A statutory fix for the Microsoft problem—tentative draft #1

|The Volokh Conspiracy |

epa04855933 (FILE) A file image dated 05 March 2013 showing the Microsoft logo at Microsoft stand at the CeBit trade fair, Hanover, Germany. Microsoft announced on 21 July 2015 a revenue loss of 2.1 billion dollars bringing its revenue to 22.2 billion dollars for the fourth quarter. EPA/MAURITZ ANTIN
(EPA/MAURITZ ANTIN)

The Second Circuit heard argument last week in the Microsoft warrant case. The big question in the case is how U.S. privacy law should deal with government access to contents stored on foreign servers, either belong to U.S. citizens or foreigners. Press reports suggest that the Second Circuit realized what a lot of us have been saying: This is a problem for Congress, not the courts.

What would a statutory fix look like? This post offers a framework to try to solve the territoriality problem exposed by the Microsoft case. To be extra clear, I'm not saying it is "the answer." But I hope it's at least a starting point for discussion.

The basic idea of my approach is for the government to use U.S. warrants to compel contents held for U.S. citizens and permanent residents or those physically inside the U.S., but to have foreign legal process used instead, where feasible, to access contents held by foreign residents outside the U.S. My approach has three steps:

1) Upon receiving a warrant for contents under the Stored Communications Act, a provider can move to set aside the warrant on the ground that the account is not controlled by a U.S. person (as defined in 50 U.S.C. 1801(i)) or a person currently located inside the United States. The provider must support its motion with evidence from its records of the account —or other information, if available—as to the identity or location of the person who controls the account.

2) The government can then oppose the motion to set aside the warrant. The government must support its opposition with evidence either that (a) contrary to the provider's position, the account is controlled by a U.S. person or a person located inside the United States, or that (b) the account is controlled by a non-U.S. person located outside the United States but that the alternative of proceeding through a Mutual Legal Assistance Treaty (MLAT) would be futile. Proceeding through an MLAT would be futile if there is no Mutual Legal Assistance Treaty with the country in which the data is stored, or because the government can that show proceeding under the MLAT would seriously jeopardize the investigation under the specific circumstances of the case.

3) The court should rule in camera based on the motion, opposition, and supporting documents. If the court is persuaded that the account is controlled by a U.S. person, or a person physically located inside the U.S., the court should deny the motion to set aside the warrant. Similarly, if the court is persuaded that account is controlled by a non-U.S. person outside the United States but that there is no workable MLAT alternative—either because there is no MLAT procedure with the country where the data is stored, or the MLAT procedure is sufficiently broken that relying on it would be futile under the circumstances—then the motion should be denied. If the court is persuaded that the account is held by a non-U.S. person outside the U.S. and there is a workable MLAT alternative, then the court should grant the motion to set aside the warrant.

Here's my thinking. The providers need to be able to tell European customers and governments that their communications won't be accessible using a U.S. warrant. They know which of their accounts are European government accounts, and normally they have a good idea about which of their customers are European. Because there are functioning MLAT procedures with those countries, the providers won't have to comply with warrants to disclose contents from such accounts. On the other hand, the government wants to get warrants for U.S. persons or people in the U.S., and they don't want to be completely stymied by the possibility of storage in a country with no workable legal process alternative. (Rogatory letters can work in some jurisdictions where MLATs are not available, but generally not well.) So in those cases, the government could rely on a traditional U.S. search warrant. My hope is that perhaps this kind of procedure could give each side what it needs.

My approach is somewhat similar to the LEADS Act proposed by Senators Coons and Hatch. But I think my approach is better. The LEADS Act tries to achieve a similar goal with this language:

A warrant issued under [the SCA] may require the disclosure of the contents of a wire or electronic communication, regardless of where such contents may be in electronic storage or otherwise stored, held, or maintained by the provider, if the account-holder whose contents are sought by the warrant is a United States person. A court issuing a warrant pursuant to this subsection, on a motion made promptly by the service provider, shall modify or vacate such warrant if the court finds that the warrant would require the provider of an electronic communications or remote computing service to violate the laws of a foreign country.

This language strikes me as vague and a somewhat awkward fit with the problem. First, is the first sentence supposed to imply that no such authority exists if the account holder is not a U.S. person? What if the person is not a U.S. person but lives in the U.S.—why shouldn't a U.S. warrant be sufficient? (Imagine an undocumented immigrant commits a crime in the U.S.: Why should accessing the immigrant's U.S.-based e-mail account be beyond the U.S. warrant authority?) What if the account holder is foreign but there is no realistic MLAT alternative? And why should a violation of foreign law be the test, assuming that a U.S. court can tell that the disclosure would violate foreign law?

Returning to my proposal, several details need to be addressed. Among them:

(a) What is the burden at each stage? I would think the law should presume that accounts accessible in the U.S. by U.S. providers belong to a U.S. person or person located in the United States. But I'm not sure what standard should overcome that presumption. A preponderance of the evidence? Probable cause? Clear and convincing evidence?

(b) What is the standard for futility? I was thinking something like the 18 U.S.C. 2705(a)(2) standard, but I'm not sure.

(c) Should the law provide for appellate review of the judge's decision? Probably not, I think, as the expected gains from appellate review are probably outweighed by the delay of the added litigation.

(d) What about the reverse problem, when foreign governments want access to communications held by foreign citizens located abroad that happens to be stored in the U.S.? Should U.S. providers be permitted to respond to those court orders in some circumstances? Current law allows disclosure for non-content information but not content information. Is that the right balance to strike, or should the law allow disclosure for both or ban disclosure for both?

(e) Under my tentative proposal, the location of the data is irrelevant. The framework applies regardless of whether the data is stored on a U.S. server or abroad. I wonder, though: Would it be better to have framework apply only when no copy is inside the U.S. at the time the warrant is served on the provider? Or is it better to keep data location irrelevant? If the data location is irrelevant, an MLAT would need to be obtained even if the data is in the United States. But this might be odd in practice. At the end of the MLAT process, the foreign government would obtain the foreign court order. But because the data is in the U.S., it's not clear that a foreign court order would be binding on anyone inside the United States. Should the law make the foreign court order binding on U.S. providers when obtained pursuant to the MLAT? Or should the rule be that the provider needs to comply with the U.S. warrant when accompanied by the proper MLAT foreign process?

All just tentative thoughts. Feedback very welcome.