The US Department of Justice is attempting to take its long-running legal battle with Microsoft over access to emails stored on foreign servers to the Supreme Court. After several delays, the Justice Department tonight filed a petition asking the Supreme Court to take its case. An appeals court previously ruled in favor of Microsoft, finding the the Justice Department couldn’t use a warrant to obtain messages from one of the company’s overseas data centers and would have to request the data through an international treaty process instead.
If the Supreme Court agrees to hear the case, its decision will have wide-ranging effects on the way the tech industry stores user data and the way law enforcement accesses it, both in the US and abroad.
But if the Supreme Court doesn’t take the case, the appeals court ruling will stand, and the tech industry’s lobbying effort to get Congress to change a 31-year-old law will accelerate.
“It seems backward to keep arguing in court when there is positive momentum in Congress toward better law for everyone. The DOJ’s position would put businesses in impossible conflict-of-law situations and hurt the security, jobs, and personal rights of Americans,” Microsoft president and chief legal officer Brad Smith said in a statement.
How did we get here?
The battle between Microsoft and DOJ has been raging since 2013, when the company challenged provisions of the Electronic Communications Privacy Act governing law enforcement access to user data.
The Justice Department was investigating a drug case, and wanted access to a suspect’s emails, so it served Microsoft with a warrant for the data. However, Microsoft has data centers all around the world, and some of these emails happened to be stored on a server in Ireland—beyond the reach of a US-issued warrant.
To get access to data that’s stored in other countries, US law enforcement is supposed to go through the tedious Mutual Legal Assistance Treaty, or MLAT, process. It takes roughly 10 months to get data this way, and the Justice Department didn’t want to wait that long.
Microsoft fought the warrant, arguing that ECPA doesn’t apply to international data. ECPA became law in 1986, before lawmakers or the public had any concept of how reliant we would all become on cloud storage, and doesn’t clearly state how data stored in another country ought to be acquired.
After losing its case in a lower court, Microsoft appealed to the Second Circuit, which ruled last July that the Justice Department couldn’t justify its use of a warrant to acquire data stored overseas with ECPA. The Second Circuit declined in January to re-hear the case, but called on Congress to step in and fix the broken provisions of ECPA.
The legal standards at play in the case have been “left behind by technology” and are “overdue for a congressional revision,” Second Circuit Judge Susan L. Carney wrote in the decision.
The Justice Department indicated that it might appeal the case to the Supreme Court—it had asked the Supreme Court twice for more time to file a petition requesting that the Court hear the case.
Why does this case matter?
Even though the internet feels like an ephemeral tangle of bits that vanishes when you lock your phone screen, all that data has to live somewhere. Server farms all over the world play host to your sleeping emails, messages, and Snaps. (This is why everyone says that annoying thing about how the cloud doesn’t exist, it’s just other people’s computers.)
The outcome of Microsoft’s case will shape the future of law when it comes to the cloud—and not just in the US. The case has international implications, and that’s why many other tech companies are watching closely to see how it turns out.
There are lots of good reasons to scatter data around the globe: whenever an earthquake finally heaves Silicon Valley into the ocean, you’ll presumably still want to be able to check your DMs. Server farms also take up a lot of space and can benefit from the surrounding climate. Ireland’s cool and misty weather makes it particularly hospitable for server farms, and Google’s not the only company storing data there.
But while this kind of data distribution is healthy for the survival of infrastructure, it causes problems for law enforcement agencies that want to read through a suspect’s emails.
Crazy shit has started to happen as law enforcement agencies demand that tech companies hand over data stored in other countries. If the US can snatch foreign data with impunity, other governments will want to do the same—and companies like Microsoft won’t have good legal standing to refuse. That’s very bad news for US consumers’ privacy.
In an effort to protect their own citizens’ data, some governments are considering proposals that would order companies to store data locally. This kind of data localization is intended to evade overreaching law enforcement agencies from other countries—Ireland, for instance, doesn’t want US courts to access its citizens’ data without its say-so—but it doesn’t really take into account the way data is transmitted and stored on the modern web.
“By using a U.S. warrant to seek digital information overseas, law enforcement effectively sidesteps the host of international agreements that already govern how it may access evidence located abroad,” Microsoft’s Smith testified before a subcommittee of the Senate Judiciary Committee in May. “The short-circuiting of these agreements risks undermining the international collaboration that is a cornerstone for the protection of public safety.”
Allowing US agencies to enforce warrants outside US borders would sow distrust among international users, tech companies argue. Other companies would gain an advantage if they were seen as more privacy-protective.
Conflicting laws also put tech employees in the awkward position of having to decide which country’s laws they’re going to break.
“Those conflicts put technology companies in the impossible position of choosing which country’s law to obey and which to violate,” Smith testified. “While this may seem trivial to some, I can attest that the threat of significant fines or imprisonment—in the United States and in other countries where we operate—are very real.”
If the Supreme Court agrees to hear the case, it could reverse the Second Circuit decision and order Microsoft to comply with the warrant, a move that Microsoft and other major tech companies believe would be devastating for their businesses.
What happens now?
The Supreme Court now gets to decide whether or not it wants to hear the case. It gets between 7,000 and 8,000 petitions per term and only hears about 80 cases, according to SCOTUSblog, so it might pass on this. But Microsoft’s case raises the kind of unresolved legal issue that could be appealing to the court.
Whether or not the Supreme Court takes up the case, tech lobbying efforts on ECPA are going to intensify.
Tech giants like Apple, Amazon, and Google, as well as civil liberties organizations like the Electronic Frontier Foundation, supported Microsoft’s lawsuit in the Second Circuit. These companies would much rather see the issue decided by Congress than the courts. Microsoft and Google have put forth proposals for how they’d like to see Congress update the 31-year-old legislation.
Since the Second Circuit declined to re-hear the case earlier this year, tech companies have upped their lobbying efforts, pressing Congress to undertake a revision of ECPA. Letting the Supreme Court handle it is risky; a negative SCOTUS decision would push the industry back to where it started in 2013.
“At its heart, the case illustrates how technology has evolved over the past three decades—but the law has not,” Smith said during his Senate testimony in May. He cautioned lawmakers about the dangers of a “quick fix” legislative solution that might give US law enforcement easy access to data, a move that would upset other governments and could lead to the balkanization of the internet.
Yesterday, Google also came out firmly in favor of an ECPA revision. Like Microsoft, Google asserts that countries should be able to make requests for user data if the user is within that country’s jurisdiction or if the crime occurred within its borders—even if the data is stored in another country.
Tech’s best hope so far is legislation drafted by Senators Orrin Hatch, Chris Coons, and Dean Heller called the International Communications Privacy Act, or ICPA. The proposed legislation dovetails with the tech industry’s wishlist—it would maintain a warrant requirement for access to the content of messages, clarify the process for law enforcement to access data stored abroad, and opposes data localization requirements.
But even if ICPA becomes law, it’s only the beginning—the next step will be working on international agreements to get other countries on board with the kind of controlled data sharing Microsoft envisions (the US and UK have already negotiated an agreement but other nations will likely want to do the same).
“The next step would be for the United States and foreign governments to sign new agreements that could provide an alternative to the MLAT process,” Google senior vice president and general counsel Kent Walker wrote. “It’ll require action here in Washington and in capitals around the world. However, we can’t accept the complexity of action as a reason for inaction in addressing an important and growing problem.”