Saturday, April 25, 2015

Guest Blog on Stored Communications Act Reach to Cloud Storage Outside the U.S. (4/25/15)

This blog entry is an offering by guest authors Peter D. Hardy, here, and Carolyn H Kendall, here, of Post & Schell PC.  Peter and Carolyn practice in the Internal Investigations & White Collar Defense and Data Protection/Breach Practice Groups of the law firm of Post & Schell P.C., in Philadelphia, PA.  Peter, a principal in the firm, is the author of a legal treatise entitled Criminal Tax, Money Laundering, and Bank Secrecy Act Litigation (Bloomberg BNA 2010), and is a former federal prosecutor.  Carolyn, an associate at the firm, co-authored the 2014 Supplement to Criminal Tax, Money Laundering, and Bank Secrecy Act Litigation.

Please note that downloadable copies of the key documents are at the end of the blog and links to the cited cases, statutory sections and procedure rules are at the end of the blog discussion.

Domestic Search Warrants for Emails Stored Abroad:
The Government Seeks to Expand its Ability to Collect Foreign Evidence

An appeal now under consideration by the Second Circuit arising out of a drug investigation may have substantial consequences for the government’s general ability to obtain evidence stored abroad – and such consequences certainly would extend to the continuing efforts by the Department of Justice and the Internal Revenue Service to gather evidence of undisclosed foreign assets held by U.S. taxpayers.  The appeal illustrates how increasingly sophisticated technology may curb the government’s investigative options or, alternatively, how creative and aggressive legal claims by the government may allow it to obtain foreign evidence through domestic courts, including emails generated by individuals who do not reside within the U.S.

In December 2013, the government obtained a warrant in the Southern District of New York for the contents of an email account hosted by Microsoft, which the government alleged had been used in narcotics trafficking.  The warrant, issued pursuant to the Stored Communications Act (SCA), 18 U.S.C. §§ 2701-2712, directed Microsoft “to disclose” the contents of the email account that were within Microsoft’s “possession, custody, or control.”  Microsoft stores its customer data in “the Cloud,” which in this case happened to be Microsoft’s datacenter in Dublin, Ireland.  Microsoft stored the account’s content there based on the account-holder’s representation that he was located outside the U.S.  Realizing that the warrant sought content from Dublin, Microsoft moved to vacate the warrant as an impermissible extraterritorial warrant.  The district court denied the motion, and Microsoft renewed its challenge before the Second Circuit, which is expected to hear argument this summer.  Given the potential ramifications in all kinds of criminal investigations of permitting the government to obtain sensitive information stored offshore by serving an SCA warrant on an entity in the U. S., this case is one to watch.  In this post, we lay out some of the issues currently before the Second Circuit.  A later post will address the Second Circuit’s ruling, once it has been published.

District Court Proceedings 

Search warrants of course represent a powerful investigative tool.  Federal Rule of Criminal Procedure 41(b)(5) allows for the issuance of search warrants only for property located within the U.S., or within a U.S. territory, possession, commonwealth, embassy, or consulate.  Rule 41 simply does not allow for the seizure of property located in a foreign country.

The SCA permits the government to obtain a warrant compelling an internet service provider (ISP), like Microsoft, to disclose all electronic communications associated with a given email address stored by the ISP.  The SCA states that, to obtain an SCA warrant, the government must “us[e] the procedures described in the Federal Rules of Criminal Procedure” and establish probable cause.  18 U.S.C. § 2703(a).  Despite these similarities to an ordinary search warrant obtained pursuant to Rule 41, an SCA warrant also bears similarities to a subpoena—it requires the recipient to disclose and deliver certain materials to the government, and it can be served by simply faxing the warrant to the ISP.  These facts led the magistrate judge reviewing Microsoft’s motion to vacate to describe in his opinion an SCA warrant as “a hybrid:  part search warrant and part subpoena.”  In re Warrant to Search a Certain E-Mail Account, 15 F. Supp. 3d 466 (S.D.N.Y. 2014).  Whether an SCA warrant is in fact a “warrant” as traditionally understood and governed by Rule 41’s prohibition on warrants for property outside the U.S., or instead represents a hybrid, analogous in relevant respects to a subpoena, is at the heart of this case.

