Microsoft Prevails in Case Involving Stored EmailsClosely Watched Case Could Have Expanded Government's Reach in Cloud Computing Age
Microsoft has prevailed after a U.S. appeals court reaffirmed the company does not have to turn over emails that are stored overseas to federal authorities investigating a crime. The closely watched case explored the territorial boundaries of U.S. law in the cloud computing age.
In a 4-4 decision on Jan. 24, the U.S. Second Circuit Court of Appeals found that the federal government cannot request through a warrant any emails maintained outside the U.S. The court denied rehearing the case, which the government sought, although federal officials could now petition the Supreme Court.
The case tested the limits of the Stored Communications Act, passed by Congress in 1986, which outlines how the government can obtain electronic communications. The law does not address communications stored in another country.
In denying the rehearing, Circuit Judge Susan L. Carney wrote that the SCA is long overdue for a revision given today's data storage landscape and the needs of law enforcement. But the act as written - and in line with Supreme Court precedent - would not apply to data stored outside the U.S.
"Although the realities of electronic storage have widely outstripped what Congress envisioned in 1986, we are not so far from the context of the SCA that we can no longer apply it faithfully," Carney writes.
The technology industry widely backed Microsoft's resistance to turning over the emails, with support coming from companies including Salesforce.com, HP, Cisco, eBay and Verizon Communications.
In a statement provided to Information Security Media Group, Microsoft Chief Legal Office Brad Smith called on Congress to modernize the law in order to keep people safe and ensure that governments respect each other's borders. "This decision puts the focus where it belongs, on Congress passing a law for the future rather than litigation about an outdated statute from the past," Smith writes.
The Electronic Frontier Foundation, which backed Microsoft in the case, agreed that the SCA has not kept up with the times. "The technical and business infrastructure of electronic communications and data storage has changed; indeed, in the United States, our legal and social understandings of privacy, including the Fourth Amendment, have changed as well," Lee Tien, the EFF's senior staff attorney, tells ISMG.
Microsoft: Go to Ireland
The case kicked off after a federal court magistrate in the Southern District of New York issued a warrant to Microsoft in December 2013 that required the company to turn over email and metadata concerning a suspect in a criminal investigation. The content was stored in Ireland, where Microsoft has run a data center since 2010, according to the Center for Democracy and Technology.
Microsoft could have easily accessed the suspect's emails from the U.S., just as anyone can access web-based mail from anywhere in the world. But Microsoft resisted the warrant, arguing that the government did not have the authority to seize data held outside the U.S. (see Microsoft to Appeal E-Mail Ruling).
As an alternative, Microsoft suggested the government should work with Ireland, requesting help through the Mutual Legal Assistance Treaty, which outlines procedures for cross-border law enforcement cooperation.
In 2014, a magistrate denied Microsoft's motion to vacate the warrant. Microsoft appealed, and in July 2016, the Second Circuit Court of Appeals found in favor of the company. But the government asked for the court to rehear the case, resulting in the latest decision.
Argument: Location Doesn't Matter
The four dissenting judges said that the location of the content did not matter because data can be accessed from anywhere. The warrant applies because Microsoft had access and controlled the data, writes one dissenter, Circuit Judge Dennis Jacobs.
The company "need only touch some keys in Redmond, Washington," Jacobs writes. "If I can access my emails from my phone, then in an important sense my emails are in my pocket, notwithstanding where my provider keeps its servers."
Carney disagreed that the instant nature of how the content could be accessed mattered in relation to the jurisdictional concern. "My dissenting colleagues take issue with the idea that 'privacy' can have a territorial locus at all when it comes to electronic data, given the ease with which the data can be subdivided or moved across borders and our now familiar notion of data existing in the ephemeral 'cloud.' But, mundane as it may seem, even data subject to lightning recall has been stored somewhere, and the undisputed record here showed that the 'somewhere' in this case is a data center firmly located on Irish soil."