A Win for Microsoft in Ireland?

It’s been quite a while since my last post, but this past week has been just brimming with legal news surrounding computer laws, so I felt compelled to comment. The Ninth Circuit issued two highly controversial opinions interpreting the CFAA (one seems to criminalize password sharing; the other criminalizes visiting a website once they specifically tell you not to), and the Second Circuit issued a win for Microsoft in the Microsoft-Ireland case. Although all of these rulings are very interesting, and I have plenty to say, I’ll be limiting my commentary to the Microsoft ruling. As you may recall, I covered this case in a previous post, and the Second Circuit has apparently completely disregarded my very sound legal advice! So let’s try again.

Background

Since I’ve discussed this previously, I’ll keep the background brief. Microsoft was issued a warrant for the content of an email account whose data was stored in Ireland. Microsoft objected, claiming that you can’t issue warrants to search extraterritorially (outside the US). The government responded by saying that the warrant wasn’t being applied extraterritorially; it was being served to Microsoft, located in the US. Who wins? The district court sided with the government (adopting the opinion of the initial magistrate); the Second Circuit sided with Microsoft. (It’s unclear whether the government will try to appeal to the Supreme Court, but I suspect they will.)

That’s the short version. The long version is very long, and implicates a number of fascinating questions about computer searches and seizures, international law, and statutory interpretation. The Second Circuit mostly forgoes the first two, focusing on the appropriate statutory interpretation of the Electronic Communications Privacy Act (ECPA), the law that authorized the “warrant” the government issued. ECPA can be thought of as the Fourth Amendment for email, and while frequently criticized, ECPA has been the law for 30 years. (That fact also serves as the law’s most frequent criticism; email in the ’80s hardly reflects the modern world.)

Focusing Overseas

Putting aside the standard ECPA talking points, the Second Circuit opinion is mostly an issue of statutory construction. Specifically, does ECPA, as written, apply to data stored overseas? To figure this out, the Second Circuit (rightly) invokes the presumption against extraterritoriality, a judicial creation that says that courts should presume that laws don’t apply overseas unless Congress explicitly says that they do. This inquiry is fairly open and shut: Congress was silent on extraterritorial application of ECPA, and specifically invokes FRCP 41, which limits traditional warrant execution to within the United States. Not much to rebut the presumption.

But this is actually getting ahead of ourselves. After all, what does it mean for an Act to “apply overseas”? Just about every Act of Congress arguably has some impact abroad, albeit often a minuscule one; surely we can’t be talking about those applications? Indeed we aren’t. The Supreme Court likes to avoid these nitpicky points by identifying the “focus” of the law at issue. If the focus of the law occurs abroad, the presumption against extraterritoriality kicks in; if the focus is domestic, the presumption remains dormant.

It is in this focus analysis that I think the Second Circuit makes its principal misstep. The Second Circuit held that the focus of ECPA was in protecting the privacy of emails, itself a reasonable, if vague, conclusion. The government’s competing argument was that ECPA is really about disclosure, and that the disclosure in this case took place domestically. While I generally think the government’s argument makes more sense from a pure interpretative perspective (the SCA is structured entirely around disclosure), my criticism here is entirely based on the ramifications of the Second Circuit’s opinion. ECPA is certainly intended to protect privacy (by regulating disclosure, but I digress), but this interpretation may ultimately work against Microsoft, perhaps even in this very case.

What applies where?

Now for some tricky logical loops. The Second Circuit says that ECPA protects privacy, and that it does not overcome the presumption against extraterritoriality. So ECPA protects privacy in America; ECPA does not apply overseas. This is not a good thing for people concerned with protecting privacy, because now the government can fall back on its generalized subpoena powers. Without ECPA protecting this foreign email account, the only bar on disclosure is the Fourth Amendment and generalized subpoena law. And as the Second Circuit admits, the subpoena power allows for mandating the disclosure of documents stored overseas (although it imposes a rather perplexing caveat that there must be no expectation of privacy in them). Without ECPA providing this statutory privacy right to the extraterritorial email, there is nothing that allows Microsoft to resist disclosure. Because ECPA is not about disclosure.