The magistrate judge ruled that the SCA warrant’s “unique structure” did not implicate extraterritoriality concerns.  According to the magistrate, because an SCA warrant is similar to a subpoena, the requirement that the government establish probable cause “does not alter the basic principle that an entity lawfully obligated to produce information must do so regardless of the location of that information.”  The magistrate also found support for this proposition in the Second Circuit’s decision in Marc Rich & Co., A.G. v. United States, 707 F.2d 663, 667 (2d Cir. 1983), cert den. 463 U.S. 1215 (1983), which required compliance with a subpoena in a tax evasion investigation for documents held in Switzerland because the district court had personal jurisdiction over the company on which the subpoena was served and the requested documents were within the company’s control.

On review, the district court echoed the magistrate’s reasoning.  During a hearing, the court repeatedly asked why the Bank of Nova Scotia subpoena doctrine, which requires banks to produce account transaction records located or stored outside of the U.S., would not apply to the SCA warrant at issue.  United States v. Bank of Nova Scotia, 740 F.2d 817 (11th Cir. 1984).  Microsoft attempted to distinguish Bank of Nova Scotia subpoenas from SCA warrants by noting that Bank of Nova Scotia subpoenas seek the banks’ own records (i.e., records of transactions between the bank and the client account), while SCA warrants demand production of data belonging to Microsoft’s clients.  Conceding that it has control over clients’ email contents, Microsoft stated that this “control of other people’s information [ ] is imbued with an expectation of privacy,” and analogized its control to that of a bank with “control” over a customer’s safe deposit box:  the contents are the customer’s and the bank lacks unilateral access to the box’s contents.  This distinction could be essential, especially given the important privacy interests in email that motivated the SCA’s creation.  However, Microsoft did not raise this challenge before the magistrate and the district court found that the argument was waived.

Ultimately, the district court ruled from the bench that the SCA warrant provision’s “structure, language, legislative history, [combined with] Congressional knowledge of precedent, including the Bank of Nova Scotia doctrine, all lead to the conclusion that Congress intended in [the SCA] for ISPs to produce information under their control, albeit stored abroad, to law enforcement in the United States.”

Before the Second Circuit

Microsoft has renewed its challenge to the SCA warrant’s validity before the Second Circuit.  In deciding whether an SCA warrant requiring disclosure of material stored offshore is valid, the Second Circuit likely must confront whether an SCA warrant is a traditional warrant or instead represents some kind of “hybrid.”  The court also must address the related issues of whether Rule 41’s territorial limitations apply and whether, and to what extent, the Bank of Nova Scotia subpoena doctrine applies to SCA warrants.

Resolution of the first issue likely will depend on the court’s textual analysis, informed by the SCA’s legislative history.  As currently written, the SCA requires only that the “procedures” in the Federal Rules be used to obtain the warrant; whether all of Rule 41 applies is ambiguous.  The district court concluded that there was no evidence that Congress intended to place territorial limits on SCA warrants’ operation.  On appeal, Microsoft has pointed to Congress’ use of the term “warrant” and explicit reference to the Federal Rules.  It also points to a prior version of the SCA warrant provision to support its position, but there is an absence in the current version of a clear intent that the substantive dictates of Rule 41 should govern SCA warrants, rather than just supply the procedures for establishing probable cause and obtaining them.  If the Second Circuit finds that Rule 41’s extraterritoriality prohibition applies to SCA warrants, it then will have to decide whether the warrant, which is served on Microsoft in the U.S., is in fact operating extraterritorially by requiring disclosure of offshore records.      

The Second Circuit also likely will have to address the issue of whether the Bank of Nova Scotia subpoena doctrine will be expanded to reach electronic communications stored in the Cloud, i.e., in datacenters outside the U.S.  Although Bank of Nova Scotia subpoenas for bank and financial records are not new, this case represents a potential expansion of the doctrine because it would allow the government to obtain personal communications created and/or stored in other countries, including the emails of people whose only connection to the U.S. is their use of an international email service provider over which a U.S. court has personal jurisdiction.  Given the recent increase in the use of Cloud storage offered by service providers like Microsoft, this issue will affect any data attached to communications that users entrust to providers.  In anticipation of just such an outcome, many amici have filed briefs in support of Microsoft, including technology companies such as Apple, Inc., Verizon Communications Inc., and AT&T Corp. and news organizations, such as Cable News Network, Inc., Fox News Network LLC, Forbes, Inc., and The Washington Post, which are concerned about foreign governments issuing similar warrants to obtain journalists’ politically-sensitive reports and communications.    

