Outlook and Gmail Encounter the SCA

Meg Franklin, Associate Member, University of Cincinnati Law Review

Under the Stored Communications Privacy Act (“SCA”), the government may only obtain electronic communication through a lawful search warrant.[1]  Yet, two recent cases illustrate the weakness of the SCA.  When the SCA was passed in 1986, it specifically addressed technology that existed at the time.  However, as the cases illustrate, its application can lead to absurd results in today’s era of global digital communications.  Since the SCA can only govern search warrants within the United States, the absurdity results from determining whether the data is stored and transmitted domestically or extra-territorially. The distinction can be absurd because modern-day electronic communication companies have many options when structuring their data storage practices. Yet, under the current interpretation of the SCA, these business decisions may conclusively determine the SCA’s application.

The Stored Communications Act

The SCA[2] was passed in 1986 as part of the Electronic Communications Privacy Act.[3]  At its most basic form, Congress sought to extend Fourth Amendment protections to electronic records.[4]  The statute is “a general prohibition against the unauthorized acquisition, alteration, or blocking of electronic communications while in electronic storage in a facility through which an electronic communications service is provided.”[5]  Yet, the statute creates an exception to require disclosure to comply with warrants, court orders, administrative subpoenas, grand jury subpoenas, or trial subpoenas.[6]  Accordingly, the warrants issued under the SCA must comply with the “Search and Seizure” Rule 41 of the Federal Rules of Criminal Procedure.[7]  For technology in existence at the time SCA was enacted, the application of Rule 41 is straightforward.  At that time, communications were primarily within the United States borders.  Yet, current technology facilitates easy electronic communication across the world.  In two recent cases, courts have considered warrants for electronic communications transmitted across national borders.

The Microsoft Warrant       

In In re Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp. (“Microsoft”), the government was restricted from carrying out a warrant for electronic communication because it was stored on a computer in Ireland.[8]  The court used a two-step framework to reach this holding.[9]  In the first step of its analysis, the Second Circuit determined that the SCA “does not contemplate or permit extraterritorial application.”[10]  In other words, warrants under the SCA do not reach extraterritorially.[11]  Second, the court concluded that privacy of stored communication was the “focus” of the SCA.[12]  The Second Circuit applied the facts to determine whether the “’territorial events or relationships’ that are the ‘focus’ of the relevant statutory provision” of the SCA occurred inside or outside of the United States.[13]  The Second Circuit concluded the following:

It is our view that the invasion of the customer’s privacy takes place under the SCA where the customer’s protected content is accessed—here, where it is seized by Microsoft, acting as an agent of the government. Because the content subject to the Warrant is located in, and would be seized from, the Dublin datacenter, the conduct that falls within the focus of the SCA would occur outside the United States, regardless of the customer’s location and regardless of Microsoft’s home in the United States.[14]

Therefore, the relevant facts to the Microsoft court was the location of the server and potential breach of privacy. [15]  Since the SCA does not cover extraterritorial warrants, the court concluded that any warrant seeking data in Ireland was unlawful.[16]

Judge Lynch’s Concurrence

Judge Lynch concurred in the result but not the reasoning in Microsoft because treating SCA warrants as extraterritorial whenever there is an offshore server seemed too simplistic.[17]  In his view, the Microsoft precedent did not allow adaptation to the nuanced world of transnational communication.[18]  Instead, it will be left to the business decision of a private corporation.[19]  If the server is located abroad, then the provider has an absolute right against disclosing the communication to the government.[20]

Moreover, Judge Lynch pointed out that the majority decided the case based on the “international reach of American law” and not on privacy under the Fourth Amendment.[21]  Particularly in the international context, “[t]he courts’ job is simply to do their best to understand what Congress intended.”[22]  Thus, the majority’s decision was “ultimately the application of a default rule of statutory interpretation to a statute that did not provide an explicit answer to the issue.”[23]

