a warrant—to data regardless of location.[24] Microsoft supplied the minimal data stored in the U.S., but moved to quash the warrant with respect to data stored in Ireland.[25] Microsoft argued the SCA’s warrant provision could only be utilized to force companies to provide data located in the U.S.[26] The motion to quash was denied by the district court.[27] Microsoft appealed the district court’s decision.[28]

The Court of Appeals for the Second Circuit utilized the two-part approach articulated in Morrison v. National Australia Bank Ltd.[29] to determine the SCA’s warrant provision cannot be utilized to mandate ISPs to produce data located outside the U.S.[30] The court of appeals reasoned that the language in the SCA—including the warrant provision—did not explicitly designate for or implicitly infer extraterritorial application, falling short of the required “affirmative indication” necessary to allow extraterritorial application.[31]

III. THE FUTURE FOR WARRANTS GRANTED UNDER THE SCA

In his concurring opinion in Microsoft Corp. v. United States, Judge Lynch postulated that a bright-line rule making ISPs’ data stored outside the U.S. unobtainable by the SCA’s warrant provision is not an ideal solution.[32] Judge Lynch argued that allowing ISPs to provide—at their discretion—users’ data “absolute” protection unnecessarily limits the U.S.’ ability to ensure its citizens’ safety.[33] If the ISP stores the data abroad, the U.S. government cannot obtain the data without the assistance of foreign governments.[34] Further, the U.S. does not have “formal tools” to obtain data from every country, allowing service providers and users the ability to make their data unobtainable by the U.S. government.[35] This data could be necessary to thwart terrorists plots or complex criminal schemes.[36]

Due to the perceived insufficiencies of the current SCA, Judge Lynch implored Congress to amend the Act.[37] Judge Lynch believes Congress is now well equipped to formulate a rule or standard that correctly balances the countervailing interests: effective law enforcement and safety[38] versus privacy interests and fostering mutually beneficial relationships with other nations.[39] This determination need not be “all-or-nothing,” but could include subtleties that allow the U.S. government to access data stored in foreign countries under certain circumstances.[40]

The author believes Congress should expand the scope of the SCA, allowing the SCA’s warrant provision to reach data stored in foreign countries if the user is a U.S. citizen—or in the process of acquiring U.S. citizenship—and resided within the U.S. for a significant duration in which the data was collected. While more changes are possibly warranted, this Post focuses exclusively on the “evil” that Microsoft Corp. v. United States exposed: ISPs possessing the ability to prevent the U.S. government from accessing its own citizens’ data with a warrant.

In balancing the countervailing interests, the author grants substantial weight to the resentment, and potential retaliatory responses,[41] likely to result from the violation of foreign governments’ and their citizens’ privacy rights. As Justice Lynch recognizes: “other countries have their own ideas, sometimes at odds with ours.”[42] Many countries grant their citizens positive liberties—“rights that the government must affirmatively protect”—that have in some countries been interpreted to “not only forbid the government from intruding on privacy, but also require the government to have laws against intrusions on one private party’s privacy by another private party.”[43] For instance, the Charter of Fundamental Rights of the European Union declares: “[e]veryone has the right to the protection of personal data concerning him or her.”[44] However, only allowing the U.S. government to access data of U.S. citizens located within the U.S. does not raise the same level of concerns. As Judge Lynch articulated: “[t]he case looks different . . . if the American government is demanding . . . emails of an American citizen resident in the U.S. . . . which are stored on a server [abroad] . . . only as a result of the American customer’s misrepresenting his or her residence.”[45] Further, this limited increase in scope prevents ISPs from absolutely protecting U.S. users’ data with a simple business decision—an “evil” that has become evident.

An alternative solution mentioned in Judge Lynch’s concurrence was to focus on the ISPs location.[46] Focusing exclusively on the user’s nationality and location is superior to focusing on the ISP’s location. An ISP’s location in the U.S. is not sufficient to reduce the concern of infringing on foreign governments’ rights, because U.S. ISPs serve primarily non-U.S. users.[47] Therefore, substantial foreign privacy rights would likely be violated if this was the determinative factor.

