The Profound Implications of U.S. v. Microsoft

In the world of privacy and global digital communications, the case of the United States v. Microsoft is a big deal. In June 2016 Microsoft won a victory in the case in the U.S. 2nd Circuit. This week, the U.S. Supreme Court surprised many when it announced that it granted a petition to review Microsoft’s victory. The U.S. Supreme Court’s decision to review the case is remarkable given that there was not a conflicting decision, often called a circuit split, in the lower courts.

What’s at stake? A lot. This case, no matter how decided, will be a landmark privacy case. The details of the case are as nuanced as they are arcane; the issue is whether email providers who store data abroad must comply with a probable-cause-based warrant issued in the United States, under U.S. law. Said another way, the core question in dispute here is whether the U.S. government can force companies to give the government access to data it seeks, even though that data resides on servers that the U.S. government could not otherwise access. In the Microsoft case, the servers in question were located in Ireland. This case presents a messy microcosm of many of the legal and practical tensions of modern global digital communications.

As a general rule, unpredictable consequences often arise from how old law interacts with modern technology. In this case, distributed, global digital network architectures and remote storage practices are a significant complicating factor. Fourth Amendment scholar Orin Kerr has written an intriguing take on the network architecture angle of this case, noting that some data providers have a fluid network architecture approach to data location and storage, whereas other providers have stricter “data localization” policies. (See Orin Kerr, The Surprising Implications of the Microsoft/Ireland Warrant Case, Washington Post, 29 Nov. 2016.)

Data localization is a (controversial) topic unto itself, but the overall gist here is that there is not a one-size-fits all approach to data storage, including storage of emails. Just because an email originated in the U.S. does not necessarily mean that all providers will always store the email in the originating geography.

Further key complications in the case arise from the fact that in the U.S., the laws the case relies on — including the Electronic Communications Privacy Act of 1986 and the Stored Communications Act — are ancient, predating modern email practices, predating cloud computing, and predating modern remote storage practices. To put a law written in 1986 into context technically, think of Internet history: the Domain Name System (DNS) had just begun in 1984, and in 1987, the number of then-Internet hosts was a mere 10,000. Email was just beginning to encircle the globe; the first email was sent from China to Germany in September of 1987. (See China’s first email link, Jay Houben, New School of Global Journalism.)

Contrast the 1987 landscape with today. Now, billions of people are active online, with more than a billion users accessing popular social media sites each month, and in excess of a zettabyte of Internet Protocol data flowing globally. (See Hobbes’ Internet Timeline for more Internet history and statistics.) The digital environment between 1987 and today is different on a scale that would have been nearly impossible for lawmakers to envision.

A long-awaited and much-needed Congressional update to these regulations could have a potential impact on the long-term outcome here, in addition to potential impacts from any SCOTUS actions. But updates to ECPA and SCA may not be enacted anytime soon.

This case deserves attention, robust dialogue, and meaningful, serious effort towards unraveling and understanding the complex problems of modern digital ecosystems. It is not enough to just say that laws are out of date; that is a fair starting point, but this case reminds us that we need to be proactively and cooperatively looking for solutions to the problems we know about. There will be plenty of new issues down the road, and they will likely be just as unexpected as the ones on hand in U.S. v Microsoft. But today, let’s begin to discuss this case and understand its nuances so that we can find solutions.

-Pam Dixon

Key Reading:

Supreme Court of the United States, United States v. Microsoft Corp.

The SCOTUS United States v. Microsoft page links to the full briefs and reply briefs, as well as other documents.

From the SCOTUS U.S. v Microsoft page:

“Issue: Whether a United States provider of email services must comply with a probable-cause-based warrant issued under 18 U.S.C. § 2703 by making disclosure in the United States of electronic communications within that provider’s control, even if the provider has decided to store that material abroad.”

Full SCOTUS list of proceedings and orders in United States v. Microsoft Corp:

2nd Circuit, Microsoft v. United States

Microsoft v. United States, United States Court of Appeals for the Second Circuit, decided July 14, 2016.

Full document:

Microsoft Blog post about SCOTUS review

Brad Smith, President and Chief Legal Officer, Microsoft, Oct. 2017:

“In July 2016, the Court of Appeals for the Second Circuit agreed with Microsoft that U.S. federal or state law enforcement cannot use traditional search warrants to seize emails of citizens of foreign countries that are located in data centers outside the United States. Today, the Supreme Court granted the Department of Justice’s petition to review Microsoft’s victory. This is an important case that people around the world will watch. We will continue to press our case in court that the Electronic Communications Privacy Act (ECPA) – a law enacted decades before there was such a thing as cloud computing – was never intended to reach within other countries’ borders.”

Brad Smith, US Supreme Court will hear petition to review Microsoft search warrant case while momentum to modernize the law continues in Congress, Microsoft Blog, 16 Oct. 2017.

Full document