Second Circuit Rules FBI Warrant is Invalid Overseas
Thursday, August 4, 2016
Posted by: Jason Krause
The Second Circuit has reversed an order from the United States District Court for the Southern District of New York which would have compelled Microsoft to provide customer data that is stored outside of the United States. Observers say the opinion will help bolster the newly negotiated EU-US Privacy Shield agreement and provide more protections for international customers using American-based cloud services.
The suit began in 2013 when a federal magistrate in New York granted a search warrant to the Department of Justice under the Stored Communications Act (SCA) against Microsoft. The court issued the warrant for both personal user data and email content as part of an ongoing investigation into narcotics trafficking. Microsoft challenged the warrant, and the District Court initially held Microsoft in contempt for “refusing to execute the Warrant on the government’s behalf.”
The Department of Justice argued that the emails in question constitute a business record of Microsoft and therefore the company could access them by means of a search warrant no matter where Microsoft stores them. However, after engaging in a lengthy analysis on the origins, history, and statutory definition of a “warrant,” the Second Circuit ruled last month that the DoJ is not entitled to view the emails. “The SCA does not authorize a U.S. court to issue and enforce an SCA warrant against a United States‐based service provider for the contents of a customer’s electronic communications stored on servers located outside the United States,” says the opinion.
This Warrant is No Good in Ireland
Jennifer Mozwecz, a vice chair of the ABA Privacy, E-Commerce, and Data Security Committee, says that the ruling is significant because the US government cannot compel Microsoft, or other companies, to turn over customer emails stored on servers outside the United States with a simple warrant. “The decision does not say that there is no means to obtain data under the SCA, just not by a warrant,” says Mozwecz, a partner with Shams, Rodriguez & Mozwecz in Chicago. “That doesn’t mean there aren’t other avenues, but a warrant is no longer one of them.”
According to Mozwecz, European Union countries are looking for assurances that the United States will comply with the newly negotiated EU-US Privacy Shield agreement. The agreement is a replacement for the Safe Harbor data transfer agreement which was invalidated by the European Court of Justice last October over concerns that the United States government did not offer sufficient protections for European citizens. “(The ruling) provides some security to non-US citizens that their data is protected from US authorities when doing business with American companies,” says Mozwecz. “That gives more comfort to people using Google, Microsoft, or other products by US-based companies that the FBI can’t just ignore international borders when conducting an investigation.”
Defining the Cloud
The opinion also clarifies that if law enforcement wishes to issue a warrant on a cloud service provider, the warrant must be issued in the jurisdiction where the data is stored, not where the service provider is headquartered. According to the opinion, Microsoft currently makes “enterprise cloud service offerings” available to customers in over 100 countries through Microsoft’s “public cloud.” The service offerings are “segmented into regions, and most customer data is generally contained entirely within one or more data centers in the region in which the customer is located.” Microsoft disclosed all other responsive information, which was kept within the United States, and moved the magistrate judge to quash the warrant with respect to the user content stored in Ireland.
The company argued that the ability to keep customer data segregated and confined to specific geographic locations makes it possible for cloud service providers to assure customers that their data is subject to local laws, as it would be if it were stored on a personal computer. Because the SCA was written long before cloud computing became a reality, it makes no provisions to enable law enforcement to access data that is accessible online but stored via a cloud service.
According to Mozwecz, this situation will need to be addressed by Congress. As we have reported, the Stored Communications Act is part of the Electronic Communications Privacy Act (ECPA), which became law in 1986 and has not been updated to keep up with changes in communications technology. “Unfortunately, the laws in this area need a major overhaul and that will take serious legislative action,” says Mozwecz. “I don’t know if Congress has the will to make that happen at this point in time, though.”
The case is In re a Warrant to Search a Certain E-mail Account Controlled & Maintained by Microsoft Corp., No. 14-2985 (2d Cir. July 14, 2016). You can read the opinion here.