Microsoft wins appeal over US government access to emails held overseas

Decision has broad implications for tech companies and consumer privacy

Microsoft's Ireland server search warrant case has been scrutinized in the US and Europe.
Credit: IDGNS

A U.S. appeals court has quashed a search warrant that would have required Microsoft to disclose contents of emails stored on a server in Ireland, in a case that has broad ramifications for privacy, diplomatic relations and the ability of American companies to sell web services abroad.

"We think Microsoft has the better of the argument," said Circuit Court Judge Sarah Carney, in an opinion written for a three-judge panel of the U.S. Court of Appeals for the Second Circuit in New York.

The panel based its judgment on the 30-year-old U.S. Stored Communications Act. The act, Carney wrote, "does not authorize courts to issue and enforce against U.S.‐based service providers warrants for the seizure of customer e‐mail content that is stored exclusively on foreign servers." The opinion was posted Thursday.

Microsoft in 2014 asked the appeals court to reverse a ruling requiring it to turn over the emails, sought by law enforcement as part of a drug-trafficking case. The name and country of residence of the person whose email is being sought has not been revealed.

The case has had the U.S. technology industry worried. American tech companies have said they will not be able to sell web-based applications and services abroad if they can’t keep U.S. officials from unilaterally seizing records stored in foreign countries. In addition, a ruling for the U.S. government, they said, could clear the way for foreign governments to order local companies to hand over data stored in the U.S.

"This is a big case -- the technology companies have a very good point," said Robert Cattanach, a partner at the international law firm Dorsey & Whitney, noting that Europe is looking more carefully than ever at international data transfer rules.

In October last year, the Court of Justice of the European Union declared invalid a "safe harbor" agreement, on which thousands of companies including Google, Facebook, and Apple rely for the transatlantic transfer of personal data. The court ruled that the accord inadequately protected the privacy of EU citizens.

The U.S. and the EU, meanwhile, have negotiated a new pact, called the Privacy Shield data protection agreement.

Given the turmoil in the legal arena, ordering U.S. service providers to turn over data stored abroad could make them run afoul of foreign laws, Microsoft lawyer E. Joshua Rosenkranz said in a letter to the appeals court.

Tech companies, lobbying groups and media associations have written briefs to support Microsoft’s position, including Verizon, Apple, Accenture, Rackspace, the American Civil Liberties Union and the German Magazine Publishers Association, known as VDZ.

The case goes back to December 2013, when Magistrate Judge James Francis of the District Court for the Southern District of New York authorized a search warrant for all emails and other information belonging to the Microsoft user under investigation. Microsoft complied by providing non-content information held on its U.S. servers but after it determined that the account was hosted in Dublin, it filed to quash the warrant. It argued that U.S. courts are not authorized to issue warrants for extraterritorial search and seizure.

Microsoft also argued that to obtain data stored abroad, the U.S. government should turn to mutual legal assistance treaties, or MLATs. The U.S. has MLATs, which are separate from the Safe Harbor accord, with Ireland and the EU. In addition to the Privacy Shield agreement, Microsoft has cited the broad new General Data Protection Regulation, due to go into effect in 2018, to support its claim that the U.S. government should use inter-governmental agreements rather than a warrant to require technology companies to turn over data stored in the EU that are required for an investigation.

The government countered that the location of records is irrelevant under the Stored Communications Act, which was passed as part of the 1986 Electronic Communications Privacy Act and was the law on which the court relied to issue the warrant. If territorial restrictions applied to SCA warrants it would be very easy for criminals to evade investigations, the government said.

Otherwise, relying on MLATs would dramatically slow down and undercut investigations, the government said. The MLAT process is subject to national laws, can be lengthy and a country can deny assistance to a nation with which it has a treaty for a variety of political, security or other reasons.

In April 2014, Judge Francis sided with the government, saying that the order to produce the emails stored in Ireland was "not a conventional warrant; rather, the order is a hybrid: part search warrant and part subpoena." It is obtained like a warrant, with a judge finding probable cause that the records requested would provide evidence of a crime, but it is executed like a subpoena, since it is served directly on the company and does not involve federal agents seizing and searching company servers.

"It has long been the law that a subpoena requires the recipient to produce information in its possession . . . regardless of the location of that information," Francis wrote.

Francis also said the "search" would take place only when the emails were opened and read, and that would be in the U.S.

However, in the appeals court decision, Judge Carney rejected these arguments: "When, in 1986, Congress passed the Stored Communications Act as part of the broader Electronic Communications Privacy Act, its aim was to protect user privacy in the context of new technology that required a user's interaction with a service provider. Neither explicitly nor implicitly does the statute envision the applications of its warrant provisions overseas."

This is the second time Microsoft has appealed a decision against it in the case. The company appealed Francis' ruling but in July 2014, District Court Judge Loretta Preska, also of the Southern District of New York, rejected the company's appeal. Preska ruled that Microsoft would not have to turn over the emails while it filed another appeal, this time to the U.S. Court of Appeals for the Second Circuit.

To comment on this article and other CIO content, visit us on Facebook, LinkedIn or Twitter.
Download the CIO October 2016 Digital Magazine
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.