United States v. Microsoft Corp.

LII note: The U.S. Supreme Court has now decided United States v. Microsoft Corp. .

Issues 

When served with a warrant under the Stored Communications Act, is an email service provider obligated to disclose communication information that they control but store outside of the United States?

Oral argument: 
February 27, 2018

This case asks the Court to decide whether an email service provider must comply with a warrant issued pursuant to the Stored Communications Act to disclose communication information if they exercise control over the information but physically store it outside the United States. This case implicates the presumption against application of U.S. law outside of U.S. borders, as well as the true focus of section 2703 of the Stored Communications Act. The Government argues that the focus of the statute is “disclosure” and the relevant conduct occurs in the U.S., and therefore the information must be disclosed. Microsoft argues that the focus is “privacy” and the relevant conduct occurs outside the U.S., and therefore outside the reach of the statute. This decision could impact international cooperation and comity due to potential conflict-of-laws issues, as well as other nations’ willingness to do business with U.S.-based carriers.

Questions as Framed for the Court by the Parties 

Whether a United States provider of email services must comply with a probable-cause-based warrant issued under 18 U.S.C. § 2703 by making disclosure in the United States of electronic communications within that provider's control, even if the provider has decided to store that material abroad.

Facts 

Microsoft Corporation (“Microsoft”) is a United States corporation incorporated and headquartered in Washington state. Microsoft operates a web-based email service, known as “Outlook.com,” that allows customers to send and receive correspondence with other email accounts. Microsoft stores the contents of all users’ emails and certain information associated with each account—such as IP addresses, contact lists, and calendar entries—in a network of approximately one million servers located around the world. Microsoft generally stores every customer’s account information and content in a datacenter near that customer’s physical location. However, the customers’ locations are self-identified from a “drop-down” country code menu when customers create their account and are unverified. Based on each user’s country code, Microsoft’s system automatically determines the datacenter to which that account’s information storage is then migrated and transferred. Once the system completes the transfer, Microsoft deletes most information associated with the account, with three specific minor exceptions, from the corporation’s United States servers per company protocol. However, Microsoft is still able to collect all account data stored on any of its global servers through the use of a “database management program” that can be accessed from the company’s U.S. offices.

On December 4th, 2013, a Southern District of New York magistrate judge granted the United States’ (the “Government”) application for a warrant under section 2703 of the U.S. Stored Communications Act (“SCA”), codified at 18 U.S.C. § 2703, that was subsequently served on Microsoft. The warrant required Microsoft to disclose specific information stored in their servers related to a specific Outlook.com email account because the Government had established probable cause to believe the account was being used to further drug activity in the United States. Microsoft disclosed all requested information except for the contents of the emails because this information was located in a datacenter physically located in Dublin, Ireland. Microsoft argued that requiring a provider to disclose material stored abroad constitutes an unlawful extraterritorial application of § 2703. Microsoft consequently moved to quash the warrant with respect to this information, but the Court denied the motion, deciding that the SCA authorized the court to issue a warrant for “information that is stored on servers abroad” because Congress intended the Act’s warrant provisions to import obligations similar to those of a subpoena rather than a classic warrant. After the district court’s chief judge affirmed, Microsoft continued to withhold the information and the court held the company in civil contempt.

On appeal, the Court of Appeals for the Second Circuit reversed and vacated the finding of contempt after applying the two-step test for extraterritoriality outlined in Morrison v. National Australia Bank and concluding that the SCA does not explicitly or implicitly envision its warrant provisions applying overseas. . The Second Circuit focused on the SCA’s purpose of protecting the privacy of a user’s stored communications in finding that the SCA must be applied where the communication is stored, not where it will be handed over to the Government. Finally, the Second Circuit rejected the SCA warrant/subpoena comparison because, unlike in the case of a typical subpoena, the Government was not asking Microsoft for its own records, but for private information of which Microsoft is only a caretaker. The Government appealed, and the Supreme Court granted certiorari on October 16, 2017.

Analysis 

APPLICATION OF THE EXTRATERRITORIAL FRAMEWORK

The presumption against extraterritoriality means that “[a]bsent clearly expressed congressional intent to the contrary, federal laws will be construed to have only domestic application.” Courts have a two-step framework for determining for analyzing extraterritorial issues. First, a law applies extraterritorially if Congress clearly and explicitly states its intent that the law should apply extraterritorially. If such an intent does not exist and the statute does not apply extraterritorially, a court must determine whether the statute applies domestically. To answer this question, the Court determines the statute’s “focus”: if the conduct relevant to the statute’s “focus” occurs in the United States, even if other conduct occurs abroad, the statute has a domestic application and thus has a permissible extraterritorial effect.

The Government concedes that there was no explicit Congressional intent to permit the SCA to apply extraterritorially. The Government instead argues, under several theories, that the application of the SCA and § 2703 in this case is domestic and therefore immune to the presumption against extraterritoriality. First, the Government relies on Morrison v. National Australia Bank and RJR Nabisco, Inc. v. European Community in arguing that the test for extraterritoriality applies to specific provisions and not entire laws. The Government then pinpoints § 2703, which governs disclosure of electronic communications to domestic law enforcement, as the provision to be analyzed.