  1. 829 F.3d 197, 201 (2d Cir. 2016).
  2. See id. at 233 (Lynch, J., concurring).
  3. Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890); see also Richard C. Turkington, Legacy of the Warren and Brandeis Article: The Emerging Unencumbered Constitutional Right to Informational Privacy, 10 N. Ill. U.L. Rev. 479, 482–83 (1990) (discussing how the Warren and Brandeis article has become one of the most influential legal publications ever written).
  4. Warren & Brandeis, supra note 3, at 213–14.
  5. Id. at 195 (citing Thomas M. Cooley, The Law of Torts 29 (2d ed. 1888)).
  6. Id. at 214.
  7. Microsoft Corp., 829 F.3d at 201; see Stored Communications Act, 18 U.S.C. §§ 2701–2712 (2012). “ISPs provide account holders the ability to send, receive, and store opened and unopened e-mails associated with the ISPs’ systems, which may also be thought of as the mail servers themselves.” Crispin v. Christian Audigier, Inc., 717 F. Supp. 2d 965, 969 n.9 (quoting Kimberly S. Cuccia, Note, Have You Seen My Inbox? Government Oversteps the Fourth Amendment Again: Goodbye Telephones, Hello E-Mail, 43 Val. U. L. Rev. 671, 676 (2009)).
  8. Microsoft Corp., 829 F.3d at 219.
  9. Id. at 207.
  10. 18 U.S.C. § 2703(a)–(b) (2012); Microsoft Corp., 829 F.3d at 207–08. The government can also obtain user’s data without a warrant if it has been in the possession of an ISP for over 180 days and the government provides notice to the user. 18 U.S.C. § 2703(b)(1)(B); Microsoft Corp., 829 F.3d at 207–08.
  11. Microsoft Corp., 829 F.3d at 206; id. at 231 (Lynch, J., concurring).
  12. Id. at 209 (majority opinion).
  13. See Orin S. Kerr, The Next Generation Communications Privacy Act, 162 U. Pa. L. Rev. 373, 407 (2014) (“In today’s networked environment, company headquarters can be located in one country; employees with access to the data can be located in a second country; the data can reside in a third country; and the party seeking access to the company’s data could be located in a fourth country.”).
  14. See Microsoft Corp., 829 F.3d at 200–01 (describing Microsoft’s and the government’s conflicting views of the Act and ISPs reliance on the “worldwide networks of hardware . . . .”).
  15. Id. at 202.
  16. In re Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., 15 F. Supp. 3d 466, 467 (S.D.N.Y. 2014).
  17. Microsoft Corp., 829 F.3d at 203.
  18. Id. at 202. Microsoft offers this feature to individuals living in over 100 different countries, with data centers stationed in over forty countries. Id.
  19. Id. at 203. Microsoft retains in the U.S. only: (1) “some non-content e-mail information;” (2) information associated with users’ online address books; and (3) minimal user-provided account information. Id.
  20. Id.; see also id. at 220 n.28 (“[M]essages stored in the ‘cloud’ have a discernible physical location.”).
  21. Id. at. 200.
  22. Id. at 220 n.28. It is unclear if the individual actually lived in or had ties with Ireland. Id. at 230 (Lynch, J., concurring).
  23. Id. at 200 (majority opinion).
  24. Id. at 201, 205.
  25. Id. at 200–01.
  26. Id. at 201 (“Microsoft and the government dispute the nature and reach of the Warrant that the Act authorized . . . .”).
  27. Id. at 201.
  28. Id. at 200.
  29. 561 U.S. 247 (2010).
  30. Microsoft Corp., 829 F.3d at 220 (citing Morrison, 561 U.S. at 266–67).
  31. Id. at 211, 215 (quoting Morrison, 561 U.S. at 265).
  32. Id. at 224 (Lynch, J., concurring).
  33. Id.
  34. See id. at 221 (majority opinion) (describing the process of obtaining data from foreign governments).
  35. Id.
  36. Id. at 224 (Lynch, J., concurring).
  37. Id. at 231.
  38. See id. at 221 (majority opinion) (describing the government’s concerns pertaining to enforcement of the law under the SCA).
  39. Id. at 225 (Lynch, J., concurring).
  40. Id. at 232.
  41. Rebecca Eubank, Note, Hazy Jurisdiction: Challenges of Applying the Stored Communications Act to Information Stored in the Cloud, 7 Geo. Mason Int’l Com. L. 161, 168 (2016).
  42. Microsoft Corp., 829 F.3d at 225 (Lynch, J., concurring).
  43. William McGeveran, Privacy and Data Protection Law 83 (Robert C. Clark ed., 2016). In contrast, the Bill of Rights in the United States Constitution only provides negative liberties, “prohibitions against certain actions by the government that intrude on individual freedom.” Id.
  44. 2012 O.J. (C 326) 397.
  45. Microsoft Corp., 829 F.3d at 232 (Lynch, J., concurring).
  46. Id.
  47. Kerr, supra note 13, at 373–74.
Posted in De Novo