In the third part of his concurrence, Judge Lynch urged Congress to revise the SCA to answer the nuanced policy issues raised in Microsoft.[24]  Yet, he also urged Congress to go beyond the scope of the Microsoft scenario and address the other provisions of the SCA.[25]  He hoped Congress might devise a creative solution to the current and future technological environment.[26]

The Google Warrant

In a recent case in the Eastern District of Pennsylvania, Google relied on Microsoft when it challenged two SCA warrants.[27]  However, the facts from the two cases can be easily distinguished.  Unlike Microsoft’s static Irish server, “Google operates a state-of-the-art intelligent network that . . . automatically moves data from one location on Google’s network to another as frequently as needed to optimize for performance, reliability, and other efficiencies.”[28]  Thus, unlike Microsoft’s data stored on server in Ireland, Google could not determine the location of the data at any particular point in time.[29]

Besides distinguishable facts, the court added the need to “avoid an interpretation of a statute that produces odd or absurd results, or that is inconsistent with common sense” to Microsoft’s two-step analysis.[30]  This “common sense” analysis compared other available alternatives to applying a domestic territory to the search warrant.[31]  Yet, the court could not find another appropriate alternative to domestic application because the data did not reside in any particular location.[32]  Finding no other alternative, the court seemed to find that the warrants had domestic application by default.[33]  The court held that the two search warrants executed on Google were permissible because they were not extraterritorial applications of the SCA.[34]

The SCA for an Interconnected World

Google and Microsoft demonstrate how two courts interpreted the SCA under different facts.  Even with slight changes to the legal analysis, finding that the electronic data was within the scope of the SCA appears to be the default.  In other words, the constantly-moving data may have dictated the holding in Google.  Likewise, finding that the data resided on a server in Ireland may have driven the court’s analysis in Microsoft.  For those in favor of stronger privacy protections, Google may seem too weak; whereas, Microsoft may have been too strong.  The relative protection of privacy is connected to the all-or-nothing granting or withholding of the search warrant.  Judge Lynch, in his concurrence in Microsoft, criticized this all-or-nothing approach.  Yet, as Judge Lynch discussed, the solution is found in legislation, not in judicial interpretation.

Judge Lynch’s concurrence points out the policy-related-shortcomings of the SCA as interpreted by courts like Microsoft.[35]  Courts struggle to apply the 1986 SCA with modern realities of electronic data that moves around the globe.  To illustrate this point, Edward W. Felten, a Professor of Computer Science and Public Affairs at Princeton University, observed:

In 1986, when ECPA was passed, the Internet consisted of a few thousand computers … . There were no web pages, because the web had not been invented. Google would not be founded for another decade. Twitter would not be founded for another two decades. Mark Zuckerberg, who would grow up to start Facebook, was two years old.[36]

Therefore, perhaps Judge Lynch is correct in observing that it is time for Congress to step in.  Some laws are limited in their long-term applicability.  This is especially true of a statute that was passed in response to technological advancements in the 1980s.

Otherwise, as Judge Lynch explained, courts are left to choose the least absurd result.  As Microsoft and Google illustrate, the determinations become fact-dependent.  If the data is found within the United States, the government may execute the search warrant.  However, if the data is outside of the United States, the government cannot execute the search warrant.  For future litigants, these two decisions create a practical loophole in privacy protections under SCA.  In other words, companies can avoid SCA warrants by housing their electronic data on servers overseas.  Such an all-or-nothing approach is not likely to balance the need for privacy with the need for furthering domestic justice.

The domestic territory versus extra-territorial analysis is flawed because data is increasingly becoming transnational.  As data continues to elude physical boundaries, this analysis of the SCA will continue to become more difficult to apply.

