Microsoft Ireland: Setting the Table

In the summer of 2016, the US Court of Appeals for the Second Circuit released its highly-anticipated decision in Matter of Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., No. 14-2985, 2016 WL 3770056 (2d Cir. July 14, 2016). In what has come to be known widely as the “Microsoft Ireland” case, the Second Circuit unanimously rejected the notion that the Government could obtain the contents of emails stored overseas by securing a warrant under the Stored Communications Act (SCA). In doing so, the court reasoned that Congress––at the time it enacted the SCA as part of the broader Electronic Communications Privacy Act (ECPA) in 1986––did not intend the SCA's warrant provisions to apply extraterritorially, and thus the Government could not lawfully compel Microsoft to turn over information that was stored exclusively on servers at Microsoft's Dublin-based data center.

The panel's decision in Microsoft Ireland offers one of the first answers to perhaps the most significant regulatory question of the Internet era: how should the limits of governmental access to personal data stored in the cloud be defined? In the short term––that is, until the Supreme Court weighs in on the matter or Congress decides to amend the SCA––Microsoft Ireland's holding not only safeguards data stored abroad, but it avoids an international conflict whereby the US Government could obtain data stored in Ireland via a domestic US court-authorized search warrant in violation of Irish data protection law. Such a holding would have forced Microsoft and a number of other multinational digital companies (e.g., Facebook and Twitter) into a difficult position: turn over data in violation of Irish law, or risk contempt sanctions for failing to comply with a US court order.

That said, the panel's decision stands to have a meaningful impact on the manner in which nations manage data stored in the cloud. In particular, the Second Circuit's emphasis on where the data is located, as opposed to the location of the service provider or the targets of an investigation, may fuel a drive toward data localization. Indeed, data localization efforts of this nature have increased in the wake of Edward Snowden's revelations, and some scholars argue that while localization, in theory, may serve to protect users' privacy by limiting who may access their data, the reality of such a trend may ultimately result in unforeseen and potentially harmful consequences. To be sure, some countries' laws are less protective of privacy than US law, and imposing additional constraints on the US Government's investigatory efforts may detrimentally impact national security because federal authorities––under the Second Circuit's framework––would be unable to collect data from servers stored in foreign countries, such as Russia or China, by using an SCA warrant, even when a crime is committed on US soil.

Absent Congressional action or Supreme Court involvement, Microsoft Ireland stands as one of the most significant decisions of the Internet Age, impacting not only where companies will choose to store their data, but how privacy and security-related concerns will continue to play out in the international arena.

Microsoft Ireland: Factual and Legislative Overview

Factual Background

Microsoft Ireland has its genesis in a December 4, 2013, search warrant (the “Warrant”) issued by Magistrate Judge James C. Francis IV of the US District Court for the Southern District of New York.1 The Warrant, issued pursuant to Section 2703 of the SCA of 1986 (SCA or the Act), directed Microsoft Corporation (“Microsoft”) to provide law enforcement with certain electronic information associated with the account of a Microsoft customer suspected of drug trafficking, the identity of whom was unknown at the time.2 In particular, the Warrant compelled Microsoft to seize and produce “[t]he contents of all e-mails stored in the account, including copies of e-mails sent from the account,” as well as other “non-content” information, including, among other things, “the user's name and country,” that were “stored at premises owned, maintained, controlled, or operated” by Microsoft.3

Two weeks after the Warrant was issued, Microsoft filed a motion to quash, arguing that the district court lacked the authority to mandate the production of the customer's content information because the data, which was stored in Ireland, fell outside the SCA's exclusively domestic reach.4 In a Memorandum and Order dated April 25, 2014, Judge Francis rejected Microsoft's contention, concluding that Microsoft was obligated to produce the customer's content because the “structure of the SCA” and “legislative history” of the statute, taken together, evidenced that Congress, at the time it enacted the SCA, intended the SCA's warrant provisions to require the disclosure of information “regardless of where that information was stored.”5 Microsoft subsequently filed an appeal with the US Court of Appeals for the Second Circuit, which reversed Judge Francis's decision, holding that the SCA does not apply extraterritorially and thus cannot be used to compel the production of data stored abroad.

The US Legislative Scheme

The Electronic Communications Privacy Act

Before delving into the diverging analyses espoused by the district and appellate courts in this case, it is useful to first provide an overview of the SCA and its place within the broader Electronic Communications Privacy Act (ECPA).6 Passed in 1986, ECPA amended Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (the “Wiretap Act”), updating and clarifying privacy protections “in light of dramatic changes in new computer and telecommunications technologies.”7 At its core, ECPA protects “electronic communications” from unauthorized interception and regulates law enforcement's access to such communications.8 Additionally, ECPA protects and regulates stored electronic and wire communications and transactional records.9 This portion of the statute is known as the SCA.

The Stored Communications Act

Enacted as Title II of ECPA,10 the SCA was considered to be “remarkably forward looking for its time” and was passed by Congress, in large part, as a response to the Supreme Court's 1976 decision in United States v. Miller.11 In Miller, the Supreme Court established what has become known today as the “third party doctrine,” holding that individuals lack a reasonable expectation of privacy under the Fourth Amendment in information disclosed to institutional third parties, “even if the information is revealed on the assumption that it will be used only for a limited purpose and the confidence placed in the third party will not be betrayed.”12 Congress––in an effort to limit Miller's practical reach––accordingly designed the SCA to protect electronic communications, implementing provisions that, inter alia, criminalized unauthorized access to individuals' stored communications,13 restricted service providers from voluntarily disclosing their customers' communications,14 and regulated the government's ability to obtain user data.15

Stored Communications Act: Section 2703

For purposes of this discussion, Section 2703 of the SCA––which regulates the government's access to electronic communications––is particularly salient. Under Section 2703, the government may obtain information from electronic communication service (ECS) providers via three distinct avenues: administrative subpoenas,16 court orders,17 and warrants.18 With an administrative subpoena, the government may collect basic subscriber and transactional information, including a customer's name, address, telephone or IP number, telephone records, and payment information.19 Markedly, the government need not demonstrate probable cause in order to obtain an administrative subpoena, nor must it provide notice to the ECS customer that his or her information has been collected.20

The second data-procurement option available to law enforcement under the SCA, that is, applying for a court order, requires law enforcement to submit a statement of “specific and articulable facts showing … reasonable grounds to believe that the contents or records [sought] … are relevant and material to an ongoing investigation.”21 If a court deems this standard to be satisfied, it may grant the government access to additional noncontent information and, most significantly, the contents of e-mails that have been stored in a user's account for more than 180 days.22 A court order, unlike an administrative subpoena, requires that notice be given to the customer before the government can obtain the information.23

Lastly, an SCA warrant––which is the decree at issue in Microsoft Ireland––permits the government to obtain electronic communications that have been stored by an ECS provider for less than 180 days.24 A principal clause in the SCA warrant provision stipulates that federal courts, in issuing an SCA warrant, are to “us[e] the procedures described in the Federal Rules of Criminal Procedure,” and thus may only grant an application for an SCA warrant upon a showing of probable cause.25

Ireland-United States Mutual Legal Assistance Treaty

Had the government opted against using an SCA warrant, it could have obtained the sought-after e-mail contents through the use of a Mutual Legal Assistance Treaty (MLAT). Dating back to the 1970s, the United States has entered into dozens of MLATs with a number of countries around the world, all of which provide for varying degrees of “bilateral, mutual assistance in the gathering of legal evidence for use by the requesting state in criminal investigations and proceedings.”26

In 2001, the United States signed an MLAT agreement with Ireland (the “Ireland-U.S. MLAT”).27 As is the case with most MLATs, Ireland and the United States agreed to “provide mutual assistance in criminal proceedings and investigations, including the production of ‘documents, records, and articles of evidence’; and the execution of requested ‘searches and seizures.’”28 To set the MLAT process in motion, the government must submit a request to the Irish government describing the nature of the evidence and the purpose for which it is sought.29 After Ireland processes the request under Irish law, it may execute the request by issuing “a subpoena, search warrant, or any other necessary order.”30

Microsoft's Data Storage Protocols

Microsoft's Web-Based E-mail Service

Because Microsoft Ireland centers on Microsoft's data-storage procedures, it is helpful to provide a brief overview of the company's web-based e-mail service and the manner in which it responds to law enforcement requests. For nearly twenty years, Microsoft has provided users with free access to its “web-based e-mail” service.31 Though the service has existed under various domain names over the years––including Hotmail.com, MSN.com, and Outlook.com––the service itself has operated in essentially the same fashion:32 users simply type the website into the address bar of their computer, and, after entering their user name and password, are free to send and receive e-mail correspondence and store messages in personalized folders.33

Per its standard protocol, Microsoft stores the contents of each customer's e-mails, “along with a variety of non-content information related to the account and to the account's e-mail traffic,” on the “cloud,”34 which is essentially a network of shared computers or “servers” that provide services to clients.35 The servers, in turn, are housed in any one of the 100-plus datacenters operated by Microsoft and its subsidiaries around the globe.36 These datacenters are “critical” to Microsoft's operation in that they function as a “centralized location where computing resources (e.g., host computers, servers, peripherals, applications, data bases, and network access) … are maintained in a highly controlled physical environment (temperature, humidity, etc.).”37

Notably, when a user enters his or her physical location upon subscribing to the service, Microsoft's system “automatically determines, based on the user's country code,” where to “migrate[]” the user's data.38 By prioritizing user-data propinquity, Microsoft is thus able to improve its users' experiences by decreasing “network latency,”39 or the “delay” that is “inherent in web-based computing services …”40 It should be noted, though, that Microsoft “does not verify user identity or location” before making the transfer; rather, “it simply takes the user-provided information at face value, and its systems migrate the data according to company protocol.”41

Microsoft's Global Criminal Compliance Team

As an international corporation, Microsoft employs a Global Criminal Compliance (GCC) team to handle all of the company's law enforcement data requests.42 Operating out of California and Washington state, the GCC team responds to such requests by using a “database program” that first “determine[s] where the data for the target account is stored and then collects the information remotely from the server where the data is located, whether in the United States or elsewhere.”43

In the instant case, the GCC team's analysis revealed that while the “non-content” information sought by the government was stored on servers located in the United States, the corresponding “content information”––that is, the e-mail messages stored in the account––was stored on servers located at Microsoft's datacenter in Dublin, Ireland, which is operated by a wholly owned Microsoft subsidiary.44 Critically, per the procedures that Microsoft had in place at the time of these proceedings,45 the content information was deleted from domestic servers altogether once it was transferred outside of the United States.46

Acting on this discovery, Microsoft agreed to turn the domestically stored noncontent data over to law enforcement, but moved to quash the Warrant “to the extent that it directe[d] the production of information stored abroad.”47 Microsoft's argument rested on the notion that the government sought the drug trafficking suspect's e-mail under Section 2703(a) of the SCA, which––as outlined––stipulates that data be collected via “the procedures described in the Federal Rules of Criminal Procedure.”48 Fed.R.Crim.Proc. 41 (“Rule 41”), in turn, governs the issuance and execution of search warrants. Pertinently, Rule 41 prohibits federal courts from issuing “warrants for the search and seizure of property outside the territorial limits of the United States.”49 In light of this prohibition, Microsoft maintained that the Warrant must be quashed because the court––under the SCA's incorporation of Rule 41––lacked the authority to compel the production of the contents stored on Microsoft's Dublin-based servers.50

