The surprising implications of the Microsoft/Ireland warrant case

The Justice Department filed a petition for rehearing last month in the Microsoft/Ireland warrant case. Although I'm skeptical that rehearing will be granted, the Justice Department's petition includes some fascinating updates about the practical effect of the Second Circuit's decision. I looked into the Justice Department's allegations on my own, and I was able to get a better sense of what was happening. At the very least, it suggests that the Microsoft case is having some surprising implications. And in some cases, the result seems to be a significant mess.

The Second Circuit's decision held that warrants for customer email are unenforceable when the provider opted to store emails on a server outside the United States. The statute only has territorial effect, the Second Circuit reasoned, and that means it doesn't apply to foreign-stored email. Treating the statute as a way to get email rather than a means of limiting access to email, the court ruled that the government couldn't use a domestic warrant to compel the disclosure of emails stored abroad.

But here's the twist. The court's decision assumed that Internet providers knew where its customer emails were located and that emails could be accessed from those places. The Second Circuit's opinion therefore left the government with some options. In particular, the government could pursue foreign legal process through Mutual Legal Assistance Treaties for email that was stored abroad.

It turns out that this assumption isn't necessarily right. And that is creating some significant headaches.

Here's what the Justice Department says in its petition for rehearing:

Unlike Microsoft, some major providers cannot easily determine where customer data is physically stored, and some store different parts of customer content data in different countries. Major U.S.-based providers like Google and Yahoo! store a customer's email content across an ever-changing mix of facilities around the world. To the extent content is stored abroad by the provider at the moment the warrant is served, the Opinion has now placed it beyond the reach of a Section 2703 warrant, even when the account owner resides in the United States and the crime under investigation is entirely domestic. At least in the case of Google, the information is also currently beyond the reach of a Mutual Legal Assistance Treaty request or
any foreign law enforcement authority, because only Google's U.S.-based employees can access customer email accounts, regardless of where they are stored; indeed, Google cannot reliably identify the particular foreign countries where a customer's email content may be stored. Thus, critical evidence of crimes now rests entirely outside the reach of any law enforcement anywhere in the world, and the randomness of where within an intricate web of servers the requested content resides at a particular moment determines its accessibility to law enforcement.

The petition adds:

Major service providers like Google and Yahoo!, who store different pieces of information for a single customer account in various datacenters at the same time, and routinely move data around based on their own internal business practices, are now disclosing only those portions of customer accounts stored in the United States at the moment the warrant is served—even though, at least as to Google, the only employees who can access the entirety of a customer's account, including those portions momentarily stored overseas, are located in the United States. Yahoo! has informed the Government that it will not even preserve data located outside the United States in response to a Section 2703 request, thereby creating a risk that data will be moved or deleted before the United States can seek assistance from a foreign jurisdiction, much less actually serve a warrant and secure the data. In addition, some providers are apparently unable to tell the Government, in response to Section 2703 disclosure orders, where particular data is stored or whether it is stored outside the United States, further frustrating law enforcement's ability to access such data.

I looked into whether the Justice Department's claims are correct. Google and Yahoo! declined my request for comment, but I was able to patch together a picture from a range of different sources. Here's my best sense of what is happening.

First, the major domestic Internet providers aren't treating the Second Circuit's decision as just a decision from one circuit. They have all decided to treat the Second Circuit decision as the law in effect everywhere. Part of that is for a good practical reason: Internet communications nearly always cross state lines, so it's hard to have different rules for different circuits. And part of it is to put the burden on the government if it wants to challenge the providers' policies. The Justice Department can bring a legal challenge in a different circuit where the Microsoft decision is not binding, but the department has to go along with the providers' nationwide adoption of the Second Circuit's decision unless or until that happens.

Second, the Justice Department's factual assertions in its petition for rehearing are basically correct. The Microsoft case has revealed a significant division among service providers in terms of how their network architectures function. Some providers make a point of figuring out the country of origin of each user, and they try to store user emails in that country or region. Other providers don't. Some providers know in what country a particular user's email will be located, and that answer is reasonably stable over time. Other providers don't, and it isn't. Some providers can access email stored abroad from wherever it is located. Other providers can't.

These differences didn't matter before the Second Circuit's decision because domestic providers complied with domestic search warrants regardless of data territoriality. Microsoft then challenged compliance with domestic search warrants in a case where the location of the emails was known (Ireland) and the emails could be accessed from that location. The court's opinion assumed that technology was in place. And the decision is now working pretty much as expected for providers with that network architecture.