On appeal, Microsoft again argues that the Bank of Nova Scotia subpoena doctrine is inapplicable because the SCA warrant seeks client records and data, not Microsoft’s.  Whether, and to what extent, the Second Circuit will squarely address this key distinction between a Bank of Nova Scotia subpoena and an SCA warrant remains to be seen.  Success on plain error review may turn on the court’s reading of the Bank of Nova Scotia cases and its view on whether the cases’ reasoning necessarily depends on the ownership, and not just control, of the records in question.  Whether the doctrine is applicable at all likely turns on the court’s threshold resolution of whether an SCA warrant is a traditional warrant or a “hybrid” warrant-subpoena.  

Microsoft also stresses the potential international ramifications of affirming the district court’s decision, arguing that the practical effect of the ruling is to permit a U.S. judge to order a search and seizure in another country.  The case is being closely watched internationally: the German government reportedly has stated that it will not store data with U.S. Cloud service providers unless the district court’s decision is reversed, and foreign technology firms are considering offering Cloud storage limited to certain countries, in an apparent attempt to put data out of the U.S.’s reach.  In an unusual move, the government of Ireland filed an amicus brief in support of Microsoft, stating that it stands ready and willing to work with the U.S. government should the U.S. make use of the normal channel for obtaining information stored abroad:  the U.S.-Ireland Mutual Legal Assistance Treaty (MLAT).  Although not expressly claiming that the warrant’s operation would conflict with Irish law, the amicus brief relates that “the Irish Supreme Court [has] accepted that, in general, a court does not order inspection of documents in a foreign country and that, where possible[,] courts should avoid coming into conflict.”  

Emphasizing the potential international impact, Microsoft has argued that if the district court’s decision is affirmed, citizens may no longer be able rely on their own countries’ data and privacy protections, and that businesses that operate in the U.S. and abroad could be subject to potentially conflicting requirements regarding safeguarding customer privacy.  This case’s ultimate resolution, whether by the Second Circuit, the Supreme Court, or congressional action, also will impact significantly the government’s ability to obtain evidence and information stored outside of the U.S.  Whether the government will have to resort to the admittedly slow and cumbersome MLAT process to obtain such information, or whether it simply can serve an SCA warrant on a Cloud service provider with a U.S. presence, will inform any enforcement calculus.

Key Documents in the Case:
  1. Magistrate Judge Opinion, here.
  2. Transcript of Hearing before District Judge Preska, here.
  3. Appeal - Microsoft Opening Brief, here.
  4. Appeal - U.S. Answering Brief, here.
  5. Appeal - Microsoft Reply Brief, here.
  6. Appeal - Ireland Amicus Brief, here.
Cases Cited in Blog Entry:
  • Marc Rich & Co., A.G. v. United States, 707 F.2d 663, 667 (2d Cir. 1983), cert den. 463 U.S. 1215 (1983), here.  [Note: the name of the case appears in various other formats, such as In re March Rich & Co., and Matter of March Rich & Co., A.G.]
  • In re Warrant to Search a Certain E-Mail Account, 15 F. Supp. 3d 466 (S.D.N.Y. 2014), here,  appeal docketed, No. 14-2985 (2d Cir. Aug. 12, 2014). [This is the key decision in the case currently on appeal to the Second Circuit]
  • United States v. Bank of Nova Scotia, 740 F.2d 817 (11th Cir. 1984), here. [Note: the name of the case appears in various other formats, such as In re Grand Jury Proceedings of Bank of Nova Scotia]
Stored Communications Act, 18 USC 8 U.S.C. §§ 2701-2712, the key section of which is 2703, here.

Federal Rules of Criminal Procedure, 41, here.

Mutual Legal Assistance Treaty (MLAT) Between the United States and Ireland (January 18, 2001), here.

A Harvard Law Review discussion of the Magistrate Judge's decision is here.

No comments:

Post a Comment

Please make sure that your comment is relevant to the blog entry. For those regular commenters on the blog who otherwise do not want to identify by name, readers would find it helpful if you would choose a unique anonymous indentifier other than just Anonymous. This will help readers identify other comments from a trusted source, so to speak.