Microsoft Ireland: Magistrate Memorandum and Order

SCA Language Ambiguity

Magistrate Judge Francis was not persuaded by Microsoft's “simple, perhaps deceptive[]” argument.51 While acknowledging that Microsoft's analysis vis-à-vis the SCA's application to foreign-stored data was “not inconsistent with the statutory language,” Judge Francis found Section 2703(a)'s cross-reference to Rule 41 to be ambiguous “in one critical respect.”52 Specifically, Judge Francis explained that the pertinent provision could be read to mean––as Microsoft contended––that Section 2703(a) incorporates Rule 41 in its entirety, including the Rule's limitations on the territorial application of search warrants.53 Just as plausibly, however, the language could intimate “that while procedural aspects of the application process are to be drawn from Rule 41 (for example, the presentation of the application based on sworn testimony to a magistrate judge), more substantive rules,” including the warrant's territorial scope, “are [to be] derived from other sources.”54 “In light of this ambiguity,” Judge Francis opined, “it is appropriate to look for guidance in the statutory structure, relevant legislative history, [and] congressional purposes in order to define the territorial scope of the statute.”55

SCA Statutory Structure

Relying heavily on the writings of nationally recognized legal scholar, law professor, and former Department of Justice Prosecutor Orin S. Kerr, Judge Francis proceeded to engage in a lengthy review of the SCA. In doing so, he reasoned that the SCA warrant was, in part, akin to a “conventional” Fourth Amendment warrant in that the SCA requires the government to submit an application to a neutral magistrate, who is authorized to “issue[] the order only upon a showing of probable cause.”56 Conversely, however, Judge Francis explained that the SCA warrant is “like a subpoena” insofar as its “execut[ion]” does not trigger a physical search by law enforcement; instead, an SCA warrant simply requires that an Internet Service Provider (ISP), like Microsoft, submit the requisite information to the government independently.57 In other words, the SCA warrant was, in Judge Francis's estimation, a “hybrid: part search warrant and part subpoena.”58

Judge Francis's statutory interpretation thus supported the government's position that an SCA warrant “does not implicate the principles of extraterritoriality” because a subpoena, unlike a traditional warrant, “requires the recipient to produce information in its possession, custody, or control regardless of the location of that information.”59 Quoting Professor Kerr, Judge Francis clarified that this reading is consistent with the view that, “in the context of digital information, ‘a search occurs when data is exposed to possible human observation, such as when it appears on a screen,’” not “‘when it is copied by the hard drive or processed by the computer.’”60 Based on this understanding, Judge Francis resolved that the relevant place of seizure was the location where the government would review the content, not the place of storage. Thus, because Microsoft had the ability to obtain and view the e-mail content sought by the government on computers located within the United States, taken together with the soi-disant “hybrid nature” of an SCA warrant and its dearth of territorial restrictions, Judge Francis concluded that, based upon the statutory structure of the SCA, “no extraterritorial search [had] occurred.”61

SCA Legislative History

While conceding that the legislative history of the SCA is “scant,” Judge Francis nevertheless inferred that Congress “appear[ed] to have anticipated that an ISP located in the United States would be obligated to respond to a warrant issued pursuant to Section 2703(a) by producing information within its control, regardless of where that information was stored.”62 To support this contention, Judge Francis pointed to two House Committee reports, one issued at the time of the SCA's enactment in 198663 and another published on the heels of the Patriot Act of 2001.64 The 1986 report, in pertinent part, declared that “the controls in Section 201 of [the SCA] regarding access to stored wire and electronic communications are intended to apply only to access within the territorial United States.”65

In Judge Francis's view, this statement––though perhaps perspicuous on the surface––was “ambiguous” for two reasons: For one, the House, “in support of its observation that the ECPA does not regulate activities outside the United States,” cited Stowe v. Devoy, a 1978 opinion issued by the US Court of Appeals for the Second Circuit.66 In Judge Francis's words, Stowe held “that telephone calls intercepted in Canada by Canadian authorities were admissible in a criminal proceeding [in the United States] even if the interception would have [otherwise] violated Title III of the Omnibus Crime Control Act of 1968 [had the interception] occurred in the United States or been performed by United States officials.”67 According to Judge Francis, this holding “suggest[ed] that Congress was addressing not the reach of government authority, but rather the scope of the individual rights created by [ECPA].”68

Second, Judge Francis found that the Committee, in referring to “access” of electronic communications under the SCA, “did not make clear whether it meant access to the location where the electronic data was stored or access to the location of the ISP in possession of the data.”69 This ambiguity, taken together with the Committee's reference to Stowe, indicated––in Judge Francis's judgment––that Congress did not intend to limit the SCA's application to domestically stored data only.70

The second House report relied upon by Judge Francis spoke to the Committee's interpretation of Section 108 of 2001's Patriot Act, which amended Section 2703 of the SCA by “provid[ing] for nationwide service of search warrants for electronic evidence,” thus annulling Rule 41's requirement that “the ‘warrant’ be obtained ‘within the district’ where the property is located.”71 According to the Committee, the amendment sought to “address the investigative delays caused by the cross-jurisdictional nature of the Internet” by “authoriz[ing] [a] court with jurisdiction over [an] investigation to issue [a] warrant directly” to law enforcement, regardless of where the ISP in possession of the information was headquartered.72

Notably, Judge Francis found this language to be “significant” in that “it equate[d] ‘where the property is located’ with the location of the ISP, not the location of any server.”73 Such language, in his opinion, demonstrated that Congress “anticipated that an ISP located in the United States would be obligated to respond to a warrant issued pursuant to section 2703(a) by producing information within its control, regardless of where that information was stored.”74

Warrant Territoriality: Practical Considerations

After interpreting both the statutory structure and legislative history of the SCA, Judge Francis turned to the “substantial” burden that would be placed on both the government and law enforcement if Microsoft's interpretation of the SCA were to prevail.75 For one, Judge Francis propounded that a criminal could potentially “evade an SCA warrant by the simple expedient of giving false residence information, thereby causing the ISP to assign his account to a server outside the United States.”76 Additionally, without the ability to rely on an SCA warrant, law enforcement would be forced to obtain data stored abroad pursuant to the Ireland-US MLAT.77 Once again quoting Professor Kerr, Judge Francis noted that the MLAT “process generally remains slow and laborious, as it requires the cooperation of two governments and one of those governments may not prioritize the case as highly as the other.”78 By the same token, because only approximately sixty countries have entered into MLAT agreements with the United States, there is the possibility that, absent an ability to rely upon the SCA, information stored on foreign servers could “be completely unavailable to American law enforcement …”79 In sum, Judge Francis found that these “practical implications … [made] it unlikely that Congress intended to treat a Section 2703(a) order as a warrant for the search of premises located where the data is stored.”80

American Jurisprudential Principle of Extraterritoriality

The final portion of Magistrate Judge Francis's analysis focused on the “presumption against territorial application,” a time-honored principle in American jurisprudence that provides, “[w]hen a statute gives no clear indication of an extraterritorial application, it has none.”81 For its part, Microsoft relied heavily on this principle, arguing that because “[f]ederal courts are without authority to issue warrants for the search and seizure of property outside the territorial limits of the United States,” the Warrant, “to the extent that [it] … require[d] acquisition of information from Dublin,” was “unauthorized and must be quashed.”82

Though Microsoft cited a host of cases in support of the proposition that the court lacked the authority to enforce the Warrant,83 Judge Francis found them to be “inapposite” because the opinions “refer[red] to conventional warrants,” not SCA warrants.84 For Judge Francis, the cases cited by Microsoft were extraneous because an SCA warrant does not purport to regulate any foreign conduct whatsoever. In particular, he noted that the SCA does not “criminalize conduct taking place in a foreign country[,] involve the deployment of American law enforcement personnel abroad[,] [or] require even the physical presence of service provider employees at the location where data are stored.”85 Judge Francis thus found that an SCA warrant imposes obligations only on the service provider within the United States, and thus cannot be said to violate the presumption against extraterritoriality or otherwise “limit the ability of law enforcement agents to obtain account information from domestic service providers who happen to store that information overseas.”86

Magistrate Opinion Conclusion

In conclusion, Judge Francis denied Microsoft's motion to quash. Shortly thereafter, the district court agreed to stay the execution of the Warrant pending review of Judge Francis's decision by a district judge.87 On July 31, 2014, Chief US District Judge Loretta Preska heard oral argument on Microsoft's objections and, on the same day, affirmed Judge Francis's ruling from the bench.88 Microsoft, however, refused to comply with the Warrant despite Judge Preska's ruling and was found in contempt of court.89 Though Microsoft was prepared to remain in contempt, Judge Preska eventually stayed the execution of the warrant pending Microsoft's appeal to the Second Circuit.90

Microsoft Ireland: Second Circuit Decision

Framing the Issue

On appeal, the three-judge panel of the Second Circuit framed the Microsoft Ireland issue as follows: “[W]hether Congress, in enacting the warrant provisions of the SCA, envisioned and intended those provisions to reach outside of the United States.”91 To answer this, the court engaged in a two-part inquiry: First, the court looked to whether “the relevant statutory provisions contemplate[d] extraterritorial application,” an inquiry that prompted the court to examine the plain language and legislative history of the SCA.92 Answering this question in the negative, the court then “assess[ed] whether [an] enforcement of [the] Warrant [would] constitute an unlawful extraterritorial application of the [SCA].”93 Answering this question in the affirmative, the court concluded that “[t]he SCA Warrant in this case may not lawfully be used to compel Microsoft to produce to the government the contents of a customer's e-mail account stored exclusively in Ireland.”94

Whether Section 2703 Contemplates Extraterritorial Application

“When interpreting the laws of the United States,” the court explained, “we presume that legislation of Congress ‘is meant to apply only within the territorial jurisdiction of the United States.’”95 Applying this “strong and binding” presumption to the SCA,96 the court found, “with relative ease,” that the SCA's provisions “do not contemplate or permit extraterritorial application.”97 In fact, the government conceded this very point during oral argument, stating that the text of the SCA provides for “no extraterritorial application … at all.”98

Notwithstanding the government's contention, the court embarked on a thorough review of the SCA, a discussion that focused most heavily on whether Judge Francis's “subpoena-warrant distinction” could be supported by the plain language and legislative history of the statute.99 For its part, the government urged the court to adopt Judge Francis's hybrid theory, arguing that the SCA treats “subpoenas, orders, and warrants” in essentially the same fashion; that is, they are all “equally empowered to obtain records … through a disclosure requirement directed at a service provider.”100 Thus, from the government's perspective, disclosures concomitant with an SCA warrant should not be restricted to domestically stored documents only, but rather to all records that are available to the recipient, regardless of their location.101

The Second Circuit, however, disagreed with this reading of the SCA and accordingly rejected the government's position. In doing so, the court focused on two primary aspects of the SCA: (1) the SCA's plain language and (2) the SCA's legislative history.