Microsoft disagrees with the Government’s provision-in-isolation approach, claiming it is contrary to standard statutory construction and the precedent the Government cites. Microsoft contends that not only does the SCA as a whole lack an explicit intention to be applied abroad, but also the language within the SCA itself precludes extraterritorial application. Microsoft argues that the warrant requirement in the SCA clearly prohibits its usage outside the U.S., as “a warrant is a dead letter outside the United States.” Microsoft also relies on local law enforcement’s ability to make use of the warrant provisions, contending that it is unlikely that Congress would intend to allow local police departments to seize materials located outside of the U.S. Microsoft also argues the lack of consideration or mention of foreign privacy laws show a purely domestic focus for any warrants issued.

DEFINING THE RELEVANT CONDUCT: WHAT IS A § 2703 WARRANT?

The Government argues that there is no search or seizure in complying with a warrant under § 2703. In making this argument, the Government contends that the § 2703 warrant more resembles a subpoena than a classic warrant. The Government argues that despite § 2703 using the word “warrant,” the term indicates the level of suspicion needed to search the records. The Government also points out that warrants generally apply to places and things, while § 2703 requires disclosures from people. Finally, the Government distinguishes normal warrants from § 2703 warrants by contrasting the different procedures for obtaining and executing them. If the Court accepts this hybrid-warrant classification, the Government argues, then the disclosure of records is neither a search nor seizure. Instead, the Government contends, as with regular subpoenas, it would be the mere production of business records when the emails are transferred to the U.S. Even should the Court reject this classification, the Government argues, the mere transfer of data already under Microsoft’s control still would not be considered a search or seizure. The Government does concede that a search would take place, but asserts that it would occur only in the United States once the data is given to law enforcement.

Microsoft argues that compliance with the warrant—which is not a subpoena—happens at the source of the data, or alternatively, that the Government’s claims that the data can be transferred without it being considered a search is misguided. First, Microsoft claims that the Government’s reliance on subpoena precedent is incorrect, as it would allow the SCA to facially apply extraterritorially even though the Government has already conceded that the SCA does not allow for extraterritorial enforcement on its face. Microsoft also points to statutory language, pointing out that other subsections deal with subpoenas and that the SCA explicitly excludes “contents of communications” from its definition of “records.” Second, Microsoft contends that should it be required to turn over the information, the compulsion to do so would make the action a search attributable to the government. Microsoft, relying on Kyllo v. United States, emphasizes that a search by the Government occurs at the site of the information, not where the officer is located. Third, Microsoft counters that any search or seizure would occur when copying the data, not only after it is disclosed or transferred. Microsoft produces several cases supporting their conclusion that the mere copying of electronic data is considered a seizure. In sum, Microsoft believes that the relevant conduct is a search or seizure required by warrant, which occurs at the site of the information.

DISCLOSURE AS THE "FOCUS" OF § 2703

The Government argues that the “focus” of the provision is disclosure—conduct that would occur in the United States—which would render the application of the law at issue domestic. In making that argument, the Government relies on several lower court opinions finding § 2703’s “focus” to be on conduct occurring in the United States. The Government also cites several subsections of § 2703, contending that regulations of “disclosure” appear dozens of times. The Government also argues that the legislative history of the SCA and § 2703 and its amendments support finding disclosure as the “focus” of the statute. Under this theory, the Government believes that the relative conduct would be the disclosure of the records, which occurs in the United States. The Government reminds the Court that under the framework, even if some conduct occurs outside the United States, so long as the “focus” of the law applies to domestic conduct, there is no issue of extraterritoriality.

Microsoft claims that even if considered in isolation, the “focus” of § 2703 cannot be disclosure, especially with regard to internationally-stored information. Microsoft also argues that legislative comments made in 1986—before the invention of the Internet—do not support the government’s expansive reading of the statute. Microsoft points to an amendment to the SCA, which changed the reach of warrants from “districts” to “within the United States” as evidence that disclosure of internationally stored data was not the “focus” of the statute. Even should the Court determine the “focus” of the subsection to be disclosure, Microsoft argues, because the relevant conduct is the compliance with the warrant (as discussed above), the law would still have impermissible extraterritorial effect.

PRIVACY AS THE "FOCUS" OF § 2703

Microsoft, on the other hand, argues that privacy is the “focus” of the SCA and § 2703. Microsoft relies on Morrison in defining “focus” as what “Congress intended to ‘regulate’ or ‘protect.’” Microsoft asserts that the goal of the SCA was to protect digital data from third parties and unauthorized government intrusion. Microsoft supports this conclusion by analyzing the combined effects of sections 2701, 2702, and 2703 as supporting efforts to limit access by hackers, service providers, and law enforcement. Microsoft argues that when looking at the three provisions together, it is clear that § 2703 protects data from law enforcement; its “focus” is not disclosure. Microsoft argues that the focus on privacy therefore means the relevant conduct occurs where the data is stored, which means that § 2703, with its lack of explicit extraterritorial jurisdiction, would apply to data stored only in the United States.

