On February 27, 2018, the Supreme Court heard arguments in United States v. Microsoft Corp., a case that will decide whether a digital communications provider has to comply with a U.S. search warrant for user data that is stored outside of the U.S. U.S. v. Microsoft could have major consequences for digital privacy and international data sharing, especially for the cloud-computing industry.
This dispute began in 2013 when U.S. prosecutors served Microsoft a warrant in Redmond, Washington, for emails and information associated with an account involved in a criminal investigation. Microsoft turned over the data that was stored on American servers, but it refused to give the actual content of the emails because they were stored at a data center in Ireland.
The Justice Department maintains a U.S. warrant is sufficient to obtain the content of the emails; no need to trouble Ireland. The warrant is valid because Microsoft could obtain the data from the U.S. In other words, the government claims that copying or moving the content of the emails that are stored in Ireland isn’t even a search and seizure—only directly giving the emails to the US government is.
Microsoft argues that data physically stored in another country falls outside of the DOJ’s jurisdiction, even if, as the DOJ claims, an employee in the U.S. is the one obtaining the data. While Microsoft admits that employees in the U.S. can access data stored in servers in another county, they claim that it’s not as simple as pressing a button. Further, Microsoft argues that Congress, not the courts, should decide the issue.
Other constituents have weighed in. Privacy advocates argue if the U.S. can use a U.S. warrant to seize data held in another country, other countries will in turn use their own laws to seize data stored in the U.S. As Microsoft has previously warned, this could put Americans’ emails (and other data) at risk of seizure by foreign governments.
The Trump administration has declared that if Microsoft wins, U.S. law enforcement will lose the ability to obtain evidence related to significant crimes, like terrorism and child pornography. The concern is that companies could move their data beyond the reach of U.S. authorities by simply storing it outside of the U.S. Some companies separate files into multiple pieces, which are then stored in different places, even different countries. The government argues that a Microsoft win might make it challenging to say, obtain both the emails and the corresponding photos in a child pornography case, if the two are stored in different countries.
In February, a bipartisan group of senators introduced the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which would allow cross-border data warrants for access to digital information, provided that the partner countries meet certain privacy and human rights standards. Microsoft, Facebook, Google, and Apple all support this legislation.
The CLOUD Act would clarify that a warrant issued under the Stored Communications Act does apply to data overseas, but at the same time it would allow companies like Microsoft to challenge warrants if they violate the laws of the country that the data is located in.
Justices Ruth Bader Ginsberg and Sonia Sotomayor focused on this, questioning the Justice Department as to why the court should rule on this case when Congress is considering passing the CLOUD Act rendering the issue moot.
Some civil liberties advocates are disappointed by the CLOUD Act and are similarly discouraged that companies like Microsoft are supporting it. For example, the Electronic Frontier Foundation (EFF) finds the CLOUD Act concerning because it seems to allow the U.S. government to compel a service provider to hand over data stored in another country, without having to follow that country’s rules. Also troubling to the EFF is that the bill would allow the US president to enter into an executive agreement with other countries to allow foreign governments to seize data hosted in the U.S., without following its privacy laws, provided that they were not targeting a U.S. person or a person located within the U.S.
As the dispute over access to digital data continues, it is time for companies to consider their data storage practices. Microsoft has already changed the way that it stores customers’ communications. Microsoft’s former policy was to store email content in the data farm closest to the customer’s self-declared country of residence at the time of creating the email. Now, Microsoft uses the customer’s most frequent location.