JAMES C. FRANCIS IV, United States Magistrate Judge.
"The rise of an electronic medium that disregards geographical boundaries throws the law into disarray by creating entirely new phenomena that need to become the subject of clear legal rules but that cannot be governed, satisfactorily, by any current territorially based sovereign." David R. Johnson & David Post, Law and Borders — The Rise of Law in Cyberspace, 48 Stan. L.Rev. 1367, 1375 (1996). In this case I must consider the circumstances under which law enforcement agents in the United States may obtain digital information from abroad. Microsoft Corporation ("Microsoft") moves to quash a search warrant to the extent that it directs Microsoft to produce the contents of one of its customer's e-mails where that information is stored on a server located in Dublin, Ireland. Microsoft contends that courts in the United States are not authorized to issue warrants for extraterritorial search and seizure, and that this is such a warrant. For the reasons that follow, Microsoft's motion is denied.
Microsoft has long owned and operated a web-based e-mail service that has existed at various times under different internet domain names, including Hotmail.com, MSN.com, and Outlook.com. (Declaration of A.B. dated Dec. 17, 2013 ("A.B. Decl."), ¶ 3).
Microsoft stores e-mail messages sent and received by its users in its datacenters. Those datacenters exist at various locations both in the United States and abroad, and where a particular user's information is stored depends in part on a phenomenon known as "network latency"; because the quality of service decreases the farther a user is from the datacenter where his account is hosted, efforts are made to assign each account to the closest datacenter. (A.B. Decl., ¶ 6). Accordingly, based on the "country code" that the customer enters at registration, Microsoft may migrate the account to the datacenter in Dublin. (A.B. Decl., ¶ 7). When this is done, all content and most noncontent information associated with the account is deleted from servers in the United States. (A.B. Decl., ¶ 7).
The non-content information that remains in the United States when an account is migrated abroad falls into three categories. First, certain non-content information is retained in a data warehouse in the United States for testing and quality control purposes. (A.B. Decl., ¶ 10). Second, Microsoft retains "address book" information relating to certain web-based e-mail accounts in an "address book clearing house." (A.B. Decl., ¶ 10). Finally, certain basic non-content information about all accounts, such as the user's name and country, is maintained in a database in the United States. (A.B. Decl., ¶ 10).
On December 4, 2013, in response to an application by the United States, I issued the search warrant that is the subject of the instant motion. That warrant authorizes
(Warrant, Attachment C, ¶ I(a)-(d)).
It is the responsibility of Microsoft's Global Criminal Compliance ("GCC") team to respond to a search warrant seeking stored electronic information. (C.D. Decl., ¶ 3). Working from offices in California and Washington, the GCC team uses a database program or "tool" to collect the data. (C.D. Decl., ¶¶ 3, 4). Initially, a GCC team member uses the tool to determine where the data for the target account is stored and then collects the information remotely from the server where the data is located, whether in the United States or elsewhere. (C.D. Decl., ¶¶ 5, 6).
In this case, Microsoft complied with the search warrant to the extent of producing the non-content information stored on servers in the United States. However, after it determined that the target account was hosted in Dublin and the content information stored there, it filed the instant motion seeking to quash the warrant to the extent that it directs the production of information stored abroad.
The obligation of an Internet Service Provider ("ISP") like Microsoft to disclose to the Government customer information or records is governed by the Stored Communications Act (the "SCA"), passed as part of the Electronic Communications Privacy Act of 1986 (the "ECPA") and codified at 18 U.S.C. §§ 2701-2712. That statute authorizes the Government to seek information by way of subpoena, court order, or warrant. The instrument law enforcement agents utilize dictates both the showing that must be made to obtain it and the type of records that must be disclosed in response.
First, the Government may proceed upon an "administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena." 18 U.S.C. § 2703(b)(1)(B)(i). In response, the service provider must produce (1) basic customer information, such as the customer's name, address, Internet Protocol connection records, and means of payment for the account, 18 U.S.C. § 2703(c)(2); unopened e-mails that are more than 180 days old, 18 U.S.C.
