This morning, the United States Supreme Court heard oral argument on a case that could decide the fate of the Cloud, the Internet, and the fate of the free world. Or not. The case deals with the thorny issue of “data sovereignty,” that is, whether the location of the data impacts the ability of governments to obtain the data.
In United States v. Microsoft, the US government served a Court order (technically a search warrant) to the Redmond, Washington giant for disclosure of the contents of email communications by users of a Microsoft-based email client in Europe. Because the users were in Europe (or at least appeared to be in Europe) Microsoft stored the emails in its European database in Dublin, Ireland.
The Court appeared skeptical of the arguments made by Microsoft that the records in Dublin could not (or would not) be produced pursuant to a Court order in the United States. After all, several Justices asked, couldn’t the government just execute the warrant at Microsoft’s offices in Redmond, Washington and log in and call up the records located in Dublin? I mean, what does “location” have to do with data online? Isn’t it really about accessibility?
Location, Location, Location?
This case is not about whether or not the US government can obtain the contents of email communications stored in Dublin. It can. The United States and Ireland have what is called an “M-LAT” or an agreement on Mutual Legal Assistance in Criminal Matters that allows the US government to request the cooperation of the Irish Department of Justice, Equality and Law Reform in obtaining evidence located in Ireland.
In addition, the US Department of Justice has the authority to request what are called “letters rogatory” of the Courts of Ireland essentially asking the Courts in Dublin to issue a search warrant to Microsoft in Ireland compelling the Dublin entity to produce the records to the Dublin Court, and then to the Irish prosecutors, and then to the US Court, and then to the US prosecutors. As you can imagine, a time consuming undertaking. But that’s the problem you have when you have files in one country wanted by another.
You Know, Sovereignty.
After all, we wouldn’t like it if the Espoo, Espo Finland District Court were to issue an order to Nokia compelling them to produce the contents of your Nokia 8110 “Matrix” cell phone because the phone was manufactured by a company with a headquarters in Finland. What’s worse, imagine having an apartment in Manhattan where the building is owned by some US holding company. Unbeknownst to you, that holding company is owned by some Swiss holding company, which is itself owned by some Russian oligarch. Because the oligarch is subject to Russian law, under the analogy posited by the government in the Microsoft case, a Court in St. Petersburg could order the oligarch to enter your apartment, take and copy your files, and produce them to the court in Russia. It seems absurd when it comes to physical records, but this is what Microsoft is being asked to do because the records are electronic.
But, as the Supreme Court struggled with, does the concept of “data location” make any sense in a modern world?
Where Is Your Data?
In the Microsoft case, the United States Attorney’s Office in Manhattan was pursuing a criminal investigation and wanted access to some Hotmail or “live” (another MS domain) emails. Because they sought the contents of the emails (and not just metadata) they needed a search warrant based on probable cause, which they obtained from a Magistrate in Manhattan.
The Federal Rules of Criminal Procedure generally limits a search warrant’s execution to the district in which the Court sits – so a Federal Court in Manhattan cannot issue a search warrant for a search across the Hudson in New Jersey, or across the East River in Brooklyn or Queens (the Harlem River to The Bronx is fine, by the way because Manhattan and the Bronx and parts of Westchester and Rockland Counties which are in the same federal district).
There are special rules for searches of property in the district that might move outside before the warrant is executed, terrorism cases where the property is outside the district, installing tracking devices that might move in and out of the district, diplomatic or consular searches and, this being the 21st century, the rules provide that a magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if:
(A) the district where the media or information is located has been concealed through technological means; or
(B) in an investigation of a violation of 18 U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts.
In layman’s terms, in an electronic evidence case, if you can’t figure out where the files are, or in a hacking case involving lots of computers around the country, a judge in one district can issue a warrant outside the district. Note that none of these explicitly permit the execution of a US search warrant outside the United States. No FBI agents wearing navy windbreakers with bright yellow F.B.I. (Helvetica, sans serif) writing show up at the sleek silver office building near the Leopardstown racecourse south of Dublin and start seizing Microsoft records. Or technically, the records of the people the prosecutors in New York want, stored by Microsoft.
