The Volokh Conspiracy

Mostly law professors | Sometimes contrarian | Often libertarian | Always independent

Crime

More on the Microsoft warrant case: A reply to Jennifer Daskal

Over at Just Security, Jennifer Daskal has responded to my recent post offering a different take on the Microsoft warrant case. Jennifer disagrees with my arguments, so I thought I would post her commentary together with my reply.

In my earlier post, I had argued that the parties in the case appeared to have misframed the issues because the SCA itself doesn't compel Microsoft to do anything. Any duty on Microsoft came from the warrant rather than the SCA. Daskal begins her response:

[T]his argument, while clever, flies in the face of long-standing assumptions about how the SCA works.

True! As my post says, the way the parties have framed the issue is "how most people who work with the SCA have assumed it works." That includes me. But that assumption was always just a casual one. The issue never came up before, as no provider had publicly argued that it didn't have to comply with a facially-valid search warrant for e-mail contents. The new argument focuses attention on an aspect of the statute previously overlooked.

Daskal next argues that my position is wrong for two reasons. Here's her first argument:

Without the SCA, there would be no authority to issue the kind of warrant at issue in the Microsoft case - directing a third party to do something, and to do so outside a law enforcement official's presence.

I disagree. Courts had approved no-presence warrants executed by third-party communications providers before the enactment of the SCA. The issue came up often in the 1970s, before Smith v. Maryland and the Pen Register Statute, when the government would use the Rule 41 warrant authority to force the phone company to install pen registers. Courts held that the Rule 41 authority permitted warrants to be issued for this purpose even though the third party conducted the surveillance and even though the government was not physically present. See United States v. New York Telephone, 434 U.S. 159 (1977) (holding that Rule 41 allows direction to execute warrant to third party if a supplemental order is obtained under the All Writs Act); Application for an Order Authorizing an In-Progress Trace of Wire Communications over Telephone Facilities, 616 F.2d 1122, 1130-32 (9th Cir. 1980) (holding that the traditional in-presence rule was not violated by Rule 41 warrant requiring telephone company to install surveillance tool without officers physically present at the phone company because "use of electronic surveillance . . . is to a large extent sui generis" and physical presence could make no difference to how the warrant is executed). See also Application of U.S. in Matter of Order Authorizing Use of a Pen Register, 538 F.2d 956, 960 (2d Cir. 1976) (holding that either Rule 41 authorizes a federal court to issue a warrant ordering the implementation of a pen register or else such power exists "as a matter of inherent judicial authority").

It's true 18 U.S.C. 2703(g) says that the in-presence rule of 18 U.S.C. 3105 need not be followed when agents obtain SCA warrants. But I don't think this means that the SCA has to apply for that kind of warrant to be authorized. On this issue, a page of history is worth a volume of logic. The SCA was passed in 1986, but 2703(g) was not enacted until 2002. That section was not thought to be needed as part of the original SCA because the 1970s-era pen register cases had allowed remote third party warrants that operated just like 2703(a) warrants.

What changed? In 2001, a district court in Minnesota handed down an unpublished decision holding (contrary to the 1970s cases) that third party surveillance orders violated the in-presence rule of 18 U.S.C. 3105. See United States v. Bach, 2001 WL 1690055 (D.Minn. December 14, 2001). That one case mattered because it was decided just three months after 9/11 and two months after the Patriot Act. At the time, Congress was very solicitous of ways it could remove needless outdated limitations on sensible surveillance practices. Clarifying that the in-presence rule didn't apply to remote provider warrants was low-hanging fruit, as no one thought it made sense to impose an in-person presence requirement for 2703(a) warrants. So Congress quickly and uncontroversially passed 2703(g) in 2002. Importantly, though, Congress was just reasserting the old understanding of the law. It was just responding to an aberrant district court opinion - which, ironically, was reversed by the 8th Circuit just a few days before 2703(g) went into effect - instead of adopting a new standard.

In light of this history, I don't see 2703(a) and 2703(g) as establishing an independent warrant authority to overcome an otherwise-existing ban on third-party non-presence warrants. And even if it is so read, I'm not sure why that would mean that 2703(a) imposes a duty on providers. Again, it's the warrant that imposes the duty, not the statute.

Daskal makes a second argument for why my proposed reading is wrong:

Moreover, the SCA talks in terms of "require[d] disclosure." It specifies that the government "may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication . . . pursuant to a warrant issued using the procedures described by the Federal Rules of Criminal Procedure." In presuming an authority to require, it assumes an obligation to comply.

I think Daskal has left out the critical word from the statutory text, though: "only." Without the SCA, the government could require disclosure with a mere subpoena. Section 2703(a) changes that rule by stating that the government "may require the disclosure . . . only pursuant to a warrant" (emphasis added). The word "only" is important, as it signals that 2703(a) is a limit on what procedures the government can use. Of all the options, only a warrant will do. And that's a limit on the government, not a duty on providers.

Daskal's next argument is very interesting and helpful:

Somewhat surprisingly, Kerr also suggests that Microsoft wins under his novel approach. According to Kerr, the warrant is directed at the government and doesn't actually compel Microsoft to do anything. But Kerr seems to have overlooked Attachment C of the warrant, which explicitly tells Microsoft that it is "required to disclose" the specified data. In fact, the district court issued a contempt order based on Microsoft's failure to do so.

This is great. Yes, I had overlooked Attachment C. On its face, Attachment C does tell Microsoft that it has to gather the information here. So on this view, perhaps Microsoft should lose the case because the warrant clearly contemplates Microsoft handing over all e-mail contents in its possession. That would include e-mails from overseas.

