HOW WILL THE MICROSOFT EMAIL RULING IMPACT COMMUNICATION PROVIDER COOPERATION WITH LAW ENFORCEMENT?
On July 14th the Second Circuit Court of Appeals issued a ruling in the case of Microsoft v. US that could impact all communication service providers (CSPs) that store communications content (e.g. email or voice mail). The ruling held that if a U.S. law enforcement agency (LEA) serves a valid warrant on a CSP to obtain a criminal suspect’s email content, and the CSP stores the content on a server outside the U.S., the CSP must not disclose the information.
Does the Microsoft v U.S. ruling impact other CSPs? The following Q&A explores the implications.
(Note Subsentio is not a law firm and therefore does not provide legal advice. If you have legal questions about your law enforcement support obligations, consult your in-house counsel or law firm with relevant expertise.)
- Q: If I store all my subscribers’ communication content abroad, should I routinely refuse to comply with US warrants for the data?
A: The Microsoft case changed communication privacy law only in the second circuit, which covers six federal districts in New York, Connecticut, and Vermont. In all other circuits (there are nine in all, plus the D.C. circuit) the law remains unchanged.
The Department of Justice (DOJ) may appeal the Microsoft ruling before the Supreme Court. If the Court upholds the ruling it will be followed by all circuits nationwide. If the Court strikes down the ruling, the nationwide law will revert to the status quo pre-Microsoft.
The DOJ may alternatively let the Microsoft ruling stand. Then the same legal issue may arise before other circuit courts. Those other circuits may issue rulings that differ from the second circuit. A split among the circuits could complicate the CSP’s compliance task, at least until the Supreme Court or Congress steps in to clarify the law.
- Q: Is there any stronger due process standard than a warrant that the LEA could serve on me to obtain the data?
- Q: Am I required to prove to the LEA that the requested data is stored abroad?
A: The Microsoft ruling doesn’t address this issue. Certainly, an LEA cannot determine independently whether a CSP’s data is stored abroad. A separate discussion would be needed to explore the consequences of withholding information from LEAs.
- Q: What if I tell the LEA the data is stored in a foreign country, and the LEA asks me to name the country?
A: This is another unknown. Privacy laws protect the location of your subscribers but do not address the location of their communications content. If you name the foreign nation, the LEA may approach the nation’s law enforcement leadership and ask them to obtain the targeted data through their own channels of due process and privacy protection.
- Q: I rely on a global cloud computing provider to store my subscribers’ communications content, so I don’t know where the content is stored. Must I research the issue in response to each warrant?
A: A cloud provider may store your data entirely in the U.S., partly in the U.S., or entirely abroad. In addition, providers use back-up data centers in case the primary ones malfunction. It seems unrealistic to expect CSPs and their cloud vendors to conduct a content storage investigation each time the CSP receives a warrant. But until Congress or the courts provide further guidance, industry must fend for itself.
- Q: How will my trusted third party (TTP) for LEA support know how to respond to LEA requests for my stored content?
A: Your TTP has no way of knowing if your subscriber data is stored domestically or abroad unless you tell them. To avoid misunderstandings, call your TTP and discuss your data storage practices. The TTP may then adapt its policies to meet your needs.
- Q: Does it matter whether the subscriber is an American citizen or whether he or she is located in the US?
A: No. The law hinges solely on whether the targeted data is stored in the US.
- Q: What if the warrant is signed by a state court judge?
A: The Microsoft case did not change the laws governing state-level warrants.
- Q: Did the Microsoft ruling change the rules for federal or state subpoenas?
A: No. Unlike U.S. warrants, U.S. subpoenas remain empowered to gather investigative information stored overseas. A subpoena typically requests subscriber information other than communications content or the subscriber’s location. Examples include the identities of the communicating parties, as well as the dates, times, and durations of their communications.
- Q: Will the Microsoft case reduce my LEA assistance burden?
A: Maybe not. If an LEA cannot gather the investigative information it needs through a warrant for stored communications content, it may have to rely more heavily on alternatives such as subpoenas and real-time lawful electronic surveillance. Those work-arounds could add to the time and cost burden for both LEAs and CSPs.
- Q: Could an LEA require me to store my subscribers’ communications content in the U.S.?
A: The federal statutes governing stored communications do not address the issue. In the absence of statutory authority, an LEA cannot order you to store your content in any particular place.
- Q: What if my privacy-minded subscribers ask me to store their communications content abroad?
A: CSPs are not required to store communications content in the U.S. And foreign storage would help keep the information out of U.S. government reach. However, the pro-privacy strategy would work only for purposes of warrants signed in the second circuit. Even then, the information would still be obtainable through the international LEA process noted above. Moreover, many foreign LEAs, including those in Europe, have powers just as great, if not greater, than U.S. LEAs to access communications data.
Before shifting content storage to an overseas data center, a CSP should also consider the cost of building the foreign facility or leasing capacity in an existing facility, the impact on network management and cyber security, and the demands of the particular customer base. Some customers may expect you to cooperate fully with LEAs for the sake of public safety, especially considering the recent incidents of violence around the world.