If the Government secures a court order pursuant to 18 U.S.C. § 2703(d), it is entitled to all of the information subject to production under a subpoena and also "record[s] or other information pertaining to a subscriber [ ] or customer," such as historical logs showing the e-mail addresses with which the customer had communicated. 18 U.S.C. § 2703(c)(1). In order to obtain such an order, the Government must provide the court with "specific and articulable facts showing that there are reasonable grounds to believe that the content of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation." 18 U.S.C. § 2703(d).
Microsoft's argument is simple, perhaps deceptively so. It notes that, consistent with the SCA and Rule 41 of the Federal Rules of Criminal Procedure, the Government sought information here by means of a warrant. Federal courts are without authority to issue warrants for the search and seizure of property outside the territorial limits of the United States. Therefore, Microsoft concludes, to the extent that the warrant here requires acquisition of information from Dublin, it is unauthorized and must be quashed.
That analysis, while not inconsistent with the statutory language, is undermined by the structure of the SCA, by its legislative history, and by the practical consequences that would flow from adopting it.
In construing federal law, the "starting point in discerning congressional intent is the existing statutory language." Lamie v. United States Trustee, 540 U.S. 526, 534, 124 S.Ct. 1023, 157 L.Ed.2d 1024 (2004) (citing Hughes Aircraft Co. v. Jacobson, 525 U.S. 432, 438, 119 S.Ct. 755, 142 L.Ed.2d 881 (1999)). "And where the statutory language provides a clear answer, [the analysis] ends there as well." Hughes Aircraft Co., 525 U.S. at 438, 119 S.Ct. 755. However, a court must search beneath the surface of text that is ambiguous, that is, language that is "capable of being understood in two or more possible senses or ways." Chickasaw Nation v. United States, 534 U.S. 84, 90, 122 S.Ct. 528, 151 L.Ed.2d 474 (2001) (internal quotation marks omitted).
Here, the relevant section of the SCA provides in pertinent part:
18 U.S.C. § 2703(a). This language is ambiguous in at least one critical respect. The words "using the procedures described in the Federal Rules of Criminal Procedure" could be construed to mean, as Microsoft argues, that all aspects of Rule 41 are incorporated by reference in section 2703(a), including limitations on the territorial reach of a warrant issued under that rule. But, equally plausibly, the statutory language could be read to mean that while procedural aspects of the application process are to be drawn from Rule 41 (for example, the presentation of the application based on sworn testimony to a magistrate judge), more substantive rules are derived from other sources. See In re United States, 665 F.Supp.2d at 1219 (finding ambiguity in that "'[i]ssued' may be read to limit the procedures that are applicable under § 2703(a), or it might merely have been used as a shorthand for the process of obtaining, issuing, executing, and returning a warrant, as described in Rule 41"); In re Search of Yahoo, Inc., No.
The SCA was enacted at least in part in response to a recognition that the Fourth Amendment protections that apply in the physical world, and especially to one's home, might not apply to information communicated through the internet.
Accordingly, the SCA created "a set of Fourth Amendment-like privacy protections by statute, regulating the relationship between government investigators and service providers in possession of users' private information." Id. at 1212. Because there were no constitutional limits on an ISP's disclosure of its customer's data, and because the Government could likely obtain such data with a subpoena that did not require a showing of probable cause, Congress placed limitations on the service providers' ability to disclose information and, at the same time, defined the means that the Government could use to obtain it. See id. at 1209-13.
In particular, the SCA authorizes the Government to procure a warrant requiring a provider of electronic communication service to disclose e-mail content in the provider's electronic storage. Although section 2703(a) uses the term "warrant" and refers to the use of warrant procedures, the resulting order is not a conventional warrant; rather, the order is a hybrid: part search warrant and part subpoena. It is obtained like a search warrant when an application is made to a neutral magistrate who issues the order only upon a showing of probable cause. On the other hand, it is executed like a subpoena in that it is served on the ISP in possession of the information and does not involve government agents entering the premises of the ISP to search its servers and seize the e-mail account in question.
