It’s been quite a while since my last post, but this past week has been just brimming with legal news surrounding computer laws, so I felt compelled to comment. The Ninth Circuit issued two highly controversial opinions interpreting the CFAA, (one seems to criminalize password sharing; the other criminalizes visiting a website once they specifically tell you not to), and the Second Circuit issued a win for Microsoft in the Microsoft-Ireland case. Although all of these rulings are very interesting, and I have plenty to say, I’ll be limiting my commentary to the Microsoft ruling. As you may recall, I covered this case in a previous post, and the Second Circuit has apparently completely disregarded my very sound legal advice! So let’s try again.
Since I’ve discussed this previously, I’ll keep the background brief. Microsoft was issued a warrant for the content of an email account whose data was stored in Ireland. Microsoft objected, claiming that you can’t issue warrants to search extraterritorially (outside the US). The government responded by saying that the warrant wasn’t being applied extraterritorially; it was being served to Microsoft, located in the US. Who wins? The district court sided with the government (adopting the opinion of the initial magistrate); the Second Circuit sided with Microsoft. (It’s unclear whether the government will try to appeal to the Supreme Court, but I suspect they will.)
That’s the short version. The long version is very long, and implicates a number of fascinating questions about computer searches and seizures, international law, and statutory interpretation. The Second Circuit mostly foregoes the first two, focusing on the appropriate statutory interpretation of the Electronic Communications Privacy Act (ECPA), the law that authorized the “warrant” the government issued. ECPA can be thought of as the Fourth Amendment for email, and while frequently criticized, ECPA has been the law for 30 years. (That fact also serves as the law’s most frequent criticism; email in the 80’s hardly reflects the modern world.)
Putting aside the standard ECPA talking points, the Second Circuit opinion is mostly an issue of statutory construction. Specifically, does ECPA, as written, apply to data stored overseas? To figure this out, the Second Circuit (rightly) invokes the presumption against extraterritoriality, a judicial creation that says that courts should presume that laws don’t apply overseas unless Congress explicitly says that they do. This inquiry is fairly open and shut: Congress was silent on extraterritorial application of ECPA, and specifically invokes FRCP 41, which limits traditional warrant execution to within the United States. Not much to rebut the presumption.
But this is actually getting ahead of ourselves. After all, what does it mean for an Act to “apply overseas”? Just about every Act of Congress arguably has some impact abroad, albeit often a minuscule one; surely we can’t be talking about those applications? Indeed we aren’t. The Supreme Court likes to avoid these nitpicky points by identifying the “focus” of the law at issue. If the focus of the law occurs abroad, the presumption against extraterritoriality kicks in; if the focus is domestic, the presumption remains dormant.
It is in this focus analysis that I think the Second Circuit makes its principle misstep. The Second Circuit held that the focus of ECPA was in protecting the privacy of emails, itself a reasonable, if vague, conclusion. The government’s competing argument was that ECPA is really about disclosure, and that the disclosure in this case took place domestically. While I generally think the government’s argument makes more sense from a pure interpretative perspective, (the SCA is structured entirely around disclosure), my criticism here is entirely based on the ramifications of the Second Circuit’s opinion. ECPA is certainly intended to protect privacy, (by regulating disclosure, but I digress), but this interpretation may ultimately work against Microsoft, perhaps even in this very case.
What applies where?
Now for some tricky logical loops. The Second Circuit says that ECPA protects privacy, and that it does not overcome the presumption against extraterritoriality. So ECPA protects privacy in America; ECPA does not apply overseas. This is not a good thing for people concerned with protecting privacy, because now the government can fall back on their generalized subpoena powers. Without ECPA protecting this foreign email account, the only bar on disclosure is the Fourfth Amendment and generalized subpoena law. And as the Second Circuit admits, the subpoena power allows for mandating the disclosure of documents stored overseas (although it imposes a rather perplexing caveat that there must be no expectation of privacy in them). Without ECPA providing this statutory privacy right to the extraterritorial email, there is nothing that allows for Microsoft to resist disclosure. Because ECPA is not about disclosure.
