Microsoft’s defiant stance against the US Justice Department’s attempts to get access to data stored on a server in Ireland notched up a significant victory yesterday, but the battle could now move on to the Supreme Court.
The case hinges on a drug trafficking investigation by the US authorities which resulted in a demand to have access to emails that were stored on a server in Ireland.
Microsoft rejected the demand, arguing that it set a precedent that would allow US intelligence agencies to demand access to data hosted outside of their territorial remit, with the resultant likely negative ramifications for global business in a post-Snowden, privacy-sensitive world.
A New York federal judge held Microsoft in contempt of court, but yesterday, only days after Microsoft’s Chief Legal Officer Brad Smith pledged the firm to keep on fighting, three judges at the Second District Court of Apeals came down against the Justice Department.
Their ruling finds that search warrants do have territorial limitations and that:
The Stored Communications Act does not authorize courts to issue and enforce against US-based service providers warrants for the seizure of customer email content that is stored exclusively on foreign servers.
Because Microsoft has complied with the warrant’s domestic directives and resisted only its extraterritorial aspects, we reverse the District Court’s denial of Microsoft’s motion to quash, vacate its finding of civil contempt and remand the cause with instructions to the District Court to quash the warrant insofar as it directs Microsoft to collect, import, and produce to the government customer content stored outside the United States.
Privacy campaigners were delighted with the decision, with the Electronic Frontier Foundation stating its was “groundbreaking” in its reach:
In our amicus brief supporting Microsoft in this case, we urged the court to reject the government's argument that the search warrant it obtained for email contents was like a subpoena that would require Microsoft to turn over information, regardless of where it was stored. The court recognized the vital privacy protections under the SCA [Stored Communications Act], and correctly ruled that the government can't use a US search warrant to force Internet service providers to reach email stored outside the US.
This seems unlikely to be the end of the matter however. A Justice Department statement suggests that the next move could be to appeal to the Supreme Court:
We are disappointed with the court’s decision and are considering our options.
Another option is that the Justice Department will ask Congress to bring about necessary legislative changes to address data sharing practices and obligations among law enforcement agencies, basing the request on national security grounds. That course of action will be heavily dependent on the outcome of the US Presidential Election, but a Justice Department spokesman said:
Lawfully accessing information stored by American providers outside the United States quickly enough to act on evolving criminal or national security threats that impact public safety is crucial to fulfilling our mission to protect citizens and obtain justice for victims of crime.
While siding with Microsoft, the Appeal Court did argue that the law is out of date, with US Circuit Judge Susan Carney writing in an opinion:
When, in 1986, Congress passed the Stored Communications Act as part of the broader Electronic Communications Privacy Act, its aim was to protect user privacy in the context of new technology that required a user's interaction with a service provider. Neither explicitly nor implicitly does the statute envision the application of its warrant provisions overseas. Three decades ago, international boundaries were not so routinely crossed as they are today, when service providers rely on worldwide networks of hardware to satisfy users' 21st-century demands for access and speed and their related, evolving expectations of privacy.
Actually Microsoft itself would back an updating of existing legislation. Smith told the Irish Times newspaper that the ruling makes clear the need for change:
It makes it more important for the US government to modernise the law. We’ve been encouraging Congress to pass a new law. We have been encouraging new bilateral treaty negotiations. We’ve always said that the law can’t stand still, it does need to move forward. And now we hope that we can work with the US government to do that but in a way that’s also more sensitive to the needs of people across Europe.
In a separate opinion, another of the Appeal Court judges, U.S. Circuit Judge Gerard Lynch, argued that this case was not in fact about privacy at all, but about the long arm of the US law, a viewpoint that may yet come to shape the debate:
I do not believe that that is a fair characterization of the stakes in this dispute. To uphold the warrant here would not undermine basic values of privacy as defined in the Fourth Amendment and in the libertarian traditions of this country…the dispute here is not about privacy, but rather about the international reach of American law.
The other winner yesterday was the Irish government, which has been highly active in wooing US cloud services companies to set up in the Republic of Ireland. Had the Justice Department won the day and extended its reach to Ireland, that would have been a tick against setting up shop there. The Irish government had filed an amicus brief supporting Microsoft’s position.
Sometimes the law is an ass; sometimes it’s very smart.
Yesterday it was smart.
But I don’t believe for a moment that this battle is over.
Onwards to the Supreme Court.