This approach is also consistent with the view that, in the context of digital information, "a search occurs when information from or about the data is exposed to possible human observation, such as when it appears on a screen, rather than when it is copied by the hard drive or processed by the computer." Orin S. Kerr, Searches and Seizures in a Digital World, 119 Harv. L.Rev. 531, 551 (2005). In this case, no such exposure takes place until the information is reviewed in the United States, and consequently no extraterritorial search has occurred.
This analysis is not undermined by the Eighth Circuit's decision in United States v. Bach, 310 F.3d 1063 (8th Cir.2002). There, in a footnote the court noted that "[w]e analyze this case under the search warrant standard, not under the subpoena standard. While warrants for electronic data are often served like subpoenas (via fax), Congress called them warrants and we find that Congress intended them to be treated as warrants." Id. at 1066 n. 1. Given the context in which it was issued, this sweeping statement is of little assistance to Microsoft. The issue in Bach was whether the fact that a warrant for electronic information was executed by employees of the ISP outside the supervision of law enforcement personnel rendered the search unreasonable in violation of the Fourth Amendment. Id. at 1065. The court utilized the stricter warrant standard for evaluating the reasonableness of the execution of a search, as opposed to the standard for executing a subpoena; this says nothing about the territorial reach of an SCA Warrant.
Although scant, the legislative history also provides support for the Government's position. When the SCA was enacted as part of the ECPA, the Senate report, although it did not address the specific issue of extraterritoriality, reflected an understanding that information was being maintained remotely by third-party entities:
S.Rep. No. 99-541, at 3 (1986).
While the House report did address the territorial reach of the law, it did so ambiguously. Because the ECPA amended the law with respect to wiretaps, the report notes:
H.R. Rep. 99-647, at 32-33 (1986) (citations omitted). While this language would seem to suggest that information stored abroad would be beyond the purview of the SCA, it remains ambiguous for two reasons. First, in support of its observation that the ECPA does not regulate activities outside the United States, the Committee cited Stowe v. Devoy, 588 F.2d 336 (2d Cir.1978). In that case, the Second Circuit held that telephone calls intercepted in Canada by Canadian authorities were admissible in a criminal proceeding even if the interception would have violated Title III of the Omnibus Crime Control Act of 1968 if it had occurred in the United States or been performed by United States officials. Id. at 340-41. This suggests that Congress was addressing not the reach of government authority, but rather the scope of the individual rights created by the ECPA. Second, in referring to "access" to stored electronic communications, the Committee did not make clear whether it meant access to the location where the electronic data was stored or access to the location of the ISP in possession of the data.
Additional evidence of congressional intent with respect to this latter issue can be gleaned from the legislative history of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (the "Patriot Act"). Section 108 of the Patriot Act provided for nationwide service of search warrants for electronic evidence. The House Committee described the rationale for this as follows:
H.R. Rep. 107-236(1), at 58 (2001). This language is significant, because it equates "where the property is located" with the location of the ISP, not the location of any server. See In re Search of Yahoo, Inc., 2007 WL 1539971, at *4 ("Commentators have suggested that one reason for the amendments effected by Section 220 of the Patriot Act was to alleviate the burden placed on federal district courts in the Eastern District of Virginia and the Northern District of California where major internet service providers [ ] AOL and Yahoo, respectively, are located.") (citing, inter alia, Patricia L. Bellia, Surveillance Law Through Cyberlaw's Lens, 72 Geo. Wash. L.Rev. 1375, 1454 (2004)).
Congress thus appears to have anticipated that an ISP located in the United States would be obligated to respond to a warrant issued pursuant to section 2703(a) by producing information within its control, regardless of where that information was stored.
If the territorial restrictions on conventional warrants applied to warrants issued under section 2703(a), the burden on the Government would be substantial, and law enforcement efforts would be seriously impeded. If this were merely a policy argument, it would be appropriately addressed to Congress. But it also provides context for understanding congressional intent at the outset, for it is difficult to believe that, in light of the practical consequences that would follow, Congress intended to limit the reach of SCA Warrants to data stored in the United States.
First, a service provider is under no obligation to verify the information provided by a customer at the time an e-mail account is opened. Thus, a party intending to engage in criminal activity could evade an SCA Warrant by the simple expedient of giving false residence information, thereby causing the ISP to assign his account to a server outside the United States.