Conclusion

Modern technology complicates laws assumed under traditional notions of territory and sovereignty.  In 1986, Congress sought to update the SCA to accommodate the new methods of electronic communication.  However, today’s courts struggle to apply the SCA to electronic data that frequently crosses national borders.  To avoid absurd or arbitrary results, Congress would be advised to heed Judge Lynch’s suggestion to fully revise the SCA.  Yet, defining a non-arbitrary restriction on the SCA will require creative legislation.  Today’s electronic data fluidly moves across borders. Moreover, new technologies are constantly introduced.  Any legislation replacing the SCA would have to overcome these two challenges.
 

[1] See infra, note 5.

[2] 18 U.S.C. §§ 2701-2712.

[3] Microsoft Corp. v. United States (In re Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp.), 829 F.3d 197, 205 (2d Cir. 2016).

[4] Id. At 206. Cf., United States v. Warshak, 631 F.3d 266, 288 (6th Cir. 2010) (holding “to the extent that the SCA purports to permit the government to obtain such emails warrantlessly, the SCA is unconstitutional”).

[5] 5-22 Computer Law § 22.03.

[6] Id.

[7] Rule 41 “directs ‘the magistrate judge or a judge of a state court of record’ to issue the warrant to ‘an officer authorized to execute it.’ And insofar as territorial reach is concerned, Rule 41(b) describes the extent of the power of various authorities (primarily United States magistrate judges) to issue warrants with respect to persons or property located within a particular federal judicial district. . . . Rule 41(b)(5) generally restricts the geographical reach of a warrant’s execution, if not in another federal district, to ‘a United States territory, possession, or commonwealth,’ and various diplomatic or consular missions of the United States or diplomatic residences of the United States located in a foreign state.” In re Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., 829 F.3d at 208 (internal citations omitted).

[8] Id. at 202.

[9] “When we find that a law does not contemplate or permit extraterritorial application, we generally must then determine whether the case at issue involves such a prohibited application.” In re Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., 829 F.3d at 216.

[10] Id.

[11] Id. at 213.

[12] Id. at 216.

[13] Id. at 216-220. Then, “[i]f the domestic contacts presented by the case fall within the “focus” of the statutory provision or are ‘the objects of the statute’s solicitude,’ then the application of the provision is not unlawfully extraterritorial. If the domestic contacts are merely secondary, however, to the statutory ‘focus,’ then the provision’s application to the case is extraterritorial and precluded.” Id. at 216.

[14] Id.

[15] Id. at 204.

[16] Id. at 220-221. Also note, Ireland was the “focus” even though the data could be accessed from the United States. Id. at 204.

[17] See, id. at 222.

[18] See, id. at 224.

[19] Id. (where, “the sole issue involved is whether Microsoft can thwart the government’s otherwise justified demand for the emails at issue by the simple expedient of choosing — in its own discretion — to store them on a server in another country.”)

[20] Id.

[21] In re Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., 829 F.3d at 225.

[22] Id.

[23] 5-22 Computer Law § 22.03 (2016).

[24] In re Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., 829 F.3d at 231.

[25] Id. at 232.

[26] See, id.

[27] In re Search Warrant No. 16-960-M-01, No. 16-960-M-01, 2017 U.S. Dist. LEXIS 15232 (E.D. Pa. Feb. 3, 2017).

[28] Id. at *9.

[29] Id.

[30] Id. at *34.

[31] For example, the court echoed the practical difficulty the Microsoft court encountered with using the mutual legal assistance treaty process (“MLAT”). Yet, the Google court pointed out that the MLAT was not even an option because the data does not reside in any one country. In re Search Warrant No. 16-960-M-01, No. 16-960-M-01, 2017 U.S. Dist. LEXIS 15232 at *34.

[32] Id. at *38.

[33] See, id.

[34] Id. at *38.

[35] Microsoft Corp. v. United States (In re Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp.), 829 F.3d 197 (2d Cir. 2016).

[36] NOTE: Cloudy Privacy Protections: Why the Stored Communications Act Fails to Protect the Privacy of Communications Stored in the Cloud, 13 Vand. J. Ent. & Tech. L. 617, 648.

Advertisements

Comments are closed.