A different take on the Second Circuit's Microsoft warrant case

I've been thinking more about the Microsoft warrant dispute, a case I have blogged about several times before (1, 2, 3, 4). In this post, I want to offer a different way of thinking about the case. The parties may have fundamentally misunderstood what the case is about. The upshot is that Microsoft shouldn't win on the argument it has made, but it might have a winning argument that has gone unmentioned in the briefing. This post will explain my thinking.

1. Have the Parties Misframed the Issue?

Microsoft is challenging a federal search warrant for e-mails that Microsoft has stored on a server in Ireland. According to Microsoft's brief, the issue is whether the Stored Communications Act (SCA) applies to data stored overseas. Microsoft argues that the SCA regulates data and is being impermissibly applied extraterritorially, so the warrant should not be allowed. The United States responds that the SCA applies and the warrant should be enforced because the SCA regulates providers inside the U.S.. If you accept this framing, which side should win depends on whether the territorial SCA regulates providers (in this case inside the U.S.) or regulates data (in this case outside the U.S.).

I think this framing may be based on a mistaken view of the SCA. The SCA does two main things. First, it places a burden on the government to obtain certain legal process to compel disclosure, see 18 U.S.C. § 2703. Second, it limits when providers are allowed to disclose customer information, see 18 U.S.C. § 2702. But here's the key: The statute does not appear to compel providers to hand over information in response to orders. The orders themselves may require disclosure. And § 2702 permits disclosure when the government has sufficient process under § 2703. See 18 U.S.C. § 2702(b)(2). But the SCA itself does not impose a burden on providers to disclose information in response to court orders beyond what the court orders themselves say.

Look closely at the language of 18 U.S.C. § 2703. Without § 2703, the government could require the provider to disclose contents with any kind of order to compel. A subpoena would be enough. But thanks to § 2703(a), the government has to use a search warrant. The text imposes a limit on the government:

A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication . . . only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction.

The government needs a warrant, not some lesser form of compulsion, to require disclosure.

Why does this matter? If the SCA doesn't impose an independent duty on providers to comply with anything, then the extraterritorial application of the SCA—the focus of the briefs—becomes irrelevant to whether Microsoft has to comply with the warrant.

Whether the SCA applies would still have some relevance. It would determine things like whether Microsoft can be held liable for complying with the warrant and whether Microsoft can be reimbursed for the cost of compliance. If the SCA applies, Microsoft cannot be sued under § 2703(e) and it has a right to reimbursement under § 2706. If the SCA doesn't apply, Microsoft does not have that statutory immunity or right to reimbursement. But if the SCA does not impose a requirement on providers to comply with court orders, then whether the SCA applies is irrelevant to whether Microsoft has to comply with the government's warrant.

2. If the Parties Misframed the Issues, Different Legal Questions Should Control

If this reading of the statute is correct, the source of any obligation on Microsoft is the search warrant instead of the SCA. The key question in the case is not whether the warrant here should be allowed, or whether it is enforceable, but rather whether the warrant obtained in this case requires Microsoft to retrieve information that is located offsite—in this case, it turns out, in Ireland.

Figuring out what the search warrant requires involves two different steps. First, what kind of search does the warrant authorize? And second, whatever the warrant authorizes generally, what does it require of Microsoft specifically?

On the first question, what does the warrant authorize, the issue is hard because the warrant in this case is pretty odd. The Fourth Amendment says that warrants must specify a place to be searched and property to be seized there. The warrant in the Microsoft case describes the "place" to be searched as the named MSN e-mail account, which is stored at premises owned or controlled by Microsoft. It describes the property to be seized as the contents of the account. This strikes me as a weird way to draft a warrant. But putting the oddity of the warrant language aside, I would think the court needs to consider this question: Does the warrant authorizing the search of the "place" described by the warrant authorize the retrieval of information from offsite that is accessible by Microsoft?

This issue is different from the argument Microsoft makes in its brief. Microsoft argues that retrieving data from abroad is a Fourth Amendment search abroad, and therefore that retrieving data from abroad is an impermissible extension of the SCA. But the important question is not whether retrieving evidence remotely is in some academic sense an "application" of the SCA, or the metaphysical question of where that application of the SCA is occurring. Instead, the issue should be whether the warrant obtained in this case actually authorizes that retrieval.

There's a second question. Assuming the warrant commands someone to pull the data remotely from Ireland, does it command Microsoft to help? The warrant tells law enforcement, not Microsoft, that it can execute the warrant. The Supreme Court's decision in United States v. New York Telephone makes clear that a federal court issuing the warrant could also issue an All Writs Act order requiring the provider to help execute the warrant. As far as I can tell, though, there was no All Writs Act order obtained in this case. And absent that, I'm not sure the government has obtained a court order needed to force Microsoft to do anything at all.