Second, if an SCA Warrant were treated like a conventional search warrant, it could only be executed abroad pursuant to a Mutual Legal Assistance Treaty ("MLAT"). As one commentator has observed, "This process generally remains slow and laborious, as it requires the cooperation of two governments and one of those governments may not prioritize the case as highly as the other." Orin S. Kerr, The Next Generation Communications Privacy Act, 162 U. Penn. L.Rev. 373, 409 (2014). Moreover, nations that enter into MLATs nevertheless generally retain the discretion to decline a request for assistance. For example, the MLAT between the United States and Canada provides that "[t]he Requested State may deny assistance to the extent that ... execution of the request is contrary to its public interest as determined by its Central Authority." Treaty on Mutual Legal Assistance in Criminal Matters, U.S.-Can., March 18, 1985, 24 I.L.M. 1092 ("U.S.-Can. MLAT"), Art. V(1). Similarly, the
Finally, as burdensome and uncertain as the MLAT process is, it is entirely unavailable where no treaty is in place. Although there are more than 60 MLATs currently in force, Amy E. Pope, Lawlessness Breeds Lawlessness: A Case for Applying the Fourth Amendment to Extraterritorial Searches, 65 Fla. L.Rev. 1917, 1931 (2013), not all countries have entered into such agreements with the United States. Moreover, Google has reportedly explored the possibility of establishing true "off-shore" servers: server farms located at sea beyond the territorial jurisdiction of any nation. Steven R. Swanson, Google Sets Sail: Ocean-Based Server Farms and International Law, 43 U. Conn. L.Rev. 709, 716-18 (2011). Thus, under Microsoft's understanding, certain information within the control of an American service provider would be completely unavailable to American law enforcement under the SCA.
The practical implications thus make it unlikely that Congress intended to treat a Section 2703(a) order as a warrant for the search of premises located where the data is stored.
The presumption against territorial application
Kiobel v. Royal Dutch Petroleum Co., ___ U.S. ___, ___, 133 S.Ct. 1659, 1664, 185 L.Ed.2d 671 (2013). But the concerns that animate the presumption against extraterritoriality are simply not present here: an SCA Warrant does not criminalize conduct taking place in a foreign country; it does not involve the deployment of American law enforcement personnel abroad; it does not require even the physical presence of service provider employees at the location where data are stored. At least in this
Blackmer v. United States, 284 U.S. 421, 437, 52 S.Ct. 252, 76 L.Ed. 375 (1932) (footnotes omitted). Thus, the nationality principle, one of the well-recognized grounds for extension of American criminal law outside the nation's borders, see Marc Rich, 707 F.2d at 666 (citing Introductory Comment to Research on International Law, Part II, Draft Convention on Jurisdiction With Respect to Crime, 29 Am. J. Int'l Law 435, 445 (Supp.1935)), supports the legal requirement that an entity subject to jurisdiction in the United States, like Microsoft, may be required to obtain evidence from abroad in connection with a criminal investigation.
The cases that Microsoft cites for the proposition that there is no authority to issue extraterritorial warrants are inapposite, since these decisions refer to conventional warrants. For example, in United States v. Odeh, 552 F.3d 157 (2d Cir.2008), the Second Circuit noted that "seven justices of the Supreme Court [in United States v. Verdugo-Urquidez, 494 U.S. 259, 110 S.Ct. 1056, 108 L.Ed.2d 222 (1990)] endorsed the view that U.S. courts are not empowered to issue warrants for foreign searches," id. at 169, and found that "it is by no means clear that U.S. judicial officers could be authorized to issue warrants for overseas searches," id. at 171. But Odeh involved American law enforcement agents engaging in wiretapping and searching a residence in Kenya. Id. at 159-60. The court held that while the Fourth Amendment's proscription against unreasonable search and seizure would apply in such circumstances, the requirement of a warrant would not. Id. at 169-71. Similarly, in Verdugo-Urquidez, the Supreme Court held that a Mexican national could not challenge, on Fourth Amendment grounds, the search of his residence in Mexico by American agents acting without a warrant. 494 U.S. at 262-63, 274-75, 110 S.Ct. 1056; id. at 278, 110 S.Ct. 1056 (Kennedy, J., concurring); id. at 279, 110 S.Ct. 1056 (Stevens, J., concurring). Those cases are not applicable here, where the requirement to obtain a section 2703(a) order is grounded in the SCA, not in the Warrant Clause.
