When asked about the Internet, Gertrude Stein famously remarked, “there is no there, there.” Well, maybe it wasn’t about the Internet.
On September 7, in a federal court in New York, Microsoft indicated that it was not going to comply with an order from the Court compelling it to produce to the United States government certain documents and records it may or may not hold on a server in Dublin, Ireland.
This refusal sets up an appeal of the order of the District Court, which would have mandated such production. Which raises the question — is physical location important online? The answer is, like the answer to all legal questions — it depends.
This one is big, though. It could change the Internet. For real.
It means that documents of any company stored anywhere in the world could be compelled to be produced by law enforcement, lawyers, litigants, courts or administrative agencies anywhere else in the world.
It means that the Chinese government can compel Amazon to produce the business records of Boeing stored on an Amazon server in Seattle because Amazon does business in Beijing. The location of the records sought no longer matters.
The subject matter of the investigation no longer matters. The nationality of the document owner, sender or recipient no longer matters. All that matters is whether the company sought to be compelled to produce the records in one country can be said to have “possession, custody and control” over these records. If so, they must produce.
Under the ruling, Microsoft must produce the records to a US prosecutor NOT because the email was sent and/or received in the United States, not because the subject of the investigation or the sender or recipient was a US citizen or subject to US law, and not because the companies that are the subject of the investigation are US companies or connected in any way with the United States.
In fact, Microsoft must produce the emails (in this case, but the rationale is not limited to communications) because IT — Microsoft — as the “holder” of the records is subject to the jurisdiction of the US courts. And it’s not just because Microsoft is a US company. Any company, anywhere in the world that either “does business” in the US or “transacts business” in the US subjects not only themselves, but also anyone whose records they maintain or can access to the long arm of the US law.
These terms mean different things. In the first case, “does business,” the company has systemic contacts in the US so that you can say that they “exist” in the US irrespective of where they are incorporated.
These systemic contacts need not relate to the thing about which they are being forced to produce documents. And these “minimum contacts” can be completely virtual.
So a Bulgarian ISP that allows people in the US to sign up for service can subject their Bulgarian clients to subpoenas for their Bulgarian email because the Bulgarian company has “minimum contacts” in the US.
In the second case, where a company “transacts” business in the US, the same Bulgarian ISP may have only incidental contacts with the US — say, one customer.
The US government could not say that the company “exists” in the US, but it could subpoena the records related to any transactions that touch the US.
This is what the law calls “personal jurisdiction.” For a non-corporate human being, we look to things like residence, physical location, domicile, and citizenship.
For a corporate person, we look at incorporation, principal place of business, and “contacts.” If there is “personal jurisdiction” the US government has the power to compel.
Even if there isn’t, the US government has the power to sanction. Take the case of the US company Yahoo! The government wanted them to pony over tens of millions of records which the government thought were related to terrorism, and which Yahoo! thought were protected by the Fourth Amendment.
When Yahoo! refused and noted its intention to appeal a super-secret court decision compelling production (on the grounds that, of course the NSA would not overstep their authority!) the Justice Department threatened to level a daily fine of a quarter million dollars on the ISP.
Same could be done to a foreign ISP — even if they have no connections whatsoever in the US, if they have an affiliate, a subsidiary, a business partner, a bank account, or any assets whatsoever in the US that we can seize. Borders? We don’t need no stinkin’ borders! We’re the federales! So when the US government wants something, odds are it’s going to get it.
The Stored Communications Act
In a narrow sense, the Microsoft case asks a simple question. Does the Stored Communications Act, 18 USC 2701, that permits the U.S. government to demand or subpoena stored electronic communications (e-mail) from ISPs apply extraterritorially – that is, to communications that are stored overseas? Looking at the purposes of the statute and the nature of communications, the New York federal court said yes. Part of the reason that the court could apply the SCA to documents in Dublin is that the documents were said to be in the “possession, custody and control” of Microsoft. It’s bits and bytes. In today’s cloud environment, who cares if they are in Duluth, Dubai or Dublin, right?
But that’s way too narrow a way to read the import of the case.
The case represents the confluence of a number of factors and the law. First is the nature of outsourcing — our records, and records about us are held by third parties like Google, AT&T, Microsoft, etc., as well as cloud providers like Google, Amazon, HP and others. When our records are in the cloud, they come into the “possession, custody and control” of not only us but the third party “custodian.” Thus, the third party custodian can be compelled to produce our records.
Second is the fact that the Internet in general and the cloud in particular do not respect national borders. This means that documents are no longer merely “held” on a server in a particular location. They are stored in many locations — or none at all. They exist in the ether. The cloud. But superimposed over the cloud is the fact that countries want to enforce their own laws and compel production of records not only within their jurisdiction, but that are relevant to violations of their own laws or other matters. The Internet and cloud do not respect national borders.
Third, there is the confluence between the subpoena and the warrant — particularly for electronic evidence. A subpoena and a warrant are two different kinds of court orders altogether, and which one is used makes a giant difference.