In short, I wonder if the parties have overlooked a big part of the case. Perhaps Microsoft should be arguing that the warrant itself doesn't force them to do what the government wants them to do—independently of the SCA. I don't know what the answer to that question should be. It's a pretty novel question not briefed by the parties. Either way, I'm left wondering if the big issue in this case has been left unaddressed by the parties.

3. If the Parties Framed the Issues Correctly, DOJ Has the Better Argument

The alternative reading is the one the parties assume: That § 2703 implicitly imposes a requirement on providers to execute warrants when the government obtains a warrant under 2703(a). When § 2703(a) says that the government "may require" the provider to disclose "only" when it has a warrant, the thinking goes, that compels the provider to disclose the information regardless of how the warrant is drafted. That's how most people who work with the SCA have assumed it works.

Under that alternative reading, the territoriality of § 2703 becomes really important. Because the SCA is the source of the claimed duty for Microsoft to gather evidence to execute the warrant, we need to say whether an application of the SCA is territorial to know how far that duty extends.

With the case so framed, I think the government has the better argument that Microsoft has to retrieve the e-mails from the Irish server. If you read § 2703 as imposing a legal duty on providers to disclose the information described in the warrant, it makes sense that the territorial scope of that duty to disclose is defined by where the provider is. That's because, by hypothesis, § 2703(a) imposes a duty on providers. As another circuit recently wrote, "What constitutes a territorial connection that brings an action within the reach of a United States statute must ultimately be determined by examining the focus of congressional concern in the particular statute." And if you assume that § 2703(a) imposes a burden on providers to gather evidence in response to a warrant, then the focus of congressional concern is on the providers doing the gathering. A territorial duty on providers is naturally imposed where the providers are located to respond to that duty, not where they happen to have placed their data.

Because the government and the provider are in the United States, it is a territorial application of the SCA for a U.S. warrant to compel Microsoft in the U.S. to gather the information regardless of where the information is located.

Microsoft's primary response is that the data should matter in determining territoriality because compliance in the U.S. effectuates a search and seizure overseas, making the application extraterritorial. I'm not convinced. First, I'm skeptical that Congress was focused on searches and seizures when it enacted the SCA. Searches and seizures are Fourth Amendment concepts, and the point of the SCA was mostly to provide for privacy protections where the Fourth Amendment did not.

More broadly, the Fourth Amendment discussion in the briefs seems somewhat misplaced. Microsoft did not include in the record information about where the owner of the account is located. Its briefing hints, however, that the account owner is a foreign citizen located overseas. If that's right, the account holder has no Fourth Amendment rights under United States v. Verdugo-Urquidez. That means that compliance with the warrant doesn't implicate the Fourth Amendment or raise any questions of what is a search or seizure. This case comes to the Second Circuit as a statutory case, not a Fourth Amendment case.

Concluding that the territoriality of the SCA is defined by provider location instead of data location makes practical sense, too. Data can be anywhere and nowhere. For example, a U.S. provider could take an e-mail and divide it into five pieces. Each individual "piece" would be meaningless zeros and ones; the e-mail would exist in readable form only when all five pieces were combined together. Imagine the U.S. provider stores the five pieces on five different servers: one in the U.S., one in France, one in Russia, one in Madagascar, and on on a ship in international waters. The provider could view the e-mail at the press of a button from its headquarters in the U.S.

If Microsoft is right that the location of the data is what matters, then what privacy protection would apply for such an e-mail? Would we just say that the e-mail is in no location, so it cannot be compelled at all? Alternatively, would we say that legal process has to be obtained from each place where parts of the e-mail are located? The government would need a U.S. warrant for the U.S. piece; it would need to pursue MLATs for the French and Russian pieces; it also would need to pursue the piece in Madacasgar through letters rogatory, as there is no MLAT between the U.S. and Madacasgar; and it also would need to do something else—storm the boat, maybe?—to get the piece from the ship in international waters. That's pretty unworkable. And what if the provider's network automatically moves the pieces around in unpredictable ways so the different pieces of data are in different locations at different times? How would the statute work then?

4. Conclusion

I'm still not sure which side I think should win. If we accept Microsoft's framing of the issues, which treats § 2703(a) as imposing a legal duty to disclose, then I think the government should win. But if we read § 2703(a) as not requiring provider disclosure, but instead look to the warrant as the source of any duty on Microsoft, then I'm not sure Microsoft has to do anything in response to this particular warrant. And if Microsoft wants to execute the warrant, or if the government gets an All Writs Act order mandating Microsoft's assistance, then I'm not sure complying with the warrant requires the remote retrieval of information from any site—whether from across town or across the Atlantic Ocean. It might or it might not. The parties have not briefed the question, and I'm not sure of the answer.