Plain Language of the SCA

First, the court pointed to the plain language of the SCA, observing that a “warrant,” as traditionally understood in the Fourth Amendment context, is “moored to privacy concepts applied within the territory of the United States” whereas subpoenas “may require the production of communications stored overseas.”102 In the court's opinion, the fact that Congress created a “pyramidal structure governing conditions under which service providers must disclose stored communications to the government” signaled that the legislature was aware of the legal distinction between warrants and subpoenas.103 Specifically, the court explained that Section 2703 does not use “warrant” and “subpoena” interchangeably, but rather uses each instrument to both signal and provide varying levels of protection to distinctive forms of stored communications.104 Given the plain language of the statute, the court saw “no reasonable basis … from which to infer that Congress used ‘warrant’ to mean ‘subpoena.’”105

Moreover, the court found that the SCA's plain language lacked an “affirmative indication” that Congress intended the law to apply extraterritorially.106 As a case in point, the court highlighted the language in Section 2703(a), which permits state courts to issue an SCA warrant by means of its own warrant procedures.107 “We think it particularly unlikely,” the court emphasized, “that[] if Congress intended SCA warrants to apply extraterritorially, it would provide for such far-reaching state court authority without at least addressing the subject of conflicts with foreign laws and procedures.”108 Accordingly, the court concluded that there was no textual support for the proposition that Congress “intended to jettison the centuries of law requiring the issuance and performance of warrants in specified, domestic locations, or to replace the traditional warrant with a novel instrument of international application.”109

Legislative History of the SCA

The court's review of the SCA's legislative history likewise led it to conclude that the statute carries no force outside of the United States. In this regard, the court took special notice of the post-Patriot Act congressional report relied upon by Magistrate Judge Francis, and, in doing so, found that Congress said “nothing about the need to cross international boundaries,” but instead spoke to “discrete objects located within the United States.”110 For the court, the “Committee's discussion reflect[ed] no expectation that the material to be searched and seized would be located any place other than where the service provider was located,” that is, “within the United States.”111 Thus, the court repudiated Judge Francis's reading of the SCA's legislative history, concluding that “Congress did not intend the SCA's warrant provisions to apply extraterritorially.”112

Discerning the “Focus” of the SCA

After concluding that the SCA does not “contemplate or permit extraterritorial application,” the court turned next to the question of whether the case at bar involved a prohibited application of the statute. To that end, the court sought to determine whether the “domestic contacts presented by the case” fell within the “focus” of Section 2703.113 In other words, it was clear to the court that the dispute unquestionably involved a certain degree of contact with the United States, as Microsoft is headquartered in the United States and the SCA is a domestic statute.114 Thus, if the court deemed these domestic contacts to fall within the focus of the SCA, then the application of the Warrant would not be unlawfully extraterritorial. On the other hand, if the court found the domestic contacts to be “merely secondary … to the statutory ‘focus,’” then Section 2703's application to the case would be extraterritorial and therefore precluded.115

In ascertaining the “focus” of Section 2703, the court once again looked to the text and plain meaning of the SCA. Echoing its aforementioned analysis of the subpoena-warrant distinction, the court opined that the “most natural reading” of Section 2703 “suggest[ed] a legislative focus on the privacy of stored communications.”116 Specifically, the court explained that the SCA's cross-reference to the Federal Rules of Criminal Procedure, coupled with its place in the broader ECPA, suggested “privacy as a key concern,” the “overall effect” of which was “the embodiment of an expectation of privacy in [stored] communications, notwithstanding the role of service providers in their transmission and storage, and the imposition of procedural restrictions on the government's (and other third party) access to priority stored communications.”117

Having concluded that user privacy stood at the forefront of the SCA's focus, the court thus found “unpersuasive the government's argument … that the SCA's warrant provisions … be read to focus on ‘disclosure’ rather than privacy …”118 To buttress its position, the court quoted several congressional passages that were written at the time of the SCA's enactment, all of which “expressed a concern that developments in technology could erode the privacy interest that Americans traditionally enjoyed in their records and communications.”119 Taken as a whole, the court concluded that, “[a]lthough Congress did not overlook law enforcement needs in formulating the statute,” its “impetus and focus” were the “Act's privacy protections …”120

Extraterritoriality of the Warrant

Once the court established that the SCA focuses principally on user privacy, it had “little trouble concluding that execution of the Warrant would constitute an unlawful extraterritorial application of the [SCA].”121 Indeed, the court deduced from the SCA's privacy-oriented structure that “the invasion of the customer's privacy,” that is, the seizure of the customer's e-mail communications, must necessarily take place under the SCA “where the customer's protected content is accessed,” regardless “of the customer's location and regardless of Microsoft's home in the United States.”122 To hold otherwise, in the court's view, would not only ignore “the powerful clues in the text of the statute, its other aspects, its legislative history, and the use of the term of art ‘warrant,’” but also would infringe upon “the interests of comity” that “ordinarily govern the conduct of cross-boundary criminal investigations.”123

Accordingly, the court held that because “the SCA does not authorize a U.S. court to issue and enforce an SCA warrant against a United States-based service provider for the contents of a customer's electronic communications stored on servers located outside the United States,” the “SCA warrant in this case may not lawfully be used to compel Microsoft to produce to the government the contents of a customer's e-mail account stored exclusively in Ireland.”124

Second Circuit Judge Gerald E. Lynch Concurrence

In a well-reasoned concurrence, Judge Gerald E. Lynch wrote separately to explain why the “government's arguments are stronger” than the majority acknowledged and to further “emphasize the need for congressional action to revise a badly outdated statute.”125 For Judge Lynch, the issue facing the court was “not actually about the need to enhance privacy protections for information that Americans choose to store in the ‘cloud,’” but rather “whether Microsoft [could] thwart the government's otherwise justified demand for the e-mails … by the simple expedient of choosing … to store them on a server in another country.”126 In other words, the “dispute here is not about privacy, but rather the international reach of American law.”127 This question, that is, “[w]hether American law applies to conduct occurring abroad,” was not––in Judge Lynch's view––for the courts to decide; instead, the court did “its best to understand what Congress ha[d] intended,” but until Congress provides an indication as to whether the SCA is to have application beyond American borders, the SCA can only be applied as it is currently constructed, that is, domestically.128

Moreover, Judge Lynch explained that the dispute did not––as Microsoft so strongly advocated––“involve[] a government threat to individual privacy.”129 To the contrary, the government, in submitting an application for an SCA warrant based on probable cause, “complied with the most restrictive privacy-protecting requirements of the Act.”130 In this sense, had the government merely sought e-mails that were stored on Microsoft's servers in Redmond, Washington, “there would be [no] constitutional obstacle to the government's acquiring them by the same means that it used in this case.”131

Building on this notion, Judge Lynch explained that, for now, the court's holding affords an “absolute protection” to “foreign customers[] and those Americans who say they reside abroad;” a ruling that, in essence, means the government “can never obtain a warrant that would require Microsoft to turn over those emails, however certain it may be that they contain evidence of criminal activity, and even if that criminal activity is a terrorist plot.”132 Judge Lynch noted that this understanding holds true regardless of whether the government procures an SCA warrant or subpoena, as the majority's holding “strongly suggests” that “the use of the SCA to compel the disclosure of any e-mail-related records stored abroad is impermissibly extraterritorial, regardless of the category of information or disclosure order.”133 Such a holding, in Judge Lynch's view, “should [not] be regarded as a rational policy outcome, let alone celebrated as a milestone in protecting privacy.”134

Judge Lynch further underscored the fact that, in determining the “focus” of the SCA, the court was unable to assess “whether the customer is a United States person or not …”135 This fact “should matter” because, as Judge Lynch explained:

The case looks rather different … if the American government is demanding from an American company emails of an American citizen resident in the U.S., which are accessible at the push of a button in Redmond, Washington, and which are stored on a server in Ireland only as a result of the American customer's misrepresenting his or her residence, for the purpose of facilitating domestic violations of American law, by exploiting a policy of the American company that exists solely for reasons of convenience and that could be changed, either in general or as applied to the particular customer, at the whim of the American company.136

In such a scenario, Judge Lynch opined that “it would be remarkably formalistic to classify such a demand as an extraterritorial application of what is effectively the subpoena power of an American court.”137 Thus, had the identity of the suspect been known, it would have been “at least equally plausible,” in Judge Lynch's opinion, “that the invasion of privacy occur[red] where the person whose privacy [was] invaded customarily resides.”138

In conclusion, Judge Lynch––despite ultimately agreeing with the disposition of the case––stressed his “skeptic[ism] of the conclusion that the mere location abroad of the server on which the service provider has chosen to store communications should be controlling.”139 Accordingly, he called on Congress to revise the SCA, with a view to:

maintaining and strengthening the Act's privacy protections, rationalizing and modernizing the provisions permitting law enforcement access to stored electronic communications and other data where compelling interests warrant it, and clarifying the international reach of those provisions after carefully balancing the needs of law enforcement (particularly in investigations addressing the most serious kinds of transnational crime) against the interests of other sovereign nations.140

Microsoft Ireland: What it all Means

Pros and Cons: An Overview

Depending on whom you ask, Microsoft Ireland stands as a decision to be celebrated or criticized. For supporters of the Second Circuit's decision, it “represents an important victory for individual privacy,”141 a win “against government surveillance,”142 and a “refreshing ruling for the right to be left alone.”143 On the other side of the aisle, the “surprise ruling” is “concerning,”144 “undermines public safety,”145 and signifies “a harbinger of conflicts to come.”146 Nevertheless, both supporters and critics alike agree that Microsoft Ireland and its data-location-centric test carry critically important legal and policy ramifications for the future of the global Internet and cloud computing. To explore these implications more fully, the ensuing section provides an overview of the arguments both for and against the Microsoft Ireland decision. Before doing so, however, a brief primer on “cloud computing” and the current state of the Internet is necessary.

Defining the “Cloud”

For some, Microsoft Ireland is better characterized as “the Microsoft cloud case.”147 Just a few years ago, the concept of data storage––and, for that matter, law enforcement access to data––was rooted in the “personal computing model” (PC model) whereby users accessed, stored, and managed their data “on a local machine,” such as “a cell phone or computer.”148 Under the PC model, e-mail “existed in two locations, known to both users;” while intermediaries “may have stored the e-mails briefly,” the user was ultimately responsible for storing and maintaining the inbox, much like physical mail.149

Today, however, the PC model has been rendered all but obsolete with the advent of cloud computing, as users are now able to outsource their storage and processing to companies like Microsoft, which stores the data on its own network of servers.150 Cloud computing, as explicated by the National Institute of Standards and Technology (NIST), thus provides users with “ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources … that can be rapidly provisioned and released with minimal management effort or service provider information.”151 As a result, “everyday processes and information that [were] typically run and stored on local computers––email, documents, calendars––” can now, thanks to the cloud, “be accessed securely anytime, anywhere, and with any device through an Internet connection.”152 Markedly, the ability to store data in the cloud––as explained by IBM Cloud Data Services Specialist, Kenneth Henry––“allows a person using a cellphone in Starbucks to have the same amount of power and compute over their data as a Fortune 500 company.”153

Though cloud computing may seem esoteric to the layman,154 the fact of the matter is that some 70 percent of “online Americans use webmail services, store data online, or use software programs such as word processing applications[,] the functionality of which is located on the web.”155 Leading services in this realm include Apple iCloud, Google Drive, and Dropbox, all of which provide businesses and consumers alike with ready access to cloud computing technology.156 Indeed, Microsoft Ireland centered on whether the government could access the contents of a Microsoft customer's e-mails that had been sent via Microsoft's web-based e-mail service, MSN. By utilizing a “public cloud” model called “Software as a Service,”157 Microsoft is able to store its customers' emails on Irish data servers, which customers can then retrieve simply by logging into their accounts at MSN.com.158

In no uncertain terms, the cloud has revolutionized the global economy, as transatlantic data transfers are now the norm.159 With access to virtually unlimited remote storage and processing power, companies both large and small have increased their business efficiencies while dramatically cutting IT costs.160 Handheld computers with greater computing power than Apollo 11 are now commonplace.161 The fusion of the cloud with the “Internet of Things” (IoT) has fashioned an intelligent, globally connected network paradigm that has revolutionized the way in which we share and access information.162 Thus, it is no surprise that Microsoft Ireland, as the first case to address the legal corollaries attendant to the location of data in the cloud, is considered by so many to be of such critical importance.