That was probably slightly headache-inducing, but the general idea is that ECPA actually serves as a restraint on the government’s subpoena power, not a facilitation of it. Without ECPA, the government has very few restrictions on its right to demand information from companies like Microsoft. The Fourth Amendment thus far is a fairly weak restraint with regard to US persons (outside of the Sixth Circuit), and the Fourth Amendment doesn’t apply at all to foreign persons. So rather than use ECPA, which at least required the equivalent of a probable cause warrant, the government can now effectively just demand that Microsoft hand it over.

The Second Circuit attempts to address this somewhat, by claiming that ECPA only applies domestically, but that ECPA’s grant of privacy rights somehow vests automatically when communications are requested in the US, regardless of where they were originally located. This is an odd argument. For one, this is a bit of a have-your-cake-and-eat-it-too type of argument, as the Second Circuit is applying the logic of the government when determining who gets these rights, but the logic of Microsoft when applying those rights. But more fundamentally, even if requesting email data somehow conferred privacy rights, those privacy rights can’t vest in the US until the email data is actually in the US, meaning that ECPA suddenly applies again, and we’ve just wasted a bunch of time. Either the act grants privacy to the entire world, or only in the US; it can’t be both.

This actually isn’t a completely new argument either; Orin Kerr, one of the foremost experts in computer crime law, has discussed this potential interpretation in the past, and seems to share my skepticism that this is an overall positive outcome. He gives the Second Circuit a bit more credit, though, reading this as creating a “privacy is in the eye of the privacy violator” rationale, where the thing ECPA regulates is actually invasions of privacy, not privacy per se. I am skeptical that such an argument could ever be workable, as it seems to defy logic and the Second Circuit’s own rationales. This also would suggest that ECPA doesn’t prevent Microsoft from disclosing your data to someone outside of the country, as the invasion of privacy is happening extraterritorially. (Something Congress definitely intended for ECPA to cover.) I just can’t make sense of this logic.

Indeed, the more rational voice seemed to be the concurring opinion of Justice Lynch, which agreed, somewhat begrudgingly, with the majority, but wrote separately to identify how there were no good outcomes in this case. As I discussed in my previous post on the topic, just about any way you swing this sword, someone is going to be hurt. The only logical solution is for Congress to clarify ECPA (which is occurring, albeit not on this issue), as there is only so much interpretative work courts can get away with.

Moving Forward

So I think this was a bad outcome, and arguably none of the possible outcomes was a “good” one. What happens next? There are several options.

  1. The government may appeal, and the Supreme Court could weigh in on this issue, although I’m not sure they could wave their hands and find a magic solution that resolves all of these issues.

  2. The government may think this means what I think it means, accept the judgement, and try their hand at using the subpoena power to reach the same email address. While I am sure that would be just as heavily litigated, it also would be supported by this case.

  3. Congress steps in. This is the option everyone wants, as ECPA really should specify how its application is determined, procedures for requesting data located extraterritorially, and when those procedures can be used. Most people agree that a US person shouldn’t be able to avoid US law enforcement by storing their emails abroad, the issue is distinguishing that case from the foreign person storing emails abroad with which the US has no legitimate interest. (And the more controversial case of foreign person storing emails abroad, but which the US asserts a legitimate interest.)

I’ve also mentioned in the past the potential for this type of ruling to lead to data localization laws in the US, and while I highly doubt this would ever occur, the encryption debate should highlight Congress’s increasing worry over the role that technology can play in subverting law enforcement.

Final Thoughts

I’ve mentioned before that I view this case, and indeed many modern computer issues, as really being about the ambiguous and overlapping rules of data governance. Basically, when do countries get to assert that their laws apply to data, and why? The problem thus far has been that just about everyone appears to be able to assert a legitimate claim to regulate data, and a world where everyone’s laws apply is fundamentally unworkable. To resolve this, we need to clarify when countries can assert an interest in data, how to handle competing interests to that data, and how to handle the companies that are the rope in this increasingly literal game of tug-of-war.

Until next time.

-Scott

2 thoughts on “A Win for Microsoft in Ireland?”

