Later this month, Supreme Court justices will hear a case involving Microsoft’s heated dispute with federal prosecutors over whether it must turn over data currently hosted in a storage facility in Ireland. At the heart of the legal dispute is whether U.S. courts can compel a company to turn over an individual’s data when it is held overseas.
The case has drawn intense global interest, including more than a dozen legal briefs to the Supreme Court from abroad, in a sign that some parties believe a ruling may offer a future road map for the internet.
The showdown is unfolding on several fronts. Bills put forth in both chambers of Congress this week would partially resolve disputes over law enforcement access to private data held across borders. The bipartisan bills would obligate service providers in “possession, custody, or control” of data to turn it over to prosecutors under certain conditions regardless of where in the world the material is stored.
Still, some mystery surrounds the legal dispute that will be aired Feb. 27 in Supreme Court chambers. For one, prosecutors have never identified the person who was targeted in a warrant issued by a New York district court judge on Dec. 4, 2013.
“We don’t know what the nationality is of the subject … We know that the case is about drugs. But we don’t know a lot more than that,” said Gregory T. Nojeim, senior counsel at the Center for Democracy & Technology, a public policy group in Washington.
Prosecutors demanded from Microsoft all emails and information associated with the subject’s account, and the Redmond, Washington, tech giant responded that it could not be forced to turn over information stored overseas, in this case at a data center in Dublin, Ireland.
At its heart, the case goes to a conundrum of the modern age: Where does data in “the cloud” actually reside and what sovereign entity should have control?
“Is the data on the server, wherever the server is located? Or is the data from wherever you can access that server? Or does the data not have any location?” asked Faiza Patel, co-director of the Liberty and National Security Program at the New York University School of Law’s Brennan Center for Justice. A different program at the NYU law school filed an amicus brief in the case.
The most pertinent statute on data, the Stored Communications Act, was passed three decades ago.
The government relies on a law that was enacted in 1986, before anyone conceived of cloud computing.
Brad Smith, Microsoft president
“The government relies on a law that was enacted in 1986, before anyone conceived of cloud computing,” Brad Smith, Microsoft’s president and chief legal officer, wrote in a blog post Jan. 19.
While prosecutors and big tech companies clash over access to digital data in the United States, the issue also has broad resonance overseas, leading some countries to demand that data be stored within their own borders. Prosecutors abroad also complain of obstacles to conducting probes of criminal suspects using U.S.-based webmail.
“Eight of the 10 most popular web services and websites in almost every country in the world, with few exceptions, are American,” said Andrew K. Woods, a professor at the University of Kentucky College of Law. He added that foreign requests to companies like Microsoft and Google for email disclosure have soared.
“The cops in Brazil and the cops in India and the cops in France, all of the cops in the world, want to issue normal evidence orders in accordance with local law and they are frustrated or stymied by American rules,” Woods said.
Woods cited a hypothetical case in which a Londoner is a suspect in the murder of a fellow Brit, a crime investigated by local police.
“Everything about that case is British,” Woods said, but police “cannot go to Google and compel Google to give them content of the suspect’s email account. They have to go through the mutual legal assistance process. That is not only slow it is also an affront to British sovereignty.”
The U.S. government has struck mutual legal assistance treaties, or MLATs, with about a third of the world’s countries. The mechanism, while useful, can clog the wheels of justice.
It’s a slow and laborious process. … It often takes months, if not years.
Jennifer Daskal, American University law professor
“It’s a slow and laborious process. … It often takes months, if not years, for governments to respond,” said Jennifer Daskal, a former attorney in the National Security Division of the Justice Department who now teaches law at American University’s Washington College of Law.
More criminal cases than ever involve digital evidence, she said, and “the volume (of MLAT requests) is just going to keep on increasing exponentially.”
Something else likely to go unmentioned in the Supreme Court chambers is the name of Edward Snowden, the former National Security Agency contractor who spilled secrets about U.S. surveillance programs in 2013 before taking exile in Moscow. Snowden’s acts have shaped views abroad of what some critics see as the extraterritorial reach of the U.S. government.
“In the wake of the Snowden revelations, levels of trust around the world in the American government went down,” Woods said. “American businesses ever since have been scrambling to reassure customers around the world that they resist the American government.”
The Microsoft case has elicited an outpouring of briefs from people, organizations and governments around the world. Such amicus briefs to the Supreme Court are legal documents from non-litigants with a strong interest in the case.
Outside of the United States, among those filing such briefs, or joining in them, are the European Commission (on behalf of the European Union), Ireland, the New Zealand privacy commissioner, law societies of Europe, the Australian Privacy Foundation and the United Nations special rapporteur on the right to privacy.
This case obviously is highly watched.
Jennifer Daskal, American University law professor
“This case obviously is highly watched,” Daskal said. “A straight-up win for the government will be perceived, rightly or wrongly, as the United States claiming authority to access data anywhere without regard to foreign governments’ countervailing considerations. And that could harm the U.S. tech industry.”
But if Microsoft prevails, she said, “it may completely stymie legitimate investigations simply because some or all of the sought-after data is held outside of the United States.”
The bills now before both chambers of Congress, the Clarifying Lawful Overseas Use of Data (CLOUD) Act, may provide a more feasible framework and pave the way for executive agreements that would allow foreign governments to request data directly from U.S. service providers.
The bills provide "a logical solution for governing cross-border access to data," five big tech firms, including Microsoft and Google, said in a letter to the Senate sponsors on Tuesday.
U.S. service providers, under the proposal, would no longer be shielded when they store data abroad, but it also gives them rights to challenge the requests. It also would incentivize the executive branch to to reach bilateral agreements with foreign governments that would allow them to serve direct surveillance demands on U.S. providers.
Not all watchdog groups are in favor of the legislative proposals. In a statement, the Center for Democracy & Technology said it "does not believe the CLOUD Act does enough to protect the privacy of internet users."