Microsoft Ireland: The Arguments For

Safeguarding Privacy while Respecting Foreign Laws

Supporters of the court's decision in Microsoft Ireland are quick to note that the US government sought to obtain data in a manner that violated Irish law, namely the Irish Data Protection Acts and the EU Data Protection Directive.163 Indeed, Irish Minister of State for European Affairs and Data Protection, Dara Murphy, openly objected to the United States' disregard for Irish law,164 and the Irish government––in a “rare move for a nation state”––filed an amicus curiae brief in the case, noting that it “would be pleased to consider, as expeditiously as possible, a request” under the US-Ireland MLAT agreement.165 Yet the American government, as mentioned, opted against using the MLAT process, which would have required it to seek authorization from an Irish judge in order to obtain the data stored at Microsoft's Dublin-based datacenter.166

In holding that the government cannot use the SCA to obtain data stored overseas, the Second Circuit avoided––at least for the time being––creating a situation whereby companies would be forced to violate the laws of a foreign nation in order to comply with US law. Notably, an eschewal of this scenario takes on heightened significance in light of the fact that Ireland is currently home to a number of datacenters owned and operated by several major American tech companies, including, among others, Amazon, Google, and Apple.167

Had the Second Circuit ruled in favor of the government in Microsoft Ireland, it is likely that these companies would have been forced to comply with SCA warrants similar to the one levied against Microsoft. Such an open indifference toward Irish law, as Microsoft noted in its appellate brief, would not only have violated the “Golden Rule” of international relations, but would have further incentivized other countries to treat the United States in the same way that the United States treated Ireland, namely: “raid … offices in [foreign] jurisdictions and order them to download U.S. citizens' private e-mails [sent] from computers located in [the U.S.]”168 In fact, Edward Snowden echoed similar concerns in a 2014 interview with The Nation, stating:

So the question becomes what does, for example, the government in the Democratic Republic of Congo or China do the next time they've got a dissident Nobel Peace Prize nominee and they want to read his e-mail, and it's in an Irish data center? They're going to say to Microsoft, “You handed this stuff over to the DOJ; you're going to hand the same thing over to us.”169

Incentivizing unilateral access to data in such a manner may have yielded a “race to the bottom in terms of privacy protections,” as it would have been “increasingly difficult for the United States to protect its citizens' … data from the reach of foreign jurisdictions if at the same time it was unilaterally compelling production of data via the kind of broad-reaching warrant authority claimed” in Microsoft Ireland.170

Supporters of Microsoft Ireland maintain that the decision represents a sign of respect for European data privacy law, which, unlike American law, holds that “[e]veryone has the right to the protection of personal data concerning him or her” and that “data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.”171 Additionally, European law prohibits ECS providers from “transfer[ring] personal data outside of the EU unless they can guarantee equivalent levels of protection to those outlined in the [European Data Protection Directive].”172 Notably, the European Court of Justice invalidated the US-EU Safe Harbor Agreement in October 2015 on the basis that the “law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country.”173

For some, indifference toward foreign legislation only serves to augment the global apprehension concerning US government surveillance that developed in the wake of Edward Snowden's revelations in the summer of 2013.174 European Commission spokeswoman for justice, Mina Andreeva, responded to Magistrate Judge Francis' lower court decision by stating that “data should not be directly accessed by or transferred to U.S. law enforcement authorities outside formal channels of co-operation, such as the mutual legal assistance agreements or sectoral EU-US agreements authorising such transfers,” and that “companies operating on the European market need to respect the European data protection rules––even if they are located in the US.”175 Ms. Andreeva's sentiments paralleled those made by German Chancellor Angela Merkel, who––a few months prior to Judge Francis's ruling––“proposed building up a European communications network to help improve data protection and avoid emails and other data automatically passing through the United States.”176

With the Second Circuit's reversal of Magistrate Judge Francis, foreign countries may read Microsoft Ireland as a sign that the United States is willing to work in concert with other nations, as opposed to unilaterally, when seeking to procure data stored abroad. This methodological change may thus incentivize foreign leaders to enter into agreements with the United States in order to create a legal framework for addressing cross-border data requests, a negotiation process that would allow for the implementation of legal and policy objectives that are of particular importance to each country. In fact, the United States and the European Union approved a new international framework on July 12, 2016, to replace the recently invalidated Safe Harbor agreement.177 Entitled the “Privacy Shield,” the directive allows US organizations to join a program whereby they can “legally process personal data of EU citizens” so long as they commit to seven “Principles” for assuring the adequate protection of data, namely: notice, choice, accountability, security, purpose limitation, access, and recourse.178

Protecting the US Tech Industry

The second major benefit discussed by supporters of Microsoft Ireland is that an alternative ruling would have created a “huge competitive disadvantage” to the US tech industry––a scenario that would have added to the “severe damage” inflicted upon American tech companies following Snowden's revelations.179 Specifically, Snowden––who had been working as a technical specialist for the National Security Agency (NSA)––revealed that the NSA had been relying extensively on American tech companies to effectuate sweeping surveillance programs that surreptitiously collected personal data of individuals and dignitaries both at home and abroad.180 As Verizon Communications, Inc. (“Verizon”) explained in its amicus curiae brief, these revelations “heightened foreign sensitivities about the U.S. government's access to data abroad, generated distrust of U.S. companies by foreign officials and customers, and led to calls to cease doing business with U.S. communications companies and cloud service providers,” thus forcing US companies into “a competitive disadvantage with respect to their foreign competitors.”181 Brazil, for example, responded to Judge Francis's ruling by informing Microsoft that it would “not be renewing its license agreement” with the company “and would be adopting an in-house system” in order to “prevent possible espionage.”182

Post-Snowden, American tech companies sought to ease the fears of customers outside the United States by entering into contracts that “promis[ed] not to share data with other governments.”183 European competitors, however––in an effort to prevent customers from retreating back to US companies––broadcasted that US authorities retained the ability to collect data from US companies irrespective of where the data was stored.184 Scholars thus argue that if the Second Circuit had compelled Microsoft to comply with the Warrant, foreign citizens seeking to safeguard their privacy may have chosen to “stay away” from American companies, as the companies would have been legally required to turn over foreign citizens' data.185 Such a development would have likely cornered US companies into a considerable commercial disadvantage in the global economy.186 Indeed, “the largest global technology companies are currently U.S.-based,”187 all of which rely “on the ease of electronic information transfer between stat servers around the world without jurisdictional hindrance.”188 Therefore, had Microsoft Ireland come out the other way, it is likely that foreign retaliation against the US government's access would have caused devastating economic losses to American companies.189

A Plea to Congress: Revise ECPA

As Judge Lynch stressed in his concurrence, Congress needs “to revise a badly outdated statute.”190 This point was reiterated by Microsoft President Brad Smith, who stated that the “decision means it is even more important for Congress and the executive branch to come together to modernize the law.”191 The hope, then, is that Microsoft Ireland will serve as a powerful impetus for legislative reform and signal to Congress that it, not the courts, should decide whether ECPA is capable of protecting individuals' privacy in the technology-driven world of the twenty-first century.192 By refusing to stretch the SCA to heights it was never intended to reach, the Second Circuit affirmatively put Congress on notice of the SCA's outdated efficacy.

As it happens, two recently proposed bills are making their way through the Senate that, if implemented, would serve as a viable starting point for revising the SCA. The first, entitled the Law Enforcement Access to Data Stored Abroad (LEADS) Act, would codify the data-centric test outlined in Microsoft Ireland by precluding “the use of U.S. warrants to obtain communications content stored outside the [United States] unless the content is in the account of an American.”193 The LEADS Act would further refine the MLAT process by “requir[ing] the Department of Justice to create an online intake form through which foreign governments could request mutual legal assistance,” thus modernizing the MLAT process “so that countries can more easily obtain evidence abroad through their respective treaties.”194

The second bill is entitled the International Communications Privacy Act (ICPA). Introduced in May of 2016, the bipartisan ICPA embraces Judge Francis's approach to the collection of data, authorizing law enforcement to obtain the data of US citizens and other persons located within the United States regardless of where the data is stored so long as a warrant is obtained.195

Microsoft Ireland: The Arguments Against

The Dangers of Data Localization

Impact on Security and Privacy

By and large, those who take issue with the Second Circuit's decision express deep concerns about the potential for a global uptick in “data localization” laws. The concept of data localization is best understood, in short, as measures specifically designed to “encumber the transfer of data across national borders.”196 Such measures take a variety of forms, including: “rules preventing information from being sent outside the country; rules requiring prior consent of the data subject before information is transmitted across national borders; rules requiring copies of information to be stored domestically; and even a tax on the export of data.”197

Critics caution that the Second Circuit's emphasis on data location may provide a strong incentive for countries to implement “data localization” laws as a means of both ensuring and controlling foreign government access to sought-after data,198 a development that has been described as a threat that might “break” the Internet.199 In particular, it is argued that if such laws are “aggressively enforced,” data and Internet “nationalism” will be “bolster[ed] … at the expense of global economic growth,” leading to a restriction in cloud computing options and a reduction in “the free flow of data for legitimate legal, business, and scientific purposes.”200

For example, following the Snowden revelations, Russian President Vladimir Putin signed Federal Law No. 242, which “prohibit[s] the storing of Russians' personal data outside the Russian Federation.”201 Similarly, Brazil recently considered passing legislation “that would give the executive branch the power to force Internet companies ‘to install or use structures for storage, management, and dissemination of data in the country.’”202 Other countries, including China, South Korea, Germany, and France, have proposed data localization laws.203 The Microsoft Ireland opinion, then, seemingly plays right into these countries' understanding of sovereignty. As one scholar explained, “if you're Brazil or Russia, you are thinking: ‘yes, sovereignty turns on location of the data, which is why we are asking these foreign Internet firms to store data locally.’”204

Despite the fact that these countries peddle their data localization initiatives in the name of protecting privacy and security, evidence suggests that such efforts “are likely to undermine, not strengthen, the privacy and security of information.”205 For one, storing data in designated physical sites creates a “static” system of “data pooling” that is easier “to penetrate,” thus “creat[ing] [an] easy target[] for hackers.”206 In other words, by forcing data into a centralized location, service providers are “unable to take advantage of the Internet's distributed infrastructure,” thereby diminishing their ability to store data across multiple servers in different locations.207 As a result, users' data is amalgamated in one place, thus “offer[ing] a tempting jackpot, an ideal target for criminals.”208 Indonesia, for instance, is home to some of the world's most restrictive data localization laws.209 According to experts, “[c]yber security is notoriously weak” throughout the country, a development that has led to the nation being described as a “hacker's paradise.”210

By the same token, data localization may compromise user privacy. It is well known that privacy in the twenty-first century is essentially a double-edged commodity: On one hand, the monetization of “metadata” has come to define the marketing industry,211 as the Googles of the world have turned user-generated metadata into an advertising tool that allows companies to pitch their products to a targeted audience.212 On the other hand, many customers are aware of this phenomenon, and thus tend to buy devices and products from companies that have strong privacy policies in place.213 The definition of “privacy,” then, is––to put it bluntly––whatever companies like Microsoft and Apple say it is. Indeed, Judge Lynch took note of this very fact in his concurrence, explaining: “[T]he customer's privacy … is absolute as against the government; her privacy is protected against Microsoft only to the extent defined by the terms of her (adhesion) contract with the company.”214

All this is to say that private companies, “[b]y embedding strong privacy and security features into their communication systems, … can simultaneously limit governments' means of accessing data illegally or through broad surveillance laws.”215 The Apple-FBI encryption dispute following the mass shootings in San Bernardino, California, is one such example of this phenomenon at play.216 There, Apple's built-in password mechanism was such that the terrorist's iPhone was programmed to automatically erase the phone's data after ten incorrect password attempts.217 The government thus sought Apple's help in unlocking the phone, but Apple refused on grounds that doing so would have required the company to write new software, hence undermining the security of its devices.218 Apple's cold shoulder subsequently led the Department of Justice to apply for an order under the All Writs Act of 1789 “compelling Apple to provide ‘technical assistance’ to the warrant-execution effort.”219 The US District Court for the Central District of California granted the order, but, once again, Apple refused to comply.220 On March 28, 2016––the day before oral argument was scheduled to take place––the government dropped its case against Apple,221 opting instead to purchase a $1.3 million “secret” hacking tool in order to access the phone's data.222

The Apple-FBI showdown illustrates the impact that strong privacy policies can have on preserving freedom of expression;223 indeed, Apple argued that compelling it to write new software amounted to a violation of the company's First Amendment rights, a position that has some support in judicial precedent.224 With data localization laws, however, governments are afforded a “stronger legal claim over data” by virtue of the data's specified domestic location, and thus are able to more readily “manipulate and control” citizens' communications via legal means.225 Private companies, as a result, become “more vulnerable to censorship and surveillance demands” for information from law enforcement, hence “risking the safety and privacy” of the native population, especially “minority groups, journalists, and activists.”226