In particular, the court's opinion is creating a sensible structure for providers that store contents of communications in the country or region where individual users reside. No system is perfect. But for providers that aim for data localization—putting the data in the country or region of its users—domestic law enforcement can generally use warrants to get the emails of people in the United States but need to use mutual legal assistance to get emails of those abroad. That's a sensible result.

On the other hand, the Second Circuit's decision has created a mess with some providers that have different network architectures. At least one major provider has a very fluid approach to data location. Email contents go wherever is easiest for the network at that moment. When a warrant comes in, the provider can query its network to find out which contents from the account are located on servers in the United States at that instant. But the mix of contents inside and outside the United States at any given time is impossible to predict. Even individual email messages may be split up in different countries. For example, a particular email message might be on a server in the United States while its associated attachment is on a server abroad.

To make matters more complicated, the network is structured at one major provider so that only employees from inside the United States can query it. This means that if the government wants to get access to the contents of the account, there is no apparent way to get access to the subset of the contents that are foreign-stored at the time legal process is executed.

This is a pretty surprising result. If you're an FBI agent and you get a search warrant for a specific set of emails in a domestic suspect's account, the provider will send you only the subset of responsive emails that happen to be in the United States when the provider pressed the button to retrieve the account records as part of the warrant execution. The rest is out of reach, even with foreign legal assistance, as there is no one abroad to query the network pursuant to foreign legal process.

In the run-up to the Second Circuit's decision, a lot of folks pointed to the odd results that might follow from ruling for Microsoft. But here's what I (and others) missed: I didn't expect that major domestic providers would respond to a ruling that they can't be compelled to disclose foreign-stored emails pursuant to a warrant by refusing to disclose foreign-stored contents voluntarily when the target was domestic and the only reason that particular e-mail was foreign-stored at that instant was the fluid nature of the network's architecture.

I didn't expect that in part because domestic providers are still permitted to disclose the foreign-stored contents of communications under the Second Circuit's decision. Providers are not required to make those disclosures. But they can if they want to, because the statute's coverage acts as both a sword and a shield. On one hand, the statute is a sword that (at least as the Second Circuit reads it) forces providers to comply with legal process. On the other hand, the statute is a shield because it limits voluntary disclosure. The two go together. If a foreign-stored email is out of reach of the compelled disclosure rules, it also is out of reach of the voluntary disclosure limitations.

This means that a domestic provider with a network that moves contents around all the time can still disclose the contents of the account of a domestic person that happen to be domestic the moment the warrant comes in under the warrant while they can disclose the contents that happen to be stored abroad at that moment voluntarily. I assumed (perhaps naively) that major domestic providers would do that. But apparently that's not happening.

Why not? This is just speculation, so take it for what it's worth. One possibility is that the politics of the moment make the most pro-privacy approach the best course, even if it leads to weird results. Privacy is big business right now, especially in Europe. Perhaps providers figure that the safest political course is not to turn over what can't be forcibly compelled.

Another possibility, albeit a remote one, is a concern that voluntary disclosure might raise Fourth Amendment problems. The provider acting pursuant to legal process is a state actor, the Second Circuit's opinion says, and warrants can be executed only domestically. Perhaps providers fear that voluntary compliance raises Fourth Amendment issues.

But if that's a concern, I don't see it as a realistic one. First, the warrant requirement doesn't apply overseas. That means that the only Fourth Amendment limit is reasonableness. Although the standards of foreign-search reasonableness are murky, I would think that relying on a judicial finding of probable cause and particularity sufficient to issue a traditional search warrant (if the data were inside the United States) is reasonable. The sign-off of a domestic warrant is generally considered the gold standard for reasonableness even for foreign searches, see United States v. Barona, 56 F.3d 1087, 1101-03 (9th Cir. 1995) (Reinhardt, dissenting), and I would think that would suffice. Second, because the disclosure is voluntary, and not required by court order, it's not at all clear that the Fourth Amendment would apply in the first place under the state action doctrine.

I wonder whether the Justice Department will go into court to push this issue. In particular, it's an open question whether the department can get the full contents of domestic target accounts by issuing a warrant and a subpoena simultaneously. The warrant would be for the domestically-stored parts of the account, while the subpoena would be for the foreign-stored parts of the account. If the Justice Department tries this and providers object, you might see litigation on whether or in what circumstances the subpoena can be enforced.

Alternatively, all of this seems like an ideal subject for congressional attention. Stay tuned.

UPDATE: I have fiddled a bit with the post a bit since putting it up. Sorry for any inconvenience the edits may have caused.