The cloud has no borders.

Photographer: David Paul Morris/Bloomberg

Cloud-Storage Ruling for Microsoft Helps Criminals, Not Privacy

Noah Feldman is a Bloomberg View columnist. He is a professor of constitutional and international law at Harvard University and was a clerk to U.S. Supreme Court Justice David Souter. His books include “Cool War: The Future of Global Competition” and “Divided by God: America’s Church-State Problem -- and What We Should Do About It.”
Read More.
a | A

In an important decision with immense consequences for data storage services and law enforcement, a federal appeals court has quashed a warrant for e-mails that Microsoft was storing on a server in Ireland. Unless Congress changes the relevant law, this ruling creates the incentive for criminals -- or anyone else who wants privacy protection from government surveillance -- to make sure their data is held outside the borders of the U.S.

The reasoning of the 2nd U.S. Circuit Court of Appeals in Manhattan arguably followed from Supreme Court precedent -- but it was probably a mistake nonetheless, and it isn’t really a win for privacy rights.

The facts of the case were simple and not very detailed, because of the need to protect privacy. All we know is that the federal government went to a magistrate judge in Southern District of New York and asked for a warrant to make Microsoft disclose the e-mails of a suspect in a narcotics investigation. The government met the standard for probable cause, and the judge issued the warrant in 2014.

Microsoft appealed, saying it shouldn’t have to comply under the relevant federal law, the Stored Communications Act passed in 1986. It gave the government its customer’s metadata -- such as who certain e-mails were addressed to -- which it had on hand in the U.S. But Microsoft explained that the actual content of the customer’s e-mails were stored on a server in Dublin. The company maintained that a U.S. warrant could not obligate it to hand over material located abroad.

The objection wasn’t based on technical capacity. Microsoft could retrieve the e-mails remotely at the touch of a button. It was based on interpretation of the federal law.

Microsoft, like other e-mail providers, makes its decisions about location of storage on various grounds. The e-mails might be in Dublin because the customer lives in Ireland. They might be there because he or she gave an Irish address to Microsoft. Or the e-mails might be on the Dublin server because Microsoft had an independent business reason to keep them there. It’s generally fastest and easiest to keep e-mails on servers near where the user lives. But data that can be accessed anywhere can be stored anywhere.

At first blush, Microsoft’s argument seems pretty weak. As the government maintained, the warrant wasn’t telling Microsoft to go abroad and get information from outside the U.S. It was just telling Microsoft to provide the e-mails wherever they might be, assuming they were in Microsoft’s control, which they were.

Closer examination shows why Microsoft’s claim wasn’t unreasonable. As a matter of law, U.S. warrants ordinarily don’t reach abroad. By complying with the subpoena, Microsoft would have created a precedent that might have allowed the government to issue warrants for customers’ e-mails located any place on earth.

The appeals court issued an opinion ruling for Microsoft on Thursday. It first had to decide whether to analyze the case as a request for materials abroad, or as a request for materials under Microsoft’s control, as the government urged.

The court chose the former option. It reasoned that the federal law governing warrants from e-mail service providers did not contemplate the possibility of data on servers abroad, because in 1986, the idea of remote storage in the cloud wasn’t on Congress’s mind, or anyone’s.

Then the court said it would follow the presumption against extraterritoriality, emphasized by the Supreme Court strongly in recent years including in a racketeering decision this term. This fancy sounding legal principle states simply that the courts won’t treat U.S. laws as applying outside the borders of the U.S. unless Congress had said so clearly.  

Something is wrong with this picture -- namely that the circuit court was ignoring the reality of cloud-based technology, in which location is of secondary importance. Under the court’s holding, tomorrow I could advertise an e-mail service in which all e-mails would be stored on foreign servers -- and would therefore be exempt from federal warrants. Many customers might be willing to accept a short delay in access in exchange for such a legally powerful guarantee. The customers might be criminals -- or they might just be ordinary people who fear government overreach.

The Second Circuit said that the answer was for Congress to change the law. In a concurring opinion, Judge Gerald Lynch urged just that. And he added the case would look different if we knew the Microsoft customer was an Irish citizen living in Ireland than it would look if we knew the customer was U.S.-based and that Microsoft had saved the e-mails abroad for business reasons.

Shifting the burden to Congress to change the law was basically a way for the court to duck responsibility for its counterintuitive reading of the law.

It’s true that a U.S. warrant shouldn’t be used to get material that originated and was maintained abroad.  That would represent a vast expansion of the warrant power.

But the simpler solution would have been for the court to instruct the magistrate to find out whether these e-mails were being stored abroad because the user was a foreign national or because Microsoft found cheap servers in Ireland. It makes no sense for data created by U.S. nationals in the U.S. to be exempt from a warrant just because the data storage accidentally has taken place abroad.

This isn’t a win for privacy. A warrant issued on probable cause is an ordinary and constitutional tool of law enforcement. It shouldn’t be quashed because of an accident of modern technology. Stay tuned for more court decisions -- and for a bipartisan initiative to change the law.

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

To contact the author of this story:
Noah Feldman at nfeldman7@bloomberg.net

To contact the editor responsible for this story:
Tobin Harshaw at tharshaw@bloomberg.net