Impact on Technological Innovation

Second, data localization may stymie technological innovation. In recent years, the growth and promise of the IoT has become intrinsically intertwined with cloud computing. This is because IoT devices, standing alone, generally carry “limited storage and processing capacity,” thus leading to “consequential issues regarding reliability, performance, security, and privacy.”227 To combat these shortcomings, the IoT has turned to the cloud and its “virtually unlimited capabilities in terms of storage and processing power,” a synthesis that essentially “hides all the complexity and the functionalities” that are necessary for IoT functionality.228 For instance, the fusion of cloud computing and IoT devices in the healthcare industry has “enable[d] cost effective, efficient, timely, and high-quality ubiquitous medical services” without the need for “expertise in, or control over, the technology infrastructure,” a development that continues to transform the entire healthcare field.229

As the world continues to rely on IoT devices, the technological exacerbation caused by data localization laws will only intensify. Cloud computing relies on the free-flow of data, and by “staunch[ing] data at national borders,” data localization will force IoT devices to rely on “expensive and cumbersome national infrastructures,” a dependence that may “erode[] the promise” of the IoT.230

Data Territoriality and its Impact on Law Enforcement Investigations

Consider the following scenario:

Twenty years ago, a kidnapper might have confessed to a crime by writing in his diary. The police, with cause and a warrant, might search the suspect's apartment for that admission. Today, the same admission is just as likely to be stored online, far from the reach of the police. Instead of seeking access to the suspect's apartment, the police would seek access to his e-mail account, which may or may not be managed within their jurisdiction. Increasingly, the evidence that law enforcement officers seek is stored on servers controlled by a foreign company, and that company would assert that the data is in another jurisdiction.231

Microsoft Ireland embodies this problem. For some critics, the court's data-centric test “makes little sense in the era of the cloud” because the “physical location of the data” can “change at different points in time,” thus denying US law enforcement access to data that it would otherwise have a right to acquire.232 Importantly, the target in Microsoft Ireland was not an American citizen, but the point is well taken. Theoretically, a US citizen could commit a crime on American soil, but his or her data might be stored abroad. Under Microsoft Ireland, the government would, as it stands today, be forced to go through the MLAT process, a lengthy and complex undertaking that takes, on average, about ten months to complete.233

The crux of the problem, at least for some, is that the court's assumption in Microsoft Ireland vis-à-vis the location of data––that is, that the data is both immobile and unabridged in a specific location––misconstrues the inherently mobile nature of cloud-based storage.234 Oftentimes, when data is stored in the cloud, “it does not reside in a single fixed, observable location;” instead, data is frequently “moved around for technical processing or server maintenance reasons,” in many instances without the user's knowledge.235 It is therefore conceivable that, under Microsoft Ireland, courts may be forced to accept “arbitrary outcomes,” for example, if law enforcement seeks information related to an exclusively domestic investigation, yet is prevented from accessing the target's data because it was circuitously stored abroad.236

This scenario becomes more problematic if the service provider segments users' data and distributes it onto various servers in different locations or jurisdictions. In other words, some companies structure their networks around state lines––for example, Microsoft's country-specific cloud in Germany; however, other companies like Facebook and Google––both of which were notably absent from the Microsoft Ireland amicus filings––“structure their network largely independent of state lines,” storing “data [either] in the U.S. or ‘somewhere in the network.’”237 Under the latter storage method, data is often “copied or divided up into multiple parts and stored in multiple places––some territorially and some extraterritorially.”238 With Gmail, for instance, a given e-mail message may be stored in several data centers far from the user's location while the attachment to the message could be stored in several other data centers.239 Thus, depending on the specific kind of cloud service offered, law enforcement may only have access to bits and pieces of content.240

As it happens, a federal magistrate judge in the US District Court for the Eastern District of Pennsylvania tackled this very issue in a February 2017 case centering on Google's refusal to comply with an SCA warrant compelling it to turn over email data stored abroad.241 There, the court rejected Google's reliance on Microsoft Ireland “because of the changeable and divisible nature of Google's cloud technology,” a dispositive fact that, for the court, made “Google's case … easily distinguishable from the facts in [Microsoft Ireland], wherein all the relevant user data of a presumably Irish citizen was located exclusively in one data center in Ireland and remained stable there for a significant period of time.”242 The court accordingly refused to extend Microsoft Ireland's data-centric rationale to the case at bar, concluding that Google's decision to make its users' data a “moving target … create[d] an insurmountable obstacle for the Government to overcome in the MLAT process,” hence making it “impossible for the Government to obtain the sought-after user data …”243 As a result, Google was ordered to comply with the SCA warrant, a mandate that required Google to “gather the requested undisclosed data on its computers in California, copy the data in California, and send the data to law enforcement agents in the United States, who will then conduct their searches in the United States.”244

3. Alternative Data-Procurement Methods

Without the ability to acquire data via an SCA warrant, some have argued that the government may seek to employ alternative data-procurement means. Executive Order (EO) 12333, for example, permits the government to engage in foreign surveillance simply by seeking approval from the attorney general or NSA director.245 Unlike the Foreign Intelligence Surveillance Act (FISA), EO 12333 does not carry a notice requirement, nor does it mandate that Congress be informed of initiatives taken under the order.246 Additionally, “[p]rocedural protections, including protections for U.S. citizens, seem to be weaker under EO 12333 than FISA.”247 In fact, the NSA recently acknowledged that EO 12333––not FISA––is “the foundational authority by which NSA collects, retains, analyzes, and disseminates foreign signals intelligence information.”248

Scholars thus argue that, in the wake of Microsoft Ireland, the government may adopt the position that data stored on foreign servers is exclusively extraterritorial, and thus subject to EO 12333.249 In 2013, for example, it was revealed that the NSA had been intercepting Google and Yahoo! Internet traffic from servers located outside the United States under its MUSCULAR/TURMOIL program.250 This program, which “allegedly collected up to 180 million user records (including those of Americans) per month abroad,” operated by tapping fiber-optic cables in foreign territories, thus allowing the NSA to collect “huge volumes of both interdomain and intradomain telecommunications (including Internet, telephony, facsimile, and VoIP traffic) generated by hundreds of different automated systems.”251

Similarly, there are strong reasons to believe that the government has been diverting traffic outside of the United States to foreign soil by “deliberately manipulating … the Internet's core protocols,” thus allowing the government to intercept data of US persons under the authority of EO 12333.252 Edward Snowden alluded to this fact in a 2015 interview with HBO's John Oliver:

EO 12333 is what the NSA uses when the other authorities aren't aggressive enough or aren't catching as much as they'd like … When you send [a picture] through Gmail, for example, that's stored on Google's servers. Google moves data from datacenter to datacenter invisibly to you, without your knowledge. Your data could be moved outside the borders of the United States, temporarily. When [the picture] was passed by Gmail, the NSA caught a copy of that.253

Thus, due to the heightened weight assigned to the location of data by Microsoft Ireland, the executive branch could conceivably seek to get its hands on data stored abroad by using the authority and power granted to it under EO 12333.

Looking Forward: Recommendations and Proposals for Reform

Fifteen years ago, renowned inventor and self-identified “futurist” Ray Kurzweil––now Google's Director of Engineering––penned an essay entitled “The Law of Accelerating Returns,” a brilliant exposition delineating the rate of technological progress. Grounded in his core thesis that “fundamental measures of information technology follow predictable and exponential trajectories,”254 Kurzweil explains that the “paradigm shift rate”, that is, the rate of technological progress relative to human history, is––quite literally––growing exponentially, meaning that “we won't experience 100 years of progress” in the twenty-first century; instead, the growth rate “will be more like 20,000 years of progress.”255

ECPA was enacted in 1986. As Kurzweil's model illustrates, Congress could not possibly have envisioned how the statute would apply to electronic communications in the year 2017. Fortunately, Microsoft Ireland all but obligates Congress to begin the reformation process.

Proper reform requires balancing a litany of (sometimes conflicting) factors, taking into consideration the various interests related to national security, domestic law enforcement investigations, individual privacy, and the law of foreign countries. Understanding the distinctions among various cloud computing types bears on this issue as well, as the nature of cross-border data transfers fluctuates with each model.256 Similarly, future legislation should explicitly demarcate its extraterritorial application while underscoring the importance of reciprocity; that is, the statute should not only define the United States' ability to access data stored abroad, but should delineate other countries' access to data stored in the United States as well.

Most critically, though, future legislation should avoid the dire mistake of tying its application to technology-specific considerations, an approach that has unfortunately been adopted time and time again by both Congress and the judiciary alike. Avoiding this misstep is important because history has shown that attempts to define a particular law so that it dovetails with the most advanced technology in place at any given time inevitably generate an outcome whereby the law becomes outdated at the very moment it comes into force. To illustrate this point, consider ECPA: its application is rooted entirely in the manner in which communications are “transmitted” or “stored,”257 not the privacy interest at stake, hence the battle in Microsoft Ireland vis-à-vis the location of the data as opposed to the target's expectation of privacy in the contents of the emails. The same can be said for the Supreme Court's landmark 2012 opinion in United States v. Jones, where the Court held that the government violated the Fourth Amendment by placing a physical GPS device on the bottom of the defendant's vehicle without a warrant or consent, but only because the government “physically occupied private property for the purpose of obtaining information.”258 Thus, had the government virtually tracked Jones's car for 28 days without a warrant, then––under the Majority's opinion––no violation would have occurred because there would not have been an impermissible physical intrusion.259

All this is to say that, in order to promulgate meaningful reform, any future legislation should first specify the privacy interest it seeks to address irrespective of the pertinent technology that governs the interest. Two proposed bills, in fact, attempt to do just that: The ECPA Amendments Act of 2015 and the Email Privacy Act––which are nearly identical in text––would, inter alia, place communications providers under the same legal requirement; “eliminate the current 180-day rule found in the SCA and require a warrant for emails no matter how long they have been stored or whether they have been opened; and remove the reliance on the definition of ‘electronic storage,’ which has confused the lower courts.”260

ICPA likewise offers a balanced approach. The proposal does away with the data-location-centric test established in Microsoft Ireland, but makes clear that law enforcement may only access data belonging to a US person or entity.261 The proposal would also reform the MLAT process by prioritizing accessibility, transparency, and accountability.262 It further expresses that data providers should not be subject to data localization laws, a vital recognition that underscores the importance of safeguarding privacy and encouraging innovation.263 On the whole, ICPA respects foreign law by prohibiting the collection of foreign citizens' data absent an explicit authorization from the citizens' home state, yet ensures American law enforcement are not at the mercy of private companies and their respective data storage practices.

In terms of adding additional safeguards, any future legislation would be well served to codify the Sixth Circuit's holding in United States v. Warshak, 631 F.3d 266 (6th Cir. 2010). There, the court held that the government must obtain a warrant based on probable cause before accessing e-mails stored with cloud service providers, and that a failure to do so violates the Fourth Amendment.264 The proposal should also require the government to notify customers that their data has been or will be collected, as doing so affords individuals an opportunity to secure adequate legal counsel.

Conclusion

Going forward, there are sure to be significant knock-on effects that stem from Microsoft Ireland's emphasis on where data is stored in the cloud. On one hand, it represents a sign of respect to other nations that the United States is perhaps willing to dial back its efforts to unilaterally collect data on foreign citizens, a gesture that could bode well for the implementation of transatlantic treaties and agreements. On the other hand, the court's emphasis on data location may fuel data localization initiatives that could hinder technological development while simultaneously jeopardizing privacy. Most importantly, though, Microsoft Ireland challenges Congress to end its thirty-year reformation hiatus and engage in a concerted effort to revise the severely outdated electronic communications framework. Until then, impending legal and policy decisions will determine whether Microsoft Ireland is a victory for privacy, a threat to the global Internet, or somewhere in between.

Footnotes

1.