Perhaps, but I'm not so sure. While Attachment C talks about what Microsoft must do, the warrant itself isn't directed to Microsoft. The warrant is directed to "Any authorized law enforcement officer." And without an All Writs Act order, I'm not sure how the court has the authority to order Microsoft to do anything. Can a warrant require third-party action simply by adding language in the attachment that it is required? Maybe, but I'm not sure.

Daskal next argues that if the traditional understanding is right that the SCA (rather than the warrant) compels compliance, then forcing Microsoft in the U.S. to remotely retrieve data it has stored abroad is an extraterritorial application of the SCA. That's true, Daskal argues, because the broad focus of the SCA is on privacy. The privacy-related event occurs overseas, so it's the location of the data that should matter. She writes:

[T]he focus of congressional concern [in the SCA] is something other than the providers - namely the underlying privacy interests at stake. The legislative history is, after all, replete with references to the need to "ensure the continued vitality of the Fourth Amendment;" "protect privacy interests," and "strike a fair balance between the privacy interests of citizen and the legitimate needs of law enforcement needs." In fact, Kerr himself notes that "the point of the SCA was mostly to provide for privacy protections where the Fourth Amendment did not." The regulation of providers is thus a means of protecting the key underlying interest - the privacy of data.

Based on this understanding, the focus is on the data.

Our disagreement is about how to apply the "focus of congressional concern" test for territoriality. As I read the cases, the key question is the territoriality of the specific things that Congress decided to regulate, not the territoriality of the general policy goals that Congress was pursuing. Broad policy goals such as "protecting privacy interests" don't have an obvious territoriality. On the other hand, specific conduct that Congress prohibits does, and that seems to be the focus of the caselaw.

Consider the Supreme Court's decision in Morrison v. National Australia Bank, 561 U.S. 247 (2010). Morrison considered whether foreign plaintiffs could sue under U.S. securities laws that prohibited deceptive securities transactions when those transactions occurred on foreign exchanges. The Court concluded that the territoriality of the statute was defined by the location of the transactions that the statute itself directly regulated:

Those purchase-and-sale transactions are the objects of the statute's solicitude. It is those transactions that the statute seeks to "regulate," it is parties or prospective parties to those transactions that the statute seeks to "protect." And it is in our view only transactions in securities listed on domestic exchanges, and domestic transactions in other securities, to which § 10(b) applies.

Applying that approach to the SCA, it seems to me that the "focus of congressional concern" is not on the general privacy interests Congress cared about - wherever they may be - but on the actual acts that Congress regulated. And Congress regulated privacy by imposing restrictions on the government (in the U.S.) and, by hypothesis, on providers (also in the U.S.). The details of how the warrants would be executed were not addressed by the statute, so I am skeptical that the location of where the information was located should be considered the focus of congressional concern.

Daskal concludes:

Kerr also ends with a discussion of the practical considerations at stake. But while I share some of Kerr's concerns, he presents only one side of the issues. As I have written elsewhere and expand upon in a forthcoming post, both Microsoft's approach and the government's approach yield a range of potentially damaging policy consequences. No matter who wins, there will be a pressing need for congressional, executive, and international engagement. This case, whatever the outcome, should not be the last word.

I focused on one side because I see Microsoft's policy arguments as substantially weaker. The government-side policy interest is that, if Microsoft is right, a provider could pretty easily make e-mail beyond the reach of lawful access even with a warrant. That's a big deal. The Microsoft-side policy interests strike me as much more contingent, and therefore less substantial.

Here's my thinking. If the government is right, Microsoft says, foreign governments are going to be really upset and U.S. providers could lose a lot of global business. But this dynamic is contingent in two ways. First, as I noted in my earlier post, it looks like Microsoft may be able to avoid that harm by restructuring its network:

[Microsoft] could have designed their business so that if you sign up for an account from outside the U.S., your relationship is entirely with the company's foreign subsidiary and the data isn't directly accessible from inside the United States. For example, when you sign up for a Yahoo account from Europe using Yahoo.uk, Yahoo.fr, or a similar European-based service, your legal relationship is with Yahoo EMEA Limited in Dublin instead of Yahoo in the United States. My understanding is that Yahoo keeps its accounts local, apparently at least in part to limit the laws under which it can be accessed.

This difference creates the prospect that a Microsoft loss in the Second Circuit could be addressed, entirely or at least in part, by Microsoft rearranging its network. If the same case involved a Yahoo account instead of a Microsoft account, and the account was created by a person in Europe, U.S. authorities could not just go to Yahoo in California. They would have to get the information from Yahoo EMEA Limited in Dublin instead. Perhaps Yahoo in California would have a way of getting the information from Yahoo EMEA Limited in Dublin - I don't know their precise relationship - but it becomes a pretty different legal question at that point.

Second, my impression is that international opposition to U.S. access to data held abroad by U.S.-based providers, while very real, is also very contingent. It's largely about European reaction to the Snowden disclosures of NSA surveillance. Post-Snowden, Europeans oppose U.S. surveillance by a ratio of about 9-to-1. That NSA-driven anger bleeds into European suspicion of U.S. warrants signed by U.S. judges.

That may be a good reason to amend the SCA going forward. I've been arguing that Congress should amend the SCA to deal with territoriality since before the Microsoft litigation was public. And as I have stressed before, I agree with Daskal that there is a pressing need for reform no matter which side wins. But to the extent policy arguments guide interpretation of the current statute based on a what-Congress-could-have-meant theory, that opposition strikes me as too contingent on recent trends in global politics to be a sound basis for interpreting the existing SCA.