The Government counters that even should the Court find the “focus” of the statute to be privacy, requiring compliance with § 2703 would not be extraterritorial. The Government argues that in this situation, the relevant conduct is the breach of privacy when the information is given to law enforcement, which is an act that would occur in the United States. The Government supports this position by contending that the SCA protects privacy by preventing disclosure, not by limiting the duplication or transferring of data. The Government claims that because there would be no violation of the SCA until the data is disclosed in the United States, the law as applied in this case would be domestic.

Discussion 

UNDERMINING CONGRESSIONAL OBJECTIVES AND JUDICIAL OVERREACH

The Government argues that adopting Microsoft’s proposed scheme would undermine Congress’s objectives in enacting the SCA by creating administrability concerns, hampering domestic law enforcement, and harming counterterrorism efforts. A group of thirty-five U.S. States along with the Commonwealth of Puerto Rico (“States”) support the Government’s stance by providing evidence of how the Second Circuit ruling below has already interfered with the States’ ability to investigate and prosecute crime locally, as it has allowed major service providers like Microsoft, Google, and Yahoo to resist warrants issued under the SCA to acquire data from foreign servers. The government also argues that adopting Microsoft’s scheme would lead to absurd results through the following hypothetical: a U.S. provider doing business domestically would not need to disclose an email about a crime that occurred in the United States, even if it was sent from a U.S. citizen to a U.S. citizen who both lived in the United States at the time and the email could be retrieved by the provider at its U.S. offices, so long as the provider had chosen to store this email in a server located in a foreign country. The States also bolster this argument by depicting three recently-tried Vermont cases involving Google in which the customer whose data was sought lived in Vermont or committed a crime associated with sexual exploitation of children in the state. In all three cases, a court issued a probable-cause warrant for evidence that could be found in the customer’s email contents, but Google resisted compliance and failed to give law enforcement officers the time-sensitive evidence that could have assisted in identifying victims and preventing crime.

Three members of the U.S. House of Representatives and two U.S. Senators (“Congressmembers”), supporting Microsoft, argue against extending the reach of SCA warrants, pointing out that the presumption against extraterritoriality was adopted to prevent judicial overreach in the area of foreign policy. The Congressmembers point out that renouncing this presumption could conflict with three key separation-of-powers principles well-established by U.S law that the presumption is intended to support, creating uncertainty throughout the U.S. legal system. The Congressmembers describe the three principles as: first, avoiding unintended international conflicts over choice of law; second, promoting the general understanding that Congress is the appropriate body to make decisions about when and how to extend U.S. law beyond the nation’s borders; and third, providing a clear rule that demonstrates Congress “legislates with domestic concerns in mind.” Finally, twelve business and consumer associations (“Associations”), including the Chamber of Commerce and the National Association of Manufacturers, in addressing the Government’s fear that a ruling favoring Microsoft would put foreign electronic communication information permanently outside the reach of U.S. law enforcement, suggest that the Government utilize the various international cooperative methods available to the U.S. as a member of Mutual Legal Assistance Treaties.

COLLATERAL EFFECTS ON INTERNATIONAL LAW AND COOPERATION

The Government argues that by enforcing § 2703 in matters like the case at hand, the United States would be respecting its international obligations, and not enforcing the law would create greater global discord. The Government supports this with evidence of other nations already using a similar approach, claiming that enforcing the statute enables the United States to fulfill its international obligations to the Budapest Convention. The Government also notes that seemingly no international conflict has materialized as a result of U.S. courts (outside of the Second Circuit) attempting to enforce such warrants based on a disclosure-focused interpretation of § 2703. The States are also skeptical that enforcement would cause international discord as SCA warrants have primarily been sought to obtain critical evidence in child pornography and exploitation cases, spurring little opposition to their use internationally.

The European Commission, the executive body of the European Union, supporting neither party, aims to aid the court in also considering regulations that the European Union has promulgated to protect privacy of personal data, specifically the General Data Protection Regulation which will come into effect in May of 2018. The European Commission further seeks to remind the Court that the United States must be careful as to apply its domestic law in a manner that is mindful of the restrictions imposed by relevant international law and general considerations of international comity, as the U.S. law creates cross-border obligations. Finally, the Council of Bars and Law Societies of Europe, supporting Microsoft, warns the Government of the dangers of expanding its “domestic” search and seizures to include any activity in which the last step occurred in the United States. The Council argues that such expansion would “deputize” American service providers, requiring them to comply with these warrants when such warrants often-times violate the laws of foreign countries in which they operate, encouraging those abroad to avoid doing business with U.S. companies and discouraging them from investing in the United States.

Edited by 

Acknowledgments 

The authors would like to thank Cornell Law School Professor James Grimmelmann for his insights into this case.

Additional Resources