  1. Well, that was headache-provoking, especially for those of us who are non-lawyers as well as non-Americans.

    You said: “Most people agree that a US person shouldn’t be able to avoid US law enforcement by storing their emails abroad, the issue is distinguishing that case from the foreign person storing emails abroad with which the US has no legitimate interest. (And the more controversial case of foreign person storing emails abroad, but which the US asserts a legitimate interest.)”

    You might find it of interest here that your third scenario ostensibly applies, i.e. a foreign person storing their emails abroad, but against which the U.S. asserts a legitimate interest. (I would dispute that the U.S. has a legitimate interest, but my opinion doesn’t count.)

    The party involved has come forward, and tweeted that the emails are his. The person in question is Gary Davis, who is an Irish citizen, resident in Ireland, whose emails were/are stored in a Microsoft datacentre located in Dublin, Ireland. (Twitter: @GaryDavisIRL).

    Mr. Davis is alleged by the United States to be involved in the operation of Silk Road. Mr. Davis is currently contesting extradition from Ireland to the United States in the Irish courts, which are expected to issue a ruling later this month.

    For the life of me, I cannot understand why in heaven’s name the DOJ wasted the better part of two years on this? The DOJ has apparently argued that the Mutual Legal Assistance process is too cumbersome, and takes too long. That’s just too bad — the United States entered into a treaty with Ireland and, instead of adhering to that treaty, the DOJ goes out of its way to circumvent the process that it is legally bound to follow.

    All this clearly demonstrates to me (and to other non-Americans) is that the United States cannot be trusted to follow the rules and processes that it had agreed to, even via treaty — the word of the U.S. government simply cannot be trusted — it isn’t worth the paper it’s written on.

    Furthermore, the apparent rules under which someone can be deemed a person against which the United States can assert a legitimate interest are laughably overbroad. In comments made to the Washington Post, Jessica Tillipman, assistant dean and lecturer at the George Washington University Law School, stated:

    “You have U.S. statutes where there are extraterritorial provisions that can reach foreign citizens if they violate certain laws,” Tillipman explained. For most of those laws, there has to be “a jurisdictional hook,” she explained, an aspect of the crime that took place within the United States’ jurisdiction: A phone call that included a person in the United States, for example, or a visit to the country, or, as has happened, an e-mail that passed through a server in the country. “There has to be some sort of touch point for the United States,” Tillipman said.

    An email that passed through a server in the country? I understand that something like 80% of Internet traffic worldwide goes through the U.S. at some point. What Dean Tillipman is saying here is that, in essence, because of these “jurisdictional hooks” that United States law effectively applies all over the planet. Is it any wonder at all, that there are moves afoot to ‘Balkanize’ the Internet, by routing traffic so that it does not touch U.S. servers?

    Given the DOJ’s shenanigans, it is little wonder that the Irish government was up in arms over the prospect of its sovereignty being violated; the same goes for the rest of the EU.

    95% of the world’s population are NOT American, and frankly, I would argue that a majority of them very likely both hate and resent America’s overweening arrogance in this regard. I suppose this should not come as any surprise, really — after all, America has appropriated to itself the right to rendition, kidnap, invade, bomb, or kill anyone they choose, without any repercussions whatsoever. (And then Americans wonder why they are held in such low esteem.)

    • Thanks for your comment. I would just add two quick thoughts:

      1. I mostly avoided discussion of the MLAT, which as you rightly point out would provide an alternate (and legally uncontroversial) avenue for accessing the email account. While it is true that in this instance the MLAT would have proved quicker than multi-year litigation, this case is mostly about setting precedent. However, I wouldn’t characterize the US govt.’s activities here as nefariously as you have; the MLAT is one mechanism for accessing this data, but it is not exclusive. At least not in this case.

      2. I agree that the potential rules for a national govt. to assert an interest are broad, but this arises more from the practicalities of the Internet than anything specific to US policy. The US can certainly assert jurisdiction over US persons, US-stored data, and US-based data controllers, all within standard rules of jurisdiction (and notwithstanding the outcome in this case). By contrast, the EU in some ways takes an even more expansive interpretation of jurisdiction, asserting the right to regulate anything that impacts the privacy of EU citizens, regardless of where the data is stored or where the data-controller is located. (For example, French courts have attempted to impose the EU “right to be forgotten” outside of just google.fr, to all google domains, effectively regulating what we in the US can read about.)