That was probably slightly headache inducing, but the general idea is that ECPA actually serves as a restraint on the government’s subpoena power, not a facilitation for it. Without ECPA, the government has very few restrictions on their right to demand information from companies like Microsoft. The Fourth Amendment thus far is a fairly weak restraint with regard to US persons (outside of the Sixth Circuit), and the Fourth Amendment doesn’t apply at all to foreign persons. So rather than use ECPA, which at least required the equivalent of a probable cause warrant, the government can now effectively just demand Microsoft to hand it over.
The Second Circuit attempts to address this somewhat, by claiming that ECPA only applies domestically, but that ECPA’s grant of privacy rights somehow vest automatically when communications are requested in the US, regardless of where they were originally located. This is an odd argument. For one, this is a bit of a have-your-cake-and-eat-it too type argument, as the Second Circuit is applying the logic of the government when determining who gets these rights, but the logic of Microsoft when applying those rights. But more fundamentally, even if requesting email data somehow conferred privacy rights, those privacy rights can’t vest in the US until the email data is actually in the US, meaning that ECPA suddenly applies again, and we’ve just wasted a bunch of time. Either the act grants privacy to the entire world, or only in the US; it can’t be both.
This actually isn’t a completely new argument either; Orin Kerr, one of the foremost experts in computer crime law, has discussed this potential interpretation in the past, and seems to share my skepticism that this is an overall positive outcome. He gives the Second Circuit a bit more credit, though, reading this as creating a “privacy is in the eye of the privacy violator” rationale, where the thing ECPA regulates is actually invasions of privacy, not privacy per se. I am skeptical that such an argument could ever be workable, as it seems to defy logic and the Second Circuit’s own rationales. This also would suggest that ECPA doesn’t prevent Microsoft from disclosing your data to someone outside of the country, as the invasion of privacy is happening extraterritorially. (Something Congress definitely intended for ECPA to cover.) I just can’t make sense of this logic.
Indeed the more rational voice seemed to be the concurring opinion of Justice Lynch, which agreed, somewhat begrudgingly, with the majority, but wrote separately to identify how there were no good outcomes in this case. As I discussed in my previous post on the topic, just about any way you swing this sword, someone is going to be hurt. The only logical solution is for Congress to clarify ECPA (which is occurring, albeit not on this issue), as there is only so much interpretative work courts can get away.
So I think this was a bad outcome, and arguably no outcome presented a “good” outcome, what happens next? There are several options. 1. The government may appeal, and the Supreme Court could weigh in on this issue, although I’m not sure they could wave their hands and find a magic solution that resolves all of these issues. 2. The government may think this means what I think it means, accept the judgement, and try their hand at using the subpoena power to reach the same email address. While I am sure that would be just as heavily litigated, it also would be supported by this case. 3. Congress steps in. This is the option everyone wants, as ECPA really should specify how its application is determined, procedures for requesting data located extraterritorially, and when those procedures can be used. Most people agree that a US person shouldn’t be able to avoid US law enforcement by storing their emails abroad, the issue is distinguishing that case from the foreign person storing emails abroad with which the US has no legitimate interest. (And the more controversial case of foreign person storing emails abroad, but which the US asserts a legitimate interest.) I’ve also mentioned in the past the potential for this type of ruling to lead to data localization laws in the US, and while I highly doubt this would ever occur, the encryption debate should highlight Congress’s increasing worry over the role that technology can play in subverting law enforcement.
I’ve mentioned before that I view this case, and indeed many modern computer issues as really being about the ambiguous and overlapping rules of data governance. Basically, when do countries get to assert that their laws apply to data, and why? The problem thus far has been that just about everyone appears to be able to assert a legitimate claim to regulate data, and a world where everyone’s laws apply is fundamentally unworkable. To resolve this, we need to clarify when countries can assert an interest in data, how to handle competing interests to that data, and how to handle the companies that are the rope in this increasingly literal game of tug-of-war.
Until next time.