Microsoft's case to prevent the United States government from using search warrants to demand data that is not stored in the United States has picked up a number of high-profile backers. Although Verizon, AT&T and the Electronic Frontier Foundation are supporting Microsoft's position, it was Apple and Cisco's legal teams that filed a joint amicus brief with the court in the Southern District of New York late on Friday. Apple makes the case that it offers iCloud services to customers for storing photos, contacts, calendars, documents and more. Because some of those servers are located outside the United States, Apple is subject to, or may become subject to, various foreign laws regarding data transfer. Apple further noted that "neither the broad economic interests nor the political interests of the United States will be served if foreign citizens believe that they are better off not doing business with U.S. based companies" – due to the overreach of US government search warrants.
The following is from the Apple-Cisco Amicus Brief filed with the court on Friday, June 13, 2014.
The Government served Microsoft with a search warrant directing it to produce the contents of a customer's email account. Microsoft determined that it had stored the responsive email content on a server in Dublin, Ireland, which was leased and operated by its wholly-owned subsidiary. Rather than produce the email content, Microsoft produced only non-content data stored in the United States and moved to quash the warrant to the extent it required Microsoft to conduct an exterritorial search at the government's behest.
The Magistrate denied Microsoft's motion, upheld the warrant and commanded Microsoft to produce data stored in Ireland. In doing so, the Magistrate held that the Stored Communications Act creates a special "SCA warrant" that is a hybrid between a Rule 41 Warrant and a subpoena. The Magistrate treated the "warrant" as a subpoena and held that Microsoft had "possession, custody, or control" over information stored in Ireland, and must produce the email content.
The Magistrate examined ECPA's structure and legislative history and found it trumped Rule 41's limitations, erroneously concluding that Congress intended the SCA to apply extraterritorially because it was "unlikely" to have intended for the Government to comply with the MLAT process.
The Magistrate's decision did not mention international law, possible conflicts of laws, or the burden on providers of complying with conflicting legal regimes. The Magistrate made no findings regarding (1) whether there were any treaties between Ireland and the United States; (2) whether the Irish government was slow to respond to U.S. law enforcement requests; or (3) whether the Irish government would refuse this request.
The argument presented by Apple and Cisco states that "The Magistrate's analysis improperly ignores the interplay of foreign and domestic laws when determining whether the government can use a warrant to require a U.S. company to produce data about a non-U.S. citizen when the data is held by a foreign subsidiary and stored in a foreign location. Rather than ignoring foreign law, courts should examine possible conflicts of law, inquire into the weight of the U.S. government's interest in each case, and determine whether those interests are sufficiently compelling to outweigh principles of international law, comity, sovereignty, and reciprocity, such that the government may circumvent U.S. treaty obligations.
The Magistrate's failure to include a more thorough international law and comity analysis has serious consequences and, if followed by other courts, is likely to put Apple and other providers in the untenable situation of being forced to violate one nation's laws to comply with another.
The Magistrate's error is compounded by the weak reasoning underlying his decision to apply ECPA extraterritorially. ECPA contains no express statement about extraterritoriality. It makes no reference to seeking data abroad. Instead of relying on ECPA's plain text and canons of construction that weigh against extraterritorial application of laws, or existing case law finding no extraterritorial application (Zheng v. Yahoo! Inc., No. C-08-1068 MMC, 2009 WL 4430297 (N.D. Cal. 2009)), the Magistrate found that Congress was "unlikely" to have intended to require law enforcement to use the MLAT process because, (1) it is sometimes slow; (2) member states may refuse requests; and (3) it is unavailable when no treaty is in place.
The Magistrate further justified his decision to compel Microsoft to produce data stored abroad based on speculation about how U.S. law enforcement efforts could be thwarted by users and providers in the future. The Magistrate considered activities that did not occur here: whether users can give false addresses to providers to effectuate foreign storage, what would happen if a nation refuses an MLAT request, and what happens when no treaty exists. Order at 18-20. Rather than speculating and using ECPA to reject the MLAT process unilaterally, this Court should evaluate the MLAT with Ireland, the relevant provisions of Irish data protection law, and determine whether the MLAT process was appropriate for this case."
The Magistrate Ignored Conflicts of Laws and International Comity In Dismissing the MLAT Process
ECPA Does Not Provide a Basis to Forego a Comity Analysis
The Magistrate Failed to Consider Possible Conflicts with Foreign Law Which Have a Substantial Impact on Providers.
The Magistrate Improperly Rejected the MLAT Process in All Cases
Allowing the Government to Avoid the MLAT Process in All Cases Will Place Providers at Greater Risk of Sanction in Foreign Countries
Requiring the Government to Use the MLAT Process Has Ancillary Benefits
In their conclusion, the Counsel for Apple Inc. and Cisco Systems, Inc. states that "The Magistrate erred by giving undue weight to unsupported concerns about the viability of the MLAT process, while ignoring the reality that U.S. providers frequently receive foreign requests for user data that implicate conflicts of laws. The MLAT process plays a vital role in defusing such conflicts. Accordingly, this Court should reject the magistrate's incomplete reasoning. It should also avoid the temptation to oversimplify what, for both service providers and law enforcement, is a complex web of often conflicting national laws on data privacy and law enforcement access, intricate global data flows to support performance and technical needs, and broader issues of diplomacy and comity in international investigations.
Furthermore, viewing the use of warrants in these circumstances as protecting U.S. interests is short-sighted. Neither the broad economic interests nor the political interests of the United States will be served if foreign citizens believe that they are better off not doing business with U.S. based companies. Based on the evolution of the case, the Court should reject the effort to apply ECPA extraterritorially, and conclude that absent further Congressional action, the MLAT process remains the appropriate vehicle for the retrieval of foreign user data stored abroad.