It is not unusual for tech companies to spar with law enforcement over access to customer data. Most cases, however, do not go all the way to the U.S. Supreme Court, which is where Microsoft found itself Tuesday. The tech giant argued it was not obligated to turn over certain e-mails to U.S. investigators prosecuting a 2013 drug-trafficking case. Microsoft’s reasoning caught the court’s attention: The e-mails are stored at a data center in Ireland and therefore not subject to U.S. law. U.S. v. Microsoft Corp. now calls on the high court to decide whether a company can legally hide information from law enforcement simply by moving it to a foreign country, which can now be done with the click of a mouse.
The Stored Communications Act (SCA) gives law enforcement with a warrant the authority to compel companies to hand over e-mails stored on U.S. soil that are relevant to an investigation. Congress passed that law in 1986, however, before the dawn of the Web and cloud computing. As a result, the legislation’s powers have been limited by the lawmakers’ inability to imagine a time when data could be stored anywhere in the world and accessed easily over a computer network. Microsoft argues complying with the U.S. warrant could put the company at odds with Irish government regulations regarding data privacy and that, anyway, law enforcement cannot apply a U.S. law outside the nation’s borders. Microsoft further contends giving the U.S. government access to data stored in foreign jurisdictions might embolden those countries to likewise demand access to data stored in the U.S.
After the U.S. Court of Appeals for the Second Circuit ruled for Microsoft, federal officials asked the Supreme Court to weigh in. The U.S. counters law enforcement is asking Microsoft for information the company can access from its Redmond, Wash., offices, where the warrant was served. There would be no need to involve Irish authorities to obtain access to the Microsoft e-mail account the U.S. suspects was being used as part of a drug-trafficking operation. Chief Justice John Roberts pointed out at the hearing [pdf] that a ruling in Microsoft’s favor might embolden companies to solicit customers by assuring them that “no matter what happens, the government won’t be able to get access to their e-mails.”
Associate justices Ruth Bader Ginsburg and Sonia Sotomayor suggested the issue could best be resolved by Congress, which earlier this month proposed the Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018. The Senate bill specifies that a court order issued under the SCA applies to all data a provider possesses, manages or controls, regardless of where it is stored. The proposed law would also allow foreign governments that have negotiated agreements with the U.S. to request data from companies storing it in this country.
The Supreme Court will likely weigh in by the end of June. Scientific American spoke with Andrew Keane Woods, an assistant professor of law at the University of Kentucky College of Law, about how this case reached the highest court in the land and whose argument is strongest as well as the tangential connection with Special Counsel Robert Mueller’s investigation of possible Russian tampering in the 2016 U.S. presidential elections.
[An edited transcript of the conversation follows.]
Why has this case gotten so much attention?
The facts of the case are pretty simple: The cops have a warrant for an e-mail account for someone they suspect is involved in selling drugs. They go to Microsoft to get the information. Microsoft says they’ll give law enforcement the information they have stored in Washington [State], but the e-mails for that account are stored in Ireland and the warrant doesn’t apply to their Irish data center. The Supreme Court will decide whether the facts of this case are foreign or domestic and, based on that, whether the law can be applied to information stored in another country.
Lots of people are watching this case for a lot of different reasons. For some people, it’s an extraterritoriality case that extends the lines of U.S. laws into other countries. For others, it’s a case about privacy or one that involves geopolitics about who gets to regulate the internet. Another way to think about this is: Which institutions are best situated to regulate the internet—the courts or Congress?
If Congress fails to act, will the Supreme Court feel compelled to make a decision, rather than hand it back to a lower court?
Justice [Samuel] Alito seemed to suggest that they’re going to have to make a decision one way or another because who knows what Congress will do. The [standard] process of requesting information like e-mails directly from a foreign government depends on treaties with the U.S. government and can take months or years. Although we don’t know for certain, that is likely how Mueller has gotten information for his investigation when it involved American service providers storing data in foreign countries. However, the Mueller investigation is high profile enough that they could probably get access to data using diplomatic channels relatively quickly. The problem is that Microsoft receives 60,000 requests from law enforcement each year. If a lot of those requests get tied up in bureaucratic processes, that’s a problem for law enforcement.
Does Microsoft have a strong argument that legally the company must get permission from Ireland or the European Union in order to fully comply with the warrant?
You could imagine a case where U.S. law enforcement orders an internet company to violate the laws of another country. That’s not the case here. The amicus brief [pdf] that Ireland filed with the Supreme Court related to this case is very mealymouthed and doesn’t explicitly support either Microsoft or the U.S. government. The brief doesn’t specifically say that Microsoft would be violating Irish law if the company complied with the warrant, and Ireland isn’t even saying that they don’t want Microsoft to comply with the warrant. The U.S. government has pointed to that brief as conclusive proof that there is no real conflict with Irish interests if the court order is enforced.
If the court rules in favor of the U.S. government, would foreign governments use that as an excuse to request data stored in the U.S.?
Microsoft’s argument is that, if the U.S. government is able to get stuff held in Ireland, then other countries will say, “Aha, the U.S. did it, so we can do it, too.” According to Microsoft, other countries might then demand access to information stored in the United States, including information about U.S. citizens. Actually, foreign governments will benefit regardless of how the court rules. On the one hand, foreign countries would like to see the highest court in the U.S. tell the government that they may not access information stored in those countries. However, those same governments would also be happy to assume the same authority that the U.S. is claiming in this case—to fully enforce their laws even if that means accessing information held in other countries.
The best evidence that other countries want the U.S. to cooperate with foreign law enforcement is newly proposed E.U. legislation that would allow law enforcement in those countries to get companies to turn over data stored outside [the 28-nation bloc]. That law would go along with the new GDPR [General Data Protection Regulation], which goes into effect in May and compels companies operating in the E.U. to turn over data to law enforcement in any E.U. country.
How likely is Congress to resolve the problem that the Supreme Court is debating?
I think Congress cares about this. Sen. [Orrin] Hatch [R–Utah] was at the oral arguments on Tuesday sitting in the front row. His message to the court was, I’m taking care of this. That doesn’t mean Congress will take care of it. There’s widespread support for the CLOUD Act—even Microsoft wants this to happen—but there’s good reason to worry about this Congress getting anything done.