An ongoing legal battle between Microsoft and the Department of Justice (DOJ) over a warrant for customer emails has the potential to seriously threaten open Internet policies around the world. The dispute hinges on abstract legal and technical questions about digital ownership and territoriality, but the broad result will be "fundamental to the future of global technology," as Microsoft described it, because the court's decision could limit or expand the federal government's power to access personal data stored overseas.
The case arose in 2013, when a New York magistrate served a warrant to Microsoft to access the email communications of a suspected drug dealer. Microsoft proceeded to gather the needed data to comply with the warrant, as it usually did. In the course of its search, however, Microsoft discovered that only the relevant "metadata"—descriptive information that merely describes the content or context of data—was stored in the U.S. The actual content of the communications was stored overseas in a wholly-owned Microsoft subsidiary's servers in Ireland, well beyond the jurisdiction of a normal U.S. warrant.
Microsoft agreed to turn over the U.S.-stored metadata but disputed that the magistrate had authority to compel the seizure of data stored overseas. Microsoft argued that the emails in question are personal documents held on behalf of its customers, not corporate "business records" that DOJ can quickly seize through a warrant.
The feds, of course, have a different opinion. According to federal prosecutors, the Stored Communications Act (SCA) section of the larger Electronic Communications Privacy Act (ECPA) of 1986 makes no exception for the "territoriality" of the data. Microsoft employees in the U.S. can access and divulge the email communications, which are indeed business records, and the law compels that it must, the feds say. Companies cannot evade SCA obligations simply by storing data overseas.
Last year, U.S. Magistrate Judge James Francis agreed with the government, ruling that Microsoft must indeed turn over the emails. Microsoft suddenly found itself flanked by many organizations that are often among its top critics as the company proceeded to fight this ruling in two separate appeals courts. Privacy and civil liberties groups like the Electronic Frontier Foundation and American Civil Liberties Union filed amicus briefs to defend the technology giant's position, as did media outlets like the Guardian and NPR and major Internet service companies such as AT&T and Verizon. Whether motivated by company profits or the public interest, all of these groups are gravely concerned by the U.S. government's new assertion that, under the SCA, it has the authority to compel any data located anywhere in the world with a normal warrant.
Such an audacious federal power grab creates clear threats to civil liberties protections for U.S. and non-U.S. persons alike. Technology companies, already reeling from the economic blowback of the Edward Snowden revelations, are understandably reticent to further diminish their customer's trust and lose even more business to foreign competition. As the counsel for Microsoft argued to the U.S. Court of Appeals for the Second Circuit, the U.S. "would go crazy if China did this to us."
Indeed, even if the U.S. government were to win this case, they might lose in more subtle but perhaps more potent ways. The Obama administration frequently chastises the Chinese government for attempting to impose its illiberal Internet surveillance policies on the rest of the world. Should the U.S. government begin to assert the authority to extract foreign data, China and other countries will find it easy to argue that they have a right to do the same.
This kind of arrangement could seriously threaten liberal nations' open Internet policies. Citizens residing in such countries might no longer enjoy the full protection of existing national privacy or speech protections, since foreign nations could choose to extract whatever data they deem relevant to their law enforcement or national security interests. Internet freedom could suffer a kind of "race to the bottom" as more authoritarian power centers expand their spheres of influence in formerly liberal jurisdictions.
Interestingly, the Irish government does not believe that the U.S. government needs to risk establishing such an unstable global precedent to attain the information that it presently desires. In its amicus brief to the appeals court, the Irish government states that it is willing to share appropriate data with foreign law enforcement under already-existing "mutual assistance in law enforcement treaties" that facilitate criminal information-sharing among international powers. Microsoft itself has supported this option in its arguments. But even this remedy has drawbacks, as it could expose customers to foreign legal regimes even less protective of privacy and due process than the U.S.
Alternatively, if Microsoft and its short-term allies manage to convince the court that the DOJ cannot compel companies to divulge customer data stored overseas, then law enforcement may resort to issuing subpoenas to get the data instead. The subpoena process, while a bit more time-consuming for law enforcement, would forgo some of the due process and judicial review protections secured by the SCA.
The current legal battle between Microsoft and the DOJ is only one in a long line of incidents highlighting the outdated nature of current U.S. Internet and computer policy. Much of contemporary web policy is guided by outdated laws, drafted by non-technical policymakers well before the advent of our mature Internet infrastructure. Frictions frequently arise as the fast pace of technological development and norms clashes with the needs and interests of law enforcement.
The ECPA, for example, was passed in 1986, decades before cutting-edge developments in cloud computing and low-cost data storage shaped the course of modern telecommunications use. Much of the statutory language and assumptions buried in the SCA were intended to address an environment where U.S. computer users employ U.S. companies to manage personal data in U.S. data centers. It did not foresee the interconnected global "network of networks" that predominates contemporary computer usage.
It is an old adage that "hard cases make for bad law," but it is becoming more apparent by the day that bad computer law makes for unnecessarily hard cases. It is truly remarkable that the state of current U.S. Internet and data policies is so patchy and backwards-looking that a simple case of overseas data storage can send U.S. technology policy into such unchartered and potentially dangerous waters. The court is expected to issue a ruling sometime between October and next February; it's possible that this case could make it all the way to the Supreme Court. Unfortunately, even the sharpest legal minds may find it difficult to resolve such a complicated case informed by our inadequate and outdated data laws.