Catch Me If You Can, But Not When I am In “The Cloud”

Nearly all Internet users interact with “the cloud” every day, but most never consider what‑or where‑“the cloud” is. The “where” of data is not a straightforward inquiry.

The Supreme Court has announced that it will hear a major digital privacy case, United States v. Microsoft Corp., which will determine whether law enforcement officials can demand user data stored by technology companies in other countries on October 16, 2017.

Back in December of 2013, federal investigators acquired a warrant under the Stored Communications Act (SCA) for the content associated with a Microsoft Network (MSN) email address to investigate drug trafficking. Microsoft handed over responsive data stored in the United States. However, Microsoft refused to retrieve the information from the server in Ireland for lack of the jurisdiction of the warrant.

The lower court denied Microsoft’s motion to quash the warrant. The court argued that letting Microsoft withhold the data stored in Ireland would allow criminals to evade the SCA warrant by forcing the government to rely solely on Mutual Legal Assistance Treaties (MLATs) to obtain information stored abroad. Many countries have no MLAT with the United States.

The case was then escalated to the Second Circuit Court of Appeals. The Second Circuit held that the government cannot compel Internet Service Providers (ISPs) to turn over data stored overseas, even with a warrant. Judge Lynch concurred and stressed what the case was not about: privacy. According to Judge Lynch, the case boiled down to a dispute over the “international reach of American law.”

The SCA was enacted to extend to electronic records privacy protections analogous to those provided by the Fourth Amendment. As the term is used in the Constitution, a warrant is traditionally attached to privacy concepts applied within the territory of the United States. Federal Rule of Criminal Procedure requires that the “warrant” be obtained “within the district” where the property is located. It is worth noting that the SCA was passed as part of the Electronic Communications Privacy Act, with the word “privacy” in its very title.

For parties on both sides of the privacy debate, a Supreme Court ruling on the scope of the SCA warrants could have significant ripple effects, from potentially hindering law enforcement investigation capabilities to calling into question international data transfer treaties and the business value of U.S. tech companies.

The Department of Justice argued that affirming the Second Circuit ruling would severely limit the ability of law enforcement to conduct criminal investigations on not only foreign suspects, but American ones as well. However, if the Supreme Court permits the production of this data, we will see other nations reciprocating by serving U.S. companies present in their jurisdictions search warrants for the production of data stored in the U.S. And such a move could prove controversial, given that U.S. companies might be inclined to honor warrant types of searches from Russia, China, and others, who may request data on dissidents or other politically sensitive persons.

For now, Microsoft’s overseas customers can be confident that their data is being protected against unwanted collection by U.S. authorities. But if such confidence is taken away, those consumers might look elsewhere for their tech-related needs. However, Judge Lynch from the Second Circuit doubted the privacy interests would be better protected by the business decision of a private corporation than by the traditional constitutional safeguard of a search warrant.

Many commentators have concluded that the very idea of online being located in a particular physical place is becoming rapidly outdated. In sum, data is what Jennifer Daskal calls “un-territorial.”

When courts must apply old laws to modern technology, they face a choice: they can treat technology as they would anything else, or they can acknowledge its unique qualities and consider adapting their application of existing laws accordingly.

Microsoft is not the first time the Supreme Court has to grapple with legal wrinkle created by new technology. In Olmstead v. United States, the Supreme Court held that a wiretap did not constitute a search by applying the trespass test under the Fourth Amendment. It was not until Katz v. United States, decided nearly forty years later, that the Court created the expectation-of-privacy test appropriate for modern technology.

Alternatively, if Congress thinks the Supreme Court got it wrong, Congress can fix it because it is not a constitutional question, but a question of statutory interpretation. But Congress can be a wild card these days. It is difficult to see Congress agreeing on privacy issues that are so fraught at both ends of the aisle.

In either scenario, another forty years would be too long to wait.