The facts of the case are relatively simple. The US Department of Justice in Manhattan wanted some e-mails of a Microsoft subscriber in relation to an investigation of some crime in the U.S. It’s not clear whether the emails were sent and received in the US, or whether the subjects or targets were US citizens.
In the case, titled In re: A Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp, (SDNY, Dkt No. 13-mj-02814), Microsoft claimed that it could not be compelled to produce the records of emails which were physically located on a server in Dublin, Ireland.
The court disagreed, finding that the United States Stored Communications Act, 18 USC 2701, authorized a U.S. court to issue an order compelling a company like Microsoft to produce documents within its “possession, custody or control” irrespective of the physical location of those records.
In essence, the Court ruled that the statute has “extraterritorial application.” Therefore, the actual “physical” location of the records (if there really is a physical location) is irrelevant. What is important is that, if Microsoft chose to, it could access and produce those records.
Since Microsoft, both as a US company, and as a company with locations in the US, is subject to the laws of the US, they must comply with the order under the Stored Communications Act.
You have to have some sympathy for the US Court and for the DOJ. If you permitted companies to “hide” records on overseas servers, then we would effectively create document havens. Companies would store records on servers on the Isle of Man, or in Antarctica, and would be able to duck production of these records just about anywhere. There is no there there. As long as the government can get some hook, it can compel production.
Whose Records Are They, Anyway?
This makes perfect sense IF the government is seeking production of the records of Microsoft. Governments frequently compel entities to produce their overseas records (like bank records, etc.) even if they create them through overseas subsidiaries. Years ago I worked on a case where the US prosecutors wanted records of a Bahamian bank whose parent company was a Canadian bank who also had a subsidiary in New York (everyone following along? Good.)
The US prosecutors used the fact that the US bank could ask its Canadian parent to get the records from its Bahamian sibling (see, corporations ARE people) to say that the New York entity had the Bahamian records in its “possession, custody and control” (or at least the ability to get them) and therefore they were subject to subpoena in the US.
That’s fine for the bank’s records. But what about records that an entity is holding for another entity. Like cloud documents. Or e-mail.
IMHO, that’s a different kettle of fish. But not to the Court in the Microsoft case.
Well if You’ve Got A Warrant, I Guess You’re Going to Come In…
The SCA allows the government to subpoena — compel the recipient to produce — the emails stored on its servers. By ruling that the SCA was extraterritorial, the court simply meant that the SCA authorized compelled production of emails on the recipient’s servers anywhere in the world.
The problem here lies with a subpoena. I can subpoena the Bank of Nova Scotia for ITS records (even its bank records for you). I can’t subpoena the Bank of Nova Scotia for the contents of your safe deposit box. For that, I need a warrant.
Even though the contents of the safe deposit box are in the bank’s possession, custody or control, the bank lacks the legal authority to produce them. Sure, the government could subpoena YOU for the contents of your safe deposit box. But not the bank.
Think of your apartment. The government could subpoena you for the pot you keep in the top right drawer of the nightstand. (Might be some 5th Amendment issue with production). Or they could get a warrant to search the apartment. They can’t, however, serve a subpoena on the landlord, and compel the landlord to search your apartment for the pot, and produce it. Even if the lease allows the landlord to, under certain circumstances, enter onto the premises and search. It ain’t his stuff.
Same goes for the Dublin emails. The government COULD get a search warrant in Dublin to search the servers and seize the verboten emails. They could serve a subpoena on the sender or recipient in the US. They could even use processes like MLATs (Mutual Legal Assistance Treaties) or Letters Rogatory to get an Irish order for production. But like the landlord case, Microsoft has no legal authority to produce these emails.
The problem here has to do with the difference between a subpoena and a search warrant. Or an order enforcing a subpoena and a search warrant. And that’s what the court gets completely wrong.
The Stored Communications Act permits the DOJ to get a SUBPOENA to an email provider compelling the provider to produce SOMEONE ELSE’S records. And that makes all the difference. And that is why the SCA is plainly unconstitutional.
An ISP has a bunch of information IT collects about you. It has your browsing history, your IP address, your physical location, your login data, your email metadata, routing information, etc. While this information is what the law calls CPNI (Customer Proprietary Network Information) and you have privacy interests in that data, let’s just say for argument’s sake that this is the ISP’s data.
A SUBPOENA to the ISP can compel them to produce their own data — even if this data is about you and your use of their services. The government can subpoena your doctor for your medical records, your bank for your financial records, and your drug dealer for your purchases and sales. This is because these are THEIR records. You can try to resist, or claim certain rights in the data, and you may have a legitimate claim.
That’s not what happened here.
What makes the SCA unconstitutional is that the SCA allows the government — with a subpoena — to compel an ISP or email provider to produce YOUR records, not theirs. Think about a law that would require your landlord to produce records contained in your apartment (by the way, your lease permits the landlord to enter your apartment for legal purposes). Or a law that would compel the owner of a self-storage facility to produce the contents of the storage facility. Or a law that would require Iron Mountain to produce records it was storing for a third party.