Nor do cases relating to the lack of power to authorize intrusion into a foreign computer support Microsoft's position. In In re Warrant to Search a Target Computer at Premises Unknown, 958 F.Supp.2d 753 (S.D.Tex.2013), the court rejected the Government's argument that data surreptitiously seized from a computer at an unknown location would be "located" within the district where the agents would first view it for purposes of conforming to the territorial limitations of Rule 41. Id. at 756-57. But there the Government was not seeking an SCA Warrant.
Id. at 755. "In other words, the Government [sought] a warrant to hack a computer suspected of criminal use." Id. Though not "garden-variety," the warrant requested there was conventional: it called for agents to intrude upon the target's property in order to obtain information; it did not call for disclosure of information in the possession of a third party. Likewise, in United States v. Gorshkov, No. CR 00-550, 2001 WL 1024026 (W.D.Wash. May 23, 2001), government agents seized a computer in this country, extracted a password, and used it to access the target computer in Russia. Id. at *1. The court characterized this as "extraterritorial access" to the Russian computer, and held that "[u]ntil the copied data was transmitted to the United States, it was outside the territory of this country and not subject to the protections of the Fourth Amendment." Id. at *3. But this case is of even less assistance to Microsoft since the court did not suggest that it would have been beyond a court's authority to issue a warrant to accomplish the same result.
Perhaps the case that comes closest to supporting Microsoft is Cunzhu Zheng v. Yahoo! Inc., No. C-08-1068, 2009 WL 4430297 (N.D.Cal. Dec. 2, 2008), because at least it deals with the ECPA. There, the plaintiffs sought damages against an ISP on the ground that it had provided user information about them to the People's Republic of China (the "PRC") in violation of privacy provisions of the ECPA and particularly of the SCA. Id. at *1. The court found that "the alleged interceptions and disclosures occurred in the PRC," id. at *4, and as a result, dismissed the action on the ground that "[p]laintiffs point to no language in the ECPA itself, nor to any statement in the legislative history of the ECPA, indicating Congress intended that the ECPA ... apply to activities occurring outside the United States," id. at *3. But this language, too, does not advance Microsoft's cause. The fact that protections against "interceptions and disclosures" may not apply where those activities take place abroad hardly indicates that Congress intended to limit the ability of law enforcement agents to obtain account information from domestic service providers who happen to store that information overseas.
Even when applied to information that is stored in servers abroad, an SCA Warrant does not violate the presumption against extraterritorial application of American law. Accordingly, Microsoft's motion to quash in part the warrant at issue is denied.
SO ORDERED.
Likewise, it is not necessary to determine whether Microsoft was providing ECS or RCS in relation to the communications in question. The statute defines ECS as "any service which provides users thereof the ability to send or receive wire or electronic communications," 18 U.S.C. § 2510(15), while RCS provides "to the public [ ] computer storage or processing services by means of an electronic communications system," 18 U.S.C. § 2711(2). Since service providers now generally perform both functions, the distinction, which originated in the context of earlier technology, is difficult to apply. See Crispin, 717 F.Supp.2d at 986 n. 42; In re Application of the United States of America for a Search Warrant for Contents of Electronic Mail and for an Order Directing a Provider of Electronic Communication Services to not Disclose the Existence of the Search Warrant, 665 F.Supp.2d 1210, 1214 (D.Or. 2009) (hereinafter In re United States) ("Today, most ISPs provide both ECS and RCS; thus, the distinction serves to define the service that is being provided at a particular time (or as to a particular piece of electronic communication at a particular time), rather than to define the service provider itself."); Kerr, A User's Guide at 1215 ("The distinction of providers of ECS and RCS is made somewhat confusing by the fact that most network service providers are multifunctional. They can act as providers of ECS in some contexts, providers of RCS in some contexts, and as neither in some contexts as well.").