In re Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., 15 F. Supp. 3d 466, 467 (S.D.N.Y. 2014), rev'd and remanded sub nom. Matter of Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., No. 14-2985, 2016 WL 3770056 (2d Cir. July 14, 2016) [hereinafter Microsoft I].

2.

Ibid., 468. The individual, an Irish citizen, has since been identified. According to a June 2016 report from the Times of London, the suspect is 28-year-old Gary Davis, an Irish man suspected of being an administrator of the dark web drug marketplace known as the “Silk Road.” He is currently fighting extradition to the United States to face criminal charges. See Rogan.

3.

Microsoft I, 15 F. Supp. 3d 467.

4.

In re Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., No. 13-MJ-2814, 2014 WL 4629624, *1 (S.D.N.Y. Aug. 29, 2014), rehearing en banc denied, No. 14-2985, 2017 WL 362765 (2d Cir. Jan. 24, 2017) [hereinafter Microsoft II].

5.

Microsoft I, 15 F. Supp. 3d 472 (internal citation omitted).

6.

18 U.S.C. §§ 2510–2712.

7.

Dombrow (quoting S. Rep. No. 99–541, 1 [1986]).

8.

Fishman and McKenna.

9.

Ibid., § 25:5 (emphasis added).

10.

18 U.S.C. §§ 2701–2712.

11.

Schlabach, (citing United States v. Miller, 425 U.S. 435 [1976]).

12.

Miller, 425 U.S. 443.

13.

18 U.S.C. § 2701.

14.

Ibid., § 2702.

15.

Ibid., § 2703.

16.

Ibid., § 2703(c)(2).

17.

Ibid., § 2703(d).

18.

Ibid., § 2703(a).

19.

Ibid., § 2703(c)(2)-(3). The government can also obtain this account information using a court order or warrant.

20.

Ibid.

21.

Ibid., § 2703(d).

22.

Ibid., § 2703(d).

23.

Ibid., § 2703(b)(1)(B). But see 18 U.S.C. § 2703(b)(1)(B) (allowing delayed notice for maximum of ninety days “upon the execution of a written certification of a supervisory official that there is reason to believe that notification of the existence of the subpoena may have an adverse result.”)

24.

Ibid., § 2703(a).

25.

Ibid.

26.

In re Premises Located at 840 140th Ave. NE, Bellevue, Wash., 634 F.3d 557, 564 (9th Cir. 2011).

27.

Treaty Between the Government of the United States of America and the Government of Ireland on Mutual Legal Assistance in Criminal Matters, U.S.-Ire., Jan. 18, 2001, T.1.A.S. 13137 [hereinafter Ireland-U.S. MLAT].

28.

Ibid., Art. I(2)(b), (f).

29.

Ibid., Art. 4.

30.

Ibid.

31.

Matter of Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., No. 14-2985, 2016 WL 3770056, *8 (2d Cir. July 14, 2016) [hereinafter Microsoft III].

32.

Microsoft I, 15 F. Supp. 3d 467.

33.

Ibid.

34.

See Part VI.B., infra, for a more detailed discussion regarding cloud computing.

35.

Microsoft III, 2016 WL 3770056, *9.

36.

Ibid., *9–10.

37.

Ibid., *9 n. 3.

38.

Ibid., *11 (internal quotations and brackets omitted).

39.

“Microsoft explains network latency as ‘the principle of network architecture that the greater the geographical distance between a user and the datacenter where the user's data is stored, the slower the service.’” Microsoft III, 2016 WL 3770056, *2 n. 5.

40.

Ibid., *2.

41.

Ibid., *3.

42.

Day.

43.

Microsoft I, 15 F. Supp. 3d 468.

44.

Microsoft III, 2016 WL 3770056 *3.

45.

Ibid.

46.

Microsoft I, 15 F. Supp. 3d 467 (emphasis added).

47.

Ibid., 468.

48.

Ibid., 470.

49.

Ibid.

50.

Ibid.

51.

Ibid.

52.

Ibid.

53.

Ibid.

54.

Ibid., (citing, inter alia, In re Search of Yahoo, Inc., No. 07–3194, 2007 WL 1539971, at *5 [D. Ariz. May 21, 2007] [finding that “the phrase ‘using the procedures described in’ the Federal Rules remains ambiguous”]).

55.

Ibid., 471.

56.

Ibid.

57.

Ibid.

58.

Ibid.

59.

Ibid. 472 (emphasis added. Citing Marc Rich & Co., A.G. v. United States, 707 F.2d 663, 667 [2d Cir.1983]).

60.

Ibid. (quoting Kerr, Searches and Seizures). It should be noted, however, that Professor Kerr later changed his perspective on this issue. See Kerr, Fourth Amendment (rejecting his earlier views about whether copying data constituted a seizure for purposes of the Fourth Amendment).

61.

Microsoft I, 15 F. Supp. 3d 472.

62.

Ibid. 474.

63.

ISPs did not exist in 1986. The first ISP, “The World,” began offering dial-up Internet service to customers in 1989. See 10 Early ISP's and What Has Become of Them.

64.

The Patriot Act of 2001 is formally entitled the “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001.” Microsoft I, 15 F. Supp. 3d 474.

65.

Ibid. (quoting H.R. Rep. 99–647, 32–33 [1986]).

66.

Ibid., 473.

67.

Ibid. (citing Stowe v. Devoy, 588 F.2d 336, 340–41 [2d Cir.1978]).

68.

Ibid. As an aside, it is worth pointing out that Magistrate Judge Francis's interpretation of Stowe's significance is open to debate, as Stowe seemingly speaks directly to the reach of government authority under the Wiretap Act. There, Canadian officials, acting pursuant to Canadian law, obtained authorization to intercept telephone communications of Roger Stowe (“Stowe”), a Canadian citizen. While Stowe was in New York, Canadian officials––by means of a wiretap installed in Canada––intercepted Stowe's communications, which revealed that he planned on smuggling hashish from the United States into Canada. Sometime thereafter, Stowe was arrested by New York law enforcement on separate drug smuggling charges. At Canada's request, an extradition hearing was subsequently held in New York, during which the wiretap communications obtained by Canadian officials were introduced into evidence. After Stowe was certified as extraditable, he filed an appeal with the Second Circuit, arguing that because the Canadian surveillance would have violated the Wiretap Act it should have been excluded at his extradition hearing. The court, however, found Stowe's reliance on the Wiretap Act to be “misplaced,” explaining that “[u]nless a contrary intent appears, federal statutes apply only within the territorial jurisdiction of the United States.” Thus, because the Wiretap Act “ha[d] no application outside of the United States,” coupled with the fact that “Canadian authorities … scrupulously follow[ed] their own prescribed procedures,” Stowe's claim was without merit. Notably, the court makes no reference to Stowe's “individual rights” under the Wiretap Act; instead, the court held, quite clearly, that the Wiretap Act had no force outside of the United States. See Stowe, 588 F.2d 336, 340–42.

69.

Microsoft I, 15 F. Supp. 3d 473 (emphasis added).

70.

Ibid., 474.

71.

Ibid., 473 (quoting H.R. Rep. 107–236(I), 58 [2001]).

72.

Ibid., 473–74 (quoting H.R. Rep. 107–236(I), 58 [2001]).

73.

Ibid.

74.

Ibid., 474.

75.

Ibid.

76.

Ibid.

77.

Ibid.

78.

Ibid. (quoting Kerr, The Next Generation). Ireland, though, has never refused an MLAT request from the United States. See Lillington.

79.

Ibid.

80.

Ibid., 475.

81.

Ibid. (quoting Morrison v. National Australia Bank Ltd., 130 S.Ct. 2869, 2878 [2010]).

82.

Ibid.

83.

See, for example, United States v. Odeh, 552 F.3d 157 (2d Cir. 2008); United States v. Verdugo–Urquidez, 110 S.Ct. 1056 (1990); In re Warrant to Search a Target Computer at Premises Unknown, 958 F.Supp.2d 753 (S.D. Tex. 2013).

84.

Microsoft I, 15 F. Supp. 3d 476.

85.

Ibid., 475.

86.

Ibid., 477.

87.

Microsoft II, 2014 WL 4629624, *1.

88.

Ibid.

89.

Battey.

90.

Ibid.

91.

Microsoft III, 2016 WL 3770056, *8.

92.

Ibid., *9.

93.

Ibid., *8.

94.

Ibid., *19.

95.

Ibid., *9 (quoting Morrison, 561 U.S. 255).

96.

Ibid., *8.

97.

Ibid., *9.

98.

Ibid., *9 n. 19.

99.

Ibid., *12.

100.

Ibid., *13.

101.

Ibid.

102.

Ibid., *11–12 (internal citation omitted).

103.

Ibid., *7, 12.

104.

Ibid., *12.

105.

Ibid.

106.

Ibid., *10 (quoting Morrison, 561 U.S. 255).

107.

Ibid.

108.

Ibid. (internal quotations omitted).

109.

Ibid., *13.

110.

Ibid., *11–12.

111.

Ibid., *12.

112.

Ibid., *14.

113.

Ibid.

114.

Here, it is curious that the court makes no reference to the target suspect, and specifically whether knowledge of the suspect's citizenship would have had any bearing on the “domestic contacts” involved in the case.

115.

Ibid.

116.

Ibid., *15.

117.

Ibid. Emphasis added.

118.

Ibid., *16.

119.

Ibid. (quoting, inter alia, S. Rep. No. 99–541, at 3 (“With the advent of computerized recordkeeping systems, Americans have lost the ability to lock away a great deal of personal and business information.”); H.R. Rep. No. 99–647, at 19 (1986) (“[M]ost important, if Congress does not act to protect the privacy of our citizens, we may see the gradual erosion of a precious right”).

120.

Ibid., *17.

121.

Ibid.

122.

Ibid.

123.

Ibid., *18.

124.

Ibid., *19.

125.

Ibid.

126.

Ibid., *20–21.

127.

Ibid., *21.

128.

Ibid.

129.

Ibid.

130.

Ibid.

131.

Ibid., *20.

132.

Ibid. Emphasis in original.

133.

Ibid., *20 n. 2.

134.

Ibid., *27.

135.

Ibid., *24.

136.

Ibid., *24–25.

137.

Ibid., *25.

138.

Ibid., *25 n. 7.

139.

Ibid., *26.

140.

Ibid.

141.

Fisher.

142.

Solove.

143.

Fein.

144.

Daskal, “Three Key Takeaways.”

145.

Barrett.

146.

Harkness and Jaffee.

147.

Svantesson and Gerry.

148.

Kattan; Woods, “Against Data Exceptionalism.”

149.

Woods, supra note 148, 740.

150.

Kattan, supra note 148, 619.

151.

Mell and Grance.

152.

Kattan, supra note 148, 622 (internal quotations omitted).

153.

Interview with Kenneth Henry, Cloud Data Services Specialist, IBM (September 2, 2016).

154.

When I asked a good friend of mine—a gainfully employed millennial who uses modern technology regularly—how he would define cloud computing, his response was, “A bunch of 1s and 0s in the sky?”

155.

Schwartz, “Information Privacy in the Cloud.”

156.

Ibid., 1633.

157.

As information privacy expert Paul Schwartz explained, “[p]ublic clouds are based on three different service models:” Software as a service (SaaS), Platform as a service (PaaS), and Infrastructure as a service (IaaS). Web-based e-mail is an example of SaaS; in SaaS, consumers access a provider's cloud applications “through a client interface,” such as MSN.com. Ibid., 1629.

158.

Microsoft III, 2016 WL 3770056 *2. Organizations can deploy a cloud in at least two ways: (1) as a private cloud, that is, “implemented within an organization using that organization's infrastructure,” or (2) as a public cloud, that is, “an advertiser-supported or fee-based service offered over the Internet.” See Marti.

159.

Schwartz, supra note 155, 1629.

160.

Starr.

161.

Apollo 11 was the aircraft that carried the first men to the moon. See Rocket Evolution.