Quite frankly, while the landlord, the U-Haul or Iron Mountain has physical possession of the things in question, it has no LEGAL ownership. It has possession, but not legal possession.
What is worse, the standard for a subpoena — even under the SCA — is much lower than that for a search warrant. Although a subpoena LOOKS and SMELLS like a court order, in fact it is not. The government (and private litigants) has a desk drawer full of subpoenas in blank with the seal of the Court. To “issue” a subpoena, the party simply types in the name of the party it wishes to subpoena, the address, the stuff it wants, and then “serves” the subpoena on the other party. In many cases this is done by email or fax.
The Subpoena says, “The United States District Court” from somewhere, and that you are hereby “COMPELLED” by the court to, on a particular date and time, produce certain documents and records to the Court. Guess what? The Court has nothing to do with it. They don’t know that the subpoena has been issued. The prosecutor or other party just typed it up and faxed it. The subpoena does not enforce itself. If you ignore it, the other party must file a motion to compel production, or you can file a motion to quash. Only then does a court get involved.
What is worse, the government is ROUTINELY issuing subpoenas under the SCA compelling companies like Google, Yahoo!, AOL, Microsoft and others to produce YOUR email, and ordering them not to tell you about it. It’s not MICROSOFT’s mail. It’s yours. What’s worse, the mail could be privileged, confidential, protected by law, or whatever. Microsoft would have no way of knowing, and have no way of asserting privilege. They just comply. No muss, no fuss.
A search warrant on the other hand is what SHOULD be used for e-mail from an ISP or provider. But even in the case of a search warrant, the government is doing it wrong.
In an ordinary search warrant (say for the pot in the bedroom) the cops file an affidavit with the court showing probable cause to believe there is evidence of a crime in a specified place. They get a court order from a judge in the district where the search is to be conducted — directed to law enforcement agents — authorizing (actually, compelling) them to search that place, and seize those things specifically mentioned in the warrant.
The cops inform the owner that the warrant has been issued, execute the warrant, are limited by the terms of the warrant as to where they can go and what they can do, and leave a copy of the warrant and an inventory of what is seized with the owner of the property. The owner can then challenge the probable cause behind the warrant, the scope of the warrant, the scope of the execution of the warrant, assert privileges with respect to items seized, or file a motion for return of illegally seized property.
Not so for electronic records. The law enforcement agents don’t conduct the search. They don’t tell the owner of the emails about the search. No inventory is provided to the owner of the emails, and no opportunity to challenge.
And they can go to a judge anywhere — in fact, if a thousand judges deny the warrant, if the cops can find one in, say, Provo, Utah willing to sign the warrant, they are in. The government just faxes the warrant to the ISP, and the ISP conducts the “search” and the “seizure” for them, and delivers up the requested records. For practical purposes, it looks the same as a subpoena. But there are significant differences.
Take the case of Alexey Ivanov and Vasiliy Gorshkov, two Russian hackers lured to the US with promises of a job interview with Seattle-based “Invita” corporation. They logged into their personal computer in Moscow to get their tools to show their prospective employer their skills.
However, Invita was no ordinary employer — it was a ruse created by the FBI to lure the Russians in. Armed with a search warrant, the feds logged into the Moscow server using Ivanov and Gorshkov’s credentials (snarfed off the Invita computer) and seized evidence that was used against the pair at trial in the U.S. In fact, the US court found no problem with the execution of the warrant for Russian documents.
The Russian court disagreed. The FBI agents were indicted in Russia for hacking. You see, according to the Russians, a US court can’t authorize a search in Russia. Imagine if the FBI agents in Seattle got a U.S. Court order to search Ivanov’s Moscow dacha? The agents fly to Moscow and kick in the door, armed with a piece of paper signed by some dude in a robe in Tacoma. Not convincing.
And that’s the big difference between a subpoena (you produce) and a warrant (I take.)
To the extent that the SCA authorizes the production of third party records located overseas, it violates not only the Fourth Amendment, but the sovereignty of the other nation, just as much as kicking in the door of the Moscow dacha.
The decision is not just bad law. It’s bad business.
US companies — particularly security, storage, communications and Internet companies are still reeling from the revelations about NSA surveillance. Foreign companies already think that US providers are acting as witting or unwitting agents of the NSA, and are reluctant to work with them for fear that their information will be subject to subpoena, demand or extortion from some US government agency.
This ruling adds fuel to that fire. Any document anywhere in the world can be compelled to be produced if a company with access to that document has some contacts with the U.S.
And, of course, the reverse would be true too. Your Hotmail email to grandma in Pittsburgh is subject to a subpoena by the South Korean National Police Agency because Microsoft has an office in Seoul. Its subsidiary in Teheran makes grandma’s email subject to subpoena by the Iranians. See where this is going?
If the US government wants stuff in Ireland, let them go to the Courts in Ireland and get it. It’s a lovely country. But like Guinness Stout, the documents don’t travel well. They have to be appreciated in Ireland. Erin go bragh!