Supreme Court Could Limit Law Enforcement’s Reach in the Cloud

Government attorneys will ask the U.S. Supreme Court to decide for the first time Tuesday how far U.S. warrants can reach into the global data storage networks maintained by modern internet companies.

Whatever the court decides, it’s likely to ratchet up pressure on Congress to finally update the three-decade-old law that tech companies and national security hawks both agree is ill-suited for an era of global internet firms and cloud computing.

In the case at issue, United States vs. Microsoft, the Washington state tech giant refused to comply with a Justice Department warrant for customer emails stored in a data center in Dublin.

According to Microsoft, the law the government used to justify the warrant, the 1986 Stored Communications Act, doesn’t extend outside U.S. borders. Just like physical files in a Dublin filing cabinet, Microsoft argued, the emails are only governed by Irish law.

The Stored Communications Act—and the Electronic Communications Privacy Act, which is contained within it—largely predate the internet era in which people routinely consign their most personal communications to commercial email and app providers.  

If the Justice Department wants to get ahold of the emails, Microsoft said, it should ask Irish police to write a warrant for them and then pass them along using a process known as a Mutual Legal Assistance Treaty, or MLAT. MLATs are notoriously slow and often hindered by diplomatic disagreements—especially between the U.S. and its ideological adversaries such as Russia and China.

The Justice Department argued that the emails aren’t really outside the U.S.’s digital borders because Microsoft employees could retrieve them simply by pressing a few buttons at the company’s Redmond, Wash., headquarters.

The government’s argument won before a magistrate judge and at a federal district court in New York City but was overturned in favor of Microsoft by the U.S. Court of Appeals for the Second Circuit.

Now, the case is poised to be one of the most complex technology cases to ever reach the high court, which has tackled GPS tracking and cellphone searches in recent terms.

A Bad Result Either Way

If the Supreme Court upholds the Second Circuit decision, that would bar U.S. warrants from reaching emails and other communications that are vital to crime and terrorism prosecutions, government attorneys say. A government loss would likely spur an outcry by Justice Department officials and swift action by Congress, attorneys and advocates favoring both sides of the issue told Nextgov.

“The likely immediate consequence is the DOJ sending an army of prosecutors in the halls of Congress seeking legislation to reverse the court’s decision,” said Greg Nojeim, senior counsel for the Center for Democracy and Technology.

A pro-government decision, however, would produce problems of its own, said Michael Vatis, a former top cyber and national security official at the FBI and Justice Department.

First, it could spur other countries to pass or implement similar laws that would give them broad access to U.S. citizens’ information held by companies with offices in their countries, potentially damaging Americans’ privacy.

Second, it could spur countries to pass “blocking statutes” that bar companies from turning over to U.S. law enforcement digital information that resides within their borders—essentially forcing U.S. companies to choose between violating U.S. laws or a host country’s laws.

Both Nojeim and Vatis would prefer that the Supreme Court rule in Microsoft’s favor. They would also like, however, for Congress to ameliorate that decision with new legislation that allows overseas data warrants in limited circumstances.

Nojeim’s organization, the Center for Democracy and Technology think tank, filed a friend-of the-court brief advocating for a Microsoft win. Vatis, who’s now a partner at Steptoe and Johnson, wrote a pro-Microsoft brief on behalf of a group of legal scholars who focus on Fourth Amendment protections against unreasonable search and seizure.

Jennifer Daskal, a former top national security attorney at the Justice Department, would prefer a government win. She hopes, however, that the justices also make clear that judges shouldn’t approve overseas warrants willy-nilly with no thought to how those warrants might damage international relations.  

“The problem with a government win is that it will, at least, be perceived as the U.S. saying ‘we can access data anywhere without regard to the interests of others,’ ” said Daskal, who’s now a law professor at American University.

“Hopefully that’s not how it will operate,” Daskal said. “If a U.S. warrant conflicts with a foreign government’s law, then courts should take that into account in deciding whether to issue the warrant and [while considering] the scope of the warrant.”

Like Nojeim and Vatis, Daskal would prefer that Congress update the Stored Communication Act to allow certain overseas data warrants, but she acknowledges there will be less pressure for congressional action following a government victory.

A Problem Congress Hasn’t Fixed

Unlike some other showdowns between tech companies and law enforcement, such as the battle over encrypted communication systems, Microsoft and other tech companies have generally favored compromise legislation that allows warrants for overseas data in certain cases. Industry and privacy groups have generally followed suit.

Yet, legislative proposals to update the Stored Communications Act in response to the Microsoft case have failed to gain traction in three successive congresses.

The most recent iterations of those bills would authorize overseas data warrants but also give data companies and the countries where that data is stored an opportunity to object in a U.S. court. A judge would then decide “whether, in the interests of international comity, the warrant should be modified or quashed,” according to the Senate version of the bill sponsored by Sen. Orrin Hatch, R-Utah.

That’s similar to the balancing act between the desires of law enforcement and international relations that Daskal said she hopes the Supreme Court will highlight.

Both Hatch’s bill and the House version this session are called the Clarifying Lawful Overseas Use of Data, or CLOUD, Act. The Senate bill won quick praise from Microsoft, Google and other tech firms as well as from industry groups such as the Information Technology Industry Council.

The president’s Homeland Security Adviser Tom Bossert and his British Counterpart Paddy McGuinness also penned a joint Valentine’s Day op-ed in the New York Times endorsing the bill.

Nojeim’s group, the Center for Democracy and Technology, opposed the CLOUD Act, though it had supported other legislative fixes in earlier congresses.

That opposition is largely based on the fact the bill fails to close a separate Stored Communications Act loophole that allows law enforcement to obtain emails that are more than 180 days old without a warrant.

Under the 1980s-era logic of the law, those emails are considered abandoned by their owner and only require an administrative subpoena for access that hasn’t been reviewed by a judge.

That loophole would have been closed by a separate bill, the Email Privacy Act, which passed the House in both 2016 and 2017 but has yet to reach a floor vote in the Senate.

The Google Problem

One additional wrinkle is that the Microsoft case—while far more complex than what lawmakers envisioned when the Stored Communications Act passed in 1986—is likely the simplest version of the problem law enforcement faces with international data storage in the cloud computing era.

In the Microsoft case, as far as the public knows, all of the emails the Justice Department is seeking are in a single data center in Ireland—presumably placed there based on the account owner’s location.

In other cases, data storage is far more complex.

Google, for example, is widely believed to “load balance” customer data, shifting it from one location to another throughout the day to maximize server space and utility. In other cases, companies “mirror” data in multiple locations so there will be a safe copy in one location if a digital or natural disaster destroys the version in another location.

Finally, Google and other companies are also believed to “shard” data—for example, by splitting up text and images from the same email or web page—also to maximize storage efficiency.

That means, theoretically, if the Justice Department was pursuing a child pornography case, the incriminating images could be in one legal jurisdiction while incriminating email messages are in another.

All of these problems are likely to grow even more difficult as the internet grows larger and more complex.

That means that a Supreme Court victory, whether for Microsoft or the government, will still leave many questions unanswered—especially if the court rules narrowly on the facts of the Microsoft case.

That, in turn, will kick many significant questions back to Congress.

“In an ideal world, Congress would be updating these laws much more quickly,” Daskal, the former Justice official, said. “This is one of many updates that folks on the Hill have been working on that have been languishing in Congress for far too long.”

Despite the long lag time, Daskal said she’s “cautiously optimistic” that a ruling in the high court case will push congressional action.  

“We have major tech firms and the government agreeing on a way forward,” she said. “We have big players coming together in a way that I think is quite beneficial for security and privacy over the long term.”