162.

Botta et al. The Internet of Things is defined as an “ecosystem in which digitally networked physical devices talk to each other [and] register their geopositions in real time.” Wassom.

163.

Marca; Solove, supra note 142.

164.

Schultheis.

165.

Brief of Ireland.

166.

Solove, supra note 142.

167.

O'Dwyer.

168.

Brief for Appellant 3, Microsoft III, No. 14-2985 (2d Cir. 2015), available at http://digitalconstitution.com/wp-content/uploads/2014/12/Microsoft-Opening-Brief-120820141.pdf.

169.

Heuvel and Cohen.

170.

Farrell.

171.

Battey, supra note 89, 282–83 (quoting Treaty of Lisbon Amending the Charter on Fundamental Rights of the European Union art. 8(1), (2), Mar. 30, 2010, 2010 O.J. (C 83) 389).

172.

Ibid., 286.

173.

Court of Justice of the European Union, Press Release No. 117/15 (October 6, 2015).

174.

O'Dwyer, supra note 167.

175.

Microsoft ‘Must Release’ Data Held on Dublin Server, BBC (Apr. 29, 2014), http://www.bbc.com/news/technology-27191500.

176.

Ibid.

177.

Goldstein et al.

178.

Ibid. 18.

179.

Solove, supra note 142; Joseph Marks, Can the US demand emails stored in Ireland?, Politico EU (Sept. 8, 2015, 1:52 PM), http://www.politico.eu/article/can-us-demand-emails-stored-in-ireland-cloud-congress-technology-courts-servers-internet-security/.

180.

Greenwald and MacAskill.

181.

Brief of Verizon Communications Inc., as Amicus Curiae Supporting Appellants at 10, Microsoft III, No. 14-2985-cv (2d Cir. 2015). Snowden revealed that Verizon had been giving the NSA information on all foreign and domestic telephone calls in its systems on an “ongoing, daily basis.” See Greenwald.

182.

Battey, supra note 89, 287.

183.

Marks, supra note 179.

184.

Ibid.

185.

Solove, supra note 142.

186.

Reforming the Electronic Communications Privacy Act.

187.

For example, US firms operate “9 out of the 10 most popular websites in India, 7 out of 10 in Brazil, 9 out of 10 in the United Kingdom, and 7 out of 10 in Germany.” Woods, supra note 148, at 741.

188.

Schultheis, supra note 164, 688.

189.

Ibid.

190.

Microsoft III, 2016 WL 3770056 at *19.

191.

Smith.

192.

Solove, supra note 142.

193.

Schultheis, supra note 164, 689.

194.

Ibid.

195.

Hatch.

196.

Chander and Lê.

197.

Ibid.

198.

Farrell, supra note 170, 2.

199.

Chander & Lê, supra note 196, 713.

200.

Daley et al.

201.

Ibid.

202.

Woods, supra note 148, 752.

203.

Sargsyan.

204.

Woods, “Reactions to the Microsoft Warrant Case.”

205.

Chander and Lê, supra note 196, 713.

206.

Shah.

207.

Chander and Lê, supra note 196, at 719.

208.

Ibid.

209.

Ibid.

210.

Ibid.

211.

Metadata is often defined as “data about data.” In the ISP context, metadata includes, among other things, Internet protocol (IP) addresses, e-mail addresses, things we “like” on the Internet, and user location. Aggregating and analyzing metadata allows companies to compile detailed profiles vis-à-vis individuals' Internet behavior. See generally Schneier.

212.

Klein.

213.

Sargsyan, supra note 204, 2221.

214.

Microsoft III 2016 WL 3770056 at *11 (emphasis added).

215.

Sargsyan, supra note 204, 2223.

216.

See “Breaking Down Apple's iPhone Fight With the U.S. Government.”

217.

Ibid.

218.

Ibid.

219.

Specifically, Apple was asked to “create a custom software solution that could be installed in the … phone despite its locked status, with the aim of (i) shutting down the auto-delete feature noted above and (ii) enabling the brute-force solution to be implemented electronically (and thus at high speed) rather than manually.” See Chesney.

220.

Pettersson.

221.

Yadron, “San Bernardino iPhone.”

222.

Yadron, “FBI confirms it won't tell Apple.”

223.

Sargsyan, supra note 204, 2229.

224.

See Universal City Studios, Inc. v. Corley, 273 F.3d 429, 449 (2d Cir. 2001) (“[W]e join the other courts that have concluded that computer code, and computer programs constructed from code can merit First Amendment protection.”) (collecting cases). See also Zetter.

225.

Sargsyan, supra note 204, 2226 (citing Chinese efforts to implement data localization efforts following the Snowden surveillance scandal).

226.

Ibid., 2229.

227.

Botta, supra note 162, 23.

228.

Ibid., 24.

229.

Ibid.

230.

Chander and Lê, supra note 196, 729.

231.

Woods, supra note 148, 745.

232.

Shah, supra note 206, 550.

233.

Woods, supra note 148, 749.

234.

Daskal, “The Un-Territoriality of Data.”

235.

Ibid., 366–67.

236.

Ibid., 367.

237.

Woods, “Reactions to the Microsoft Warrant Case.”

238.

Daskal, supra note 229, 367.

239.

Barrett and Greene.

240.

Schwartz, “Microsoft, Ireland and a Level.”

241.

In re Search Warrant No. 16–960–M–01 to Google, No. 16-1061-M, 2017 WL 471564 (E.D. Pa. Feb. 3, 2017) [hereinafter “In re Google Search Warrant”].

242.

Ibid., at *11 n. 17.

243.

Ibid., at *12-14.

244.

Ibid., *14.

245.

Clopton.

246.

Ibid.

247.

Ibid.

248.

Arnbak and Goldberg.

249.

Clopton, supra note 245, 57.

250.

Arnbak and Goldberg, supra note 248, 323.

251.

Ibid., 346.

252.

Ibid., 347.

253.

See Timm.

254.

Kurzweil, “How My Predictions.”

255.

Kurzweil, “The Law of Accelerating Returns.”

256.

Schwartz, supra note 240.

257.

To wit, the following statements were set forth in the Senate Report at the time ECPA was enacted: “It does not make sense that a phone call transmitted via common carrier is protected by the current federal wiretap statute, while the same phone call transmitted via a private telephone network such as those used by many major U.S. corporations today, would not be covered by the statute … The Committee also recognizes that computers are used extensively today for the storage and processing of information. With the advent of computerized recordkeeping systems, Americans have lost the ability to lock away a great deal of personal and business information.” S. REP. 99-541, 2, 1986 U.S.C.C.A.N. 3555, 3556, emphasis added.

258.

United States v. Jones, 565 U.S. 400, 404 (2012).

259.

Justice Alito, in his dissenting opinion, specifically addressed this issue, stating: “Ironically, the Court has chosen to decide this case based on 18th-century tort law. By attaching a small GPS device to the underside of the vehicle that respondent drove, the law enforcement officers in this case engaged in conduct that might have provided grounds in for a suit for trespass to chattels … I would analyze the question presented in this case by asking whether respondent's reasonable expectations of privacy were violated by the long-term monitoring of the movements of the vehicle he drove.” Ibid., 418–19 (J. Alito, dissenting).

260.

Thompson and Cole.

261.

Raul and Akowuah.

262.

Ibid.

263.

Ibid.

264.

Warshak, 631 F.3d 274.