A sovereign cannot extend its authority beyond its borders without guns, rockets, planes, etc. If a prosecutor in New York wants records in Ireland, it has to get them from an Irish court, prosecutor, or friendly cat burglar.
Seems simple, no? It’s not. The problem lies in the nature of distributed systems and electronic records. Now, if the government wanted MICROSOFT’s corporate records, it would be easy. Microsoft is a U.S. company and subject to US law. A subpoena to Microsoft could compel the Washington State entity to produce ANY records within its possession, custody or control worldwide. This would likely (but not inevitably) also be true for its corporate affiliates and subsidiaries. Note that I said “subpoena” not “warrant.”
A subpoena is a court order to the entity (Microsoft) compelling THEM to do something – produce a record in their possession, custody or control. It is likely that the Dublin records OF Microsoft would be deemed in the possession, custody or control of the Redmond parent, and therefore a subpoena to Redmond could compel production of MS records in Dublin. However, a search warrant by a Court in New York is essentially an order to New York cops (or FBI agents) authorizing them to conduct the search – in New York. In the case of a warrant, the “subject” of the warrant – whether it’s the emailer or the repository (Microsoft) is compelled to do nothing except get out of the way – or in a few cases, to provide “technical assistance” to the police if that is ordered by the Court.
On the Internet, you don’t want the cops sitting at your keyboard. You would much prefer if they tell you what records they want, and then YOU pull the records up. More like a subpoena than as a warrant. That way the cops only get what is called for under the warrant, and can’t “grab everything and sort it out later,” a common procedure for a search warrant for electronic evidence.
So if the Court rules that search warrants in the US can reach documents outside the United States provided that (1) those records are accessible in the US; by (2) a company either headquartered in the United States, or with assets in or significant ties to the US, what will this mean?
For people already in the United States, not much. Your records are already likely in the United States and subject to subpoena or warrant here. For people outside the United States it means that your data is not protected from compelled production by Courts in the United States. A German’s email to an Austrian can be produced in the United States if the email provider, storage provider, router manufacturer or someone else with the ability to produce that email has a corporate identity, affiliate, office, bank account, or second cousin twice removed in the United States. It means that people who care about privacy will stop using US corporate entities. Of course, not using US corporate entities won’t necessarily help since the Supreme Court ruled in 1990 that when U.S. government agents conduct searches outside the United States of non-US citizens, they don’t even need a warrant.
You Can’t Produce What You Can’t See
Ultimately, the issues in this case should have been decided by Congress who could have solved or at least ameliorated the problem. In fact, the Supreme Court complained that Congress should have done that. Good luck with that. But if the Court rules (as expected) that a warrant can reach foreign records accessible here, you can expect a few things.
First, if the test is one of “warrant + ability to access” then you can expect law enforcement agents to seek, and courts to order, warrants to hack foreign accounts – why wait for Google or Facebook or Microsoft or AOL to produce records when you can just grab them yourself from anywhere in the world? I mean, that’s what a warrant is – and order to “steal” the records, right?
Second, this may increase the likelihood of true customer-controlled encryption. Your Microsoft email account can be produced to the FBI, DEA, DHS, or Bronx County Sheriff’s office, BUT – and this is a big BUT – all of the files held by MS would be encrypted in a way that MS could not decrypt. That technological “fix” (if you think law enforcement access is a problem in need of a fix) would exist any time law enforcement sought access to files in the hands of a third party. At that point, if the US Government wanted access to the now encrypted files, it would either need to get the data subject to decrypt the records, or have some dude in Fort Meade, Maryland figure it out.
The Court is likely to rule on this case some time in late June. Until then, try keeping your electronic records somewhere safe. And as soon as I figure out where that is, I’ll let you know.