In a remarkable decision addressing the reach of search warrants aimed at personal data stored by a third party in the cloud, a court ruled last week that an internet service provider (“ISP”) can be compelled to produce personal information located outside of the U.S. The decision by Magistrate Judge James Francis (S.D.N.Y.) denied Microsoft Corporation’s motion to quash a warrant requiring production of customer email content and related data stored on a server located in Dublin, Ireland. If adopted by other courts, the ruling could have far-reaching implications not only in the context of overseas cloud storage, but the privacy of personal data stored on third- party servers generally.
The specific issue addressed by the court concerns application of the infamously antiquated Stored Communications Act (“SCA”) of 1986, which allows the U.S. government to obtain information by subpoena, court order, or warrant from third parties such as ISPs. On December 4, 2013, the court approved the government’s request for a SCA search warrant to Microsoft seeking virtually all content and data associated with a particular email account. Microsoft produced all relevant information stored on its domestic servers, but moved to quash the warrant to the extent it sought information stored at its datacenter located in Dublin, arguing that U.S. courts are not authorized to issue extraterritorial search warrants. Notably, it is not clear from the decision whether the owner of the subject email account is a U.S. resident.
The crux of the issue before the court was whether a search warrant issued under the SCA should be treated as a search warrant in the conventional sense, which is restricted to the seizure of property within the United States, or as a subpoena, which can be enforced extraterritorially. The court concluded that, for purposes of extraterritorial enforcement, SCA search warrants should be treated like subpoenas, requiring the recipient to produce information even if it is located abroad.
In reaching the decision, the court engaged in a thorough examination of the SCA’s text, structure, and legislative history, including the practical implications of restricting SCA search warrants to U.S. soil. But the court did not separately address application of the Fourth Amendment’s search-and-seizure requirements to warrants for personal email data.
Instead, in examining the structure of the SCA, the court made the remarkable observation that “the Fourth Amendment . . . might not apply to information communicated through the internet.” For this sweeping proposition, the court cited a single academic article, concluding that “there were no constitutional limits on an ISP’s disclosure of its customer’s data.” Relying on another academic article by the same author, the court also found that “no . . . search has occurred” until the data in question is “exposed to possible human observation, such as when it appears on a screen, rather than when it is copied by the hard drive or processed by the computer.”
These determinations are arguably contrary to other cases, such as the Sixth Circuit’s decision in United States v. Warshak, 631 F.3d 266, 288 (6th Cir 2010). There, the court held that “if government agents compel and ISP to surrender the contents of a subscriber’s emails, those agents have thereby conducted a Fourth Amendment search, which necessitates compliance with the warrant requirement absent some exception.” Emphasizing the “fundamental similarities” between modern day emails and traditional forms of communication such as letters, the court made clear that internet users enjoy a “reasonable expectation of privacy in the contents of emails ‘that are stored with, or sent or received through, a commercial ISP.’” In other words, the Warshak court held that the Fourth Amendment trumps the SCA where such data is at stake.
This apparent tension between the Microsoft ruling and Warshak also brings to mind Justice Sotomayor’s observation in United States v. Jones that reasonable expectations of privacy may be the wrong lens through which to view these issues in the internet age:
More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. . . . This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.
The Microsoft decision has the potential to significantly expand the power of the U.S. government to obtain digital information from sources outside of the U.S., and in turn raises the specter of a fundamental conflict with foreign data-protection laws. And the decision could have even broader implications by virtue of its apparent holding that there are no constitutional limits on law enforcement collection of personal data through ISPs. Of course, whether other courts will follow suit remains to be seen.