Bibliography

“10 Early ISP's and What Has Become of Them.” Internet Service Provider Organization, March 7, 2011. http://www.internetserviceproviders.org/blog/2011/10-early-isps-and-what-has-become-of-them/.
“Breaking Down Apple's iPhone Fight With the U.S. Government.” New York Times, March 21, 2016. http://www.nytimes.com/interactive/2016/03/03/technology/apple-iphone-fbi-fight-explained.html?_r=0.
“Hatch, Coons, Heller Introduce Bipartisan International Communications Privacy Act.” Orrin Hatch for Senate, May 25, 2016. http://www.hatch.senate.gov/public/index.cfm/2016/5/hatch-coons-heller-introduce-bipartisan-international-communications-privacy-act.
“Microsoft ‘Must Release’ Data Held on Dublin Server.” BBC, April 29, 2014. http://www.bbc.com/news/technology-27191500.
18 U.S.C. §§ 2510–2712.
Arnbak, Axel, and Sharon Goldberg. “Loopholes for Circumventing the Constitution: Unrestrained Bulk Surveillance on Americans by Collecting Network Traffic Abroad.” Michigan Telecommunications and Technology Law Review 21 (2015): 317, 333.
Barrett, Devlin. “Microsoft Wins Appeals Ruling on Data Searches.” The Wall Street Journal, July 14, 2016. http://www.wsj.com/articles/microsoft-wins-appeals-ruling-on-data-searches-1468511551.
Barrett, Devlin, and Jay Greene. “U.S. to Allow Foreigners to Serve Warrants on U.S. Internet Firms.” The Wall Street Journal, July 15, 2016. http://www.wsj.com/articles/obama-administration-negotiating-international-data-sharing-agreements-1468619305.
Battey, Alexander D., Jr., “A Step in the Wrong Direction: The Case for Restraining the Extraterritorial Application of the Stored Communications Act.” Rutgers Computer & Technology Law Journal 42 (2016): 262, 276.
Botta, Alessio, et al., “On the Integration of Cloud Computing and Internet of Things.” 2014 International Conference on Future Internet of Things and Cloud 23, 2014.
Brief of Ireland, as Amicus Curiae Supporting Appellants at 4, Microsoft III, No. 14–2985-cv (2d Cir. 2015); See also Microsoft ‘Must Release’ Data Held On Dublin Server, BBC (Apr. 29, 2014), http://www.bbc.com/news/technology-27191500.
Brief of Verizon Communications Inc., as Amicus Curiae Supporting Appellants at 10, Microsoft III, No. 14–2985-cv (2d Cir. 2015).
Chander, Anupam, and Uyên P. Lê. “Data Nationalism.” Emory Law Journal 64 (2015): 677, 680.
Chesney, Robert. “Apple vs FBI: The Going Dark Dispute Moves from Congress to the Courtroom.” Lawfare,
February
17
, 2016. https://lawfareblog.com/apple-vs-fbi-going-dark-dispute-moves-congress–courtroom.
Clopton, Zachary D. “Territoriality, Technology, and National Security.” University of Chicago Law Review 83 (2016): 45, 56.
Court of Justice of the European Union
, Press Release No. 117/15 (
Oct
.
6
, 2015).
Daskal, Jennifer. “The Un-Territoriality of Data.” Yale Law Journal 125 (2015): 326, 366.
Daskal, Jennifer. “Three Key Takeaways: The 2d Circuit Ruling in the Microsoft Warrant Case.” Just Security,
July
14
, 2016. https://www.justsecurity.org/32041/key-takeaways-2d-circuit-ruling-microsoft-warrant-case/.
Day, Matt. “Microsoft's Rivals Become its Allies in Overseas Email Warrant Case.” Seattle Times,
December
13
, 2014. http://www.seattletimes.com/business/microsofts-rivals-become-itsallies-in-overseas-email-warrant-case/.
Dombrow, Jennifer C. “Electronic Communications and the Law: Help or Hindrance to Telecommuting?” Federal Communications Law Journal 50 (1998): 685, 696.
Farrell, Henry. “Microsoft Just Won a Big Privacy Fight with the Government. Here's What That Means.” Washington Post,
July
15
, 2016.
Fein, Bruce. “Microsoft and Surveillance: A Refreshing Ruling for the Right to Be Let Alone.” Washington Times,
July
18
, 2016. http://www.washingtontimes.com/news/2016/jul/18/microsoft-and-surveillance-refreshing-ruling-right/.
Fisher, Felicity. “Victory for Digital Privacy in Microsoft Warrant Case: US Court Confirms that US Data Warrants Do Not Apply Overseas.” Fieldfisher,
July
18
, 2016. http://privacylawblog.fieldfisher.com/2016/victory-for-digital-privacy-in-microsoft-warrant-case-us-court-confirms-that-us-data-warrants-do-not-apply-overseas/.
Fishman, Clifford S, and Anne T. McKenna, Wiretapping and Eavesdropping: Surveillance in the Internet Age, 3rd ed. § 25:4, 2012.
Goldstein, Doron S., et al. “Understanding the Eu-Us ‘Privacy Shield’ Data Transfer Framework.” Journal of Internet Law 20, no. 1 (2016): 17.
Greenwald, Glenn and Ewen MacAskill. “NSA Prism Programs Taps in to User Data of Apple, Google and Others.” The Guardian,
June
6
, 2013, 15.23 EDT. https://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa–data.
Greenwald, Glenn. “NSA Collecting Phone Records of Millions of Verizon Customers Daily.” The Guardian,
June
6
, 2013, 6.05 EDT. https://www.theguardian.com/world/2013/jun/06/nsa-phone-records-verizon-court–order.
H.R. Rep
. 99–647 (1986).
Harkness, Timothy P., and Peter Jaffee. “Microsoft v. United States: Court's “Privacy” Ruling Is Not Really About Privacy at All.” Lexology,
August
5
, 2016. http://www.lexology.com/library/detail.aspx?g=dd242259–8b4b-4c07-9eac–28c90920b51d.
Heuvel, Katrina vanden, and Stephen F. Cohen. “Edward Snowden: A ‘Nation’ Interview.” The Nation,
October
28
, 2014. http://www.thenation.com/article/186129/snowden-exile-exclusive–interview.
In re Premises Located at 840 140th Ave. NE., Bellevue, Wash., 634 F.3d 557, 564 (9th Cir. 2011).
In re Search of Yahoo, Inc., No. 07–3194, 2007 WL 1539971, at *5 (D. Ariz.
May
21
, 2007).
In re Search Warrant No. 16–960–M–01 to Google, No. 16–1061-M, 2017 WL 471564 (E.D. Pa.
Feb
.
3
, 2017).
In re Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., 15 F. Supp. 3d 466, 467 (S.D.N.Y. 2014), rev,d and remanded sub nom. Matter of Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., No. 14–2985, 2016 WL 3770056 (2d Cir.
July
14
, 2016).
In re Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., No. 13-MJ-2814, 2014 WL 4629624, *1 (S.D.N.Y.
Aug
.
29
, 2014).
In re Warrant to Search a Target Computer at Premises Unknown, 958 F.Supp.2d 753 (S.D. Tex. 2013).
James Daley, M, Jason Priebe, and Patrick Zeller. “The Impact of Emerging Asia-Pacific Data Protection and Data Residency Requirements on Transnational Information Governance and Cross-Border Discovery.” Sedona Conference Journal 16 (2015): 201, 203.
Kattan, Ilana R. “Cloudy Privacy Protections: Why the Stored Communications Act Fails to Protect the Privacy of Communications Stored in the Cloud.” Vanderbilt Journal Entertainment & Technology Law 13 (2011): 617, 619.
Kerr, Orin S. “Fourth Amendment Seizures of Computer Data.” Yale Law Journal 119 (2010): 700, 704.
Kerr, Orin S. “Searches and Seizures in a Digital World.” Harvard Law Review 119 (2005): 531, 551.
Kerr, Orin S. “The Next Generation Communications Privacy Act.” University of Pennsylvania Law Review 162 (2014): 373, 409.
Kris, David. “U.S. Government Presents Draft Legislation for Cross-Border Data Requests.” Lawfare,
July
16
, 2016. https://www.lawfareblog.com/us-government-presents-draft-legislation-cross-border-data–requests.
Kurzweil, Ray. “How My Predictions Are Fairing.” Kurzweil Accelerating Intelligence,
October
1
, 2010.
Kurzweil, Ray. “The Law of Accelerating Returns.” Kurzweil Accelerating Intelligence,
March
7
, 2001.
La Marca, Lindsay. “I Got 99 Problems and A Warrant Is One: How Current Interpretations of the Stored Communications Act Offend International Comity.” Hofstra Law Review 44 (2016): 971, 992–93.
Lillington, Karlin. “Data Case Has Huge Implications for Personal Privacy.” The Irish Times,
January
14
, 2016. http://www.irishtimes.com/business/technology/data-case-has-huge-implications-for-personal-privacy-1.2495493.
Marc Rich & Co., A.G. v. United States, 707 F.2d 663, 667 (2d Cir.1983).
Marks, Joesph. “Can the US demand emails stored in Ireland?” Politico EU,
September
8
, 2015, 1:52 PM. http://www.politico.eu/article/can-us-demand-emails-stored-in-ireland-cloud-congress-technology-courts-servers-internet-security/.
Martin, Timothy D. “Hey! You! Get Off of My Cloud: Defining and Protecting the Metes and Bounds of Privacy, Security, and Property in Cloud Computing.” Journal of the Patent & Trademark Office Society 92 (2010): 283, 287.
Matter of Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., No. 14–2985, 2016 WL 3770056, *8 (2d Cir.
July
14
, 2016).
Mell, Peter and Timothy Grance. National Institute of Standards & Technology, U.S. Department of Commerce, Special Pub. 800–145, The NIST Definition of Cloud Computing 2 (2011). http://csrc.nist.gov/publications/nistpubs/800–145/SP800–145.pdf.
Morrison v. National Australia Bank Ltd., 130 S.Ct. 2869, 2878 (2010).
O'Dwyer, Davin. “Ireland's Data Centre Boom Set to Continue.” The Irish Times,
March
5
, 2015. Accessed April 30, 2017. http://www.irishtimes.com/business/technology/ireland-s-data-centre-boom-set-to-continue-1.2126081.
Peppet, Scott R. “Regulating the Internet of Things: First Steps Toward Managing Discrimination, Privacy, Security, and Consent.” Texas Law Review 93 (2014): 85, 89.
Pettersson, Edvard. “Apple Slams U.S. Bid to Make It Crack iPhone in Court Papers.” Bloomberg Politics,
February
25
, 2016. https://www.bloomberg.com/politics/articles/2016–02-25/apple-says-u-s-can-t-force-it-to-unlock-terrorist-s-iphone–il2pjiw8.
Raul, Alan C, and Kwaku A. Akowuah. “Second Circuit Microsoft Ruling: A Please for Congressional Action.” Lexology.
August
8
, 2016. http://www.lexology.com/library/detail.aspx?g=13a9070c-3512–4443-ab26–4254babcfc34.
Reforming the Electronic Communications Privacy Act, Hearing Before the S. Comm. on the Judiciary, (Testimony of Victoria Espinel, President and CEO, bsa | The Software Alliance).
Rogan, Aaron. “US Sues Microsoft for Silk Road Suspect's Email.” The Sunday Times,
June
22
, 2016, 12:01am. Accessed April 30, 2017. http://www.thetimes.co.uk/article/us-sues-microsoft-for-silk-road-suspects-email–snq0tlqj0.
S. REP. 99–541, 2, 1986 U.S.C.C.A.N. 3555, 3556.
Sargsyan, Tatevik. “Data Localization and the Role of Infrastructure for Surveillance, Privacy, and Security.” International Journal of Communication 10 (2016): 2221.
Schlabach, Gabriel R. “Privacy in the Cloud: The Mosaic Theory and the Stored Communications Act.” Stanford Law Review 67 (2015): 677, 691.
Schneier, Bruce. “NSA Doesn't Need to Spy on Your Calls to Learn Your Secrets.” Wired,
March
25
, 2015. Accessed April 30, 2017. https://www.wired.com/2015/03/data-and-goliath-nsa-metadata-spying-your-secrets/#article–comments.
Schultheis, Ned. “Warrants in the Clouds: How Extraterritorial Application of the Stored Communications Act Threatens the United States' Cloud Storage Industry.” Brooklyn Journal of Corporate Financial & Commerical Law 9 (2015): 661, 680.
Schwartz, Paul M. “Information Privacy in the Cloud.” University of Pennsylvania Law Review 161 (2013): 1623, 1626–27.
Schwartz, Paul. “Microsoft, Ireland and a Level Playing Field for U.S. Cloud Companies.” Bloomberg BNA,
August
3
, 2016. http://www.bna.com/microsoft-ireland-level-n73014445770/.
Shah, Reema. “Law Enforcement and Data Privacy: A Forward-Looking Approach.” Yale Law Journal 125 (2015): 543, 549.
Smith, Brad. “Our Search Warrant Case: An Important Decision for People Everywhere.” Microsoft,
July
14
, 2016. http://blogs.microsoft.com/on-the-issues/2016/07/14/search-warrant-case-important-decision-people-everywhere/#sm.01xruge41cvjeu4115n2jd95fb7t5.
Solove, Daniel. “Microsoft Just Won a Big Victory Against Government Surveillance—Why It Matters.” LinkedIn,
July
15
, 2016. Accessed April 30, 2017. https://www.linkedin.com/pulse/microsoft-just-won-big-victory-against-government-why-daniel–solove.
Starr, Matthew. “CompTIA Signs on to Letter Supporting International Communications Privacy Act (ICPA).” CompTIA,
July
14
, 2016. https://www.comptia.org/about-us/newsroom/blog/comptia-blog/2016/07/14/comptia-signs-on-to-letter-supporting-international-communications-privacy-act-(icpa).
Stowe v. Devoy, 588 F.2d 336, 340–41 (2d Cir.1978).
Svantesson, Dan, and Felicity Gerry. “Access to Extraterritorial Evidence: The Microsoft Cloud Case and Beyond.” Computer Law & Security Review 31 (2015): 478.
Thompson, Richard M, and Jared P. Cole. Congressional Research Service, R44036, Stored Communications Act: Reform of the Electronic Communications Privacy Act (ECPA) (2015).
Timm, Jane C. “Snowden's Guide to How the NSA Sees Your Sexts.” MSNBC,
April
6
, 2015. http://www.msnbc.com/msnbc/edward-snowden-guide-how-the-nsa-sees-your–sexts.
Treaty Between the Government of the United States of America and the Government of Ireland on Mutual Legal Assistance in Criminal Matters, U.S.-Ire.,
Jan
.
18
, 2001, T.1.A.S. 13137 [hereinafter Ireland-U.S. MLAT].
United States v. Jones, 565 U.S. 400, 404 (2012).
United States v. Miller, 425 U.S. 435 (1976).
United States v. Odeh, 552 F.3d 157 (2d Cir. 2008).
United States v. Verdugo–Urquidez, 110 S.Ct. 1056 (1990).
Wassom, Brian. Augmented Reality Law, Privacy, and Ethics: Law, Society, and Emerging AR Technologies. Vol. 31, Waltham, MA: Syngress, 2014.
Woods, Andrew K. “Reactions to the Microsoft Warrant Case.” Lawfare,
July
15
, 2016. Accessed April 30, 2017. https://www.lawfareblog.com/reactions-microsoft-warrant–case.
Woods, Andrew K. “Against Data Exceptionalism.” Stanford Law Review 68 (2016): 729, 739.
Yadron, Danny. “FBI Confirms it won't Tell Apple How it Hacked San Bernardino Shooter's iPhone.” The Guardian,
April
28
, 2016. https://www.theguardian.com/technology/2016/apr/27/fbi-apple-iphone-secret-hack-san–bernardino.
Yadron, Danny. “San Bernardino iPhone: US Ends Apple Case After Accessing Data Without Assistance.” The Guardian,
March
29
, 2016. https://www.theguardian.com/technology/2016/mar/28/apple-fbi-case-dropped-san-bernardino–iphone.
Zetter, Kim. “Apple May Use a First Amendment Defense in that FBI Case, and it Just Might Work.” Wired,
February
25
, 2016. https://www.wired.com/2016/02/apple-may-use-first-amendment-defense-fbi-case-just-might-work/.
This is an open-access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.