Publication - 05/01/2014

SDNY Significantly Broadens Reach of Warrants under the Stored Communications Act: Forces Microsoft to Produce Customer Email on an Extraterritorial Server

Client Alert

By Bennet B. Borden, Andrea L. D'Ambra and Edward James Beale

On April 25, 2014 in the Southern District of New York, U.S. Magistrate Judge James C. Francis IV compelled extensive production of the contents of an unnamed user’s email account stored on a Microsoft server located in Dublin, Ireland.[1] Memorandum and Order, In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp., 13 Mag. 2814 (S.D.N.Y. Apr. 25, 2014). This startling ruling could have a significant impact on not only the use of free email services like Hotmail and Gmail, but also all cloud-based services like Office 365, Google Apps, and even cloud providers like Amazon.  If this ruling stands and is widely adopted, U.S. service providers may be compelled to produce customer’s data regardless of the jurisdiction in which it physically resides.

The Stored Communications Act (SCA) was enacted in 1986 as part of the larger Electronic Communications Privacy Act (ECPA), and sought to provide 4th Amendment-like protections to the contents of electronic communications in the hands of service providers like Microsoft.  Under the SCA, the government can obtain certain kinds of electronic information held by a service provider only upon a showing of probable cause of wrongdoing.  Obtaining the actual content of an electronic communication requires a higher showing than for, say, account information.  If the showing requirement is met, a court can issue an SCA Warrant.[2]  The SCA Warrant is served on a service provider, who then conducts a search and produces relevant communications.  Prior to this ruling, SCA Warrants typically did not apply to communications stored outside of the jurisdiction of the United States.

In its motion to quash the SCA Warrant in this case, Microsoft’s argument was simple: warrants are not subpoenas. If the government served a subpoena on Microsoft, then Microsoft would be required to produce relevant information within its possession, custody or control regardless of where it physically resided.  But, by attempting to obtain information located on servers in Ireland via a warrant, the U.S. government sought information outside of the territorial limits of the United States.  Because Federal courts have no authority to issue warrants for the search and seizure of property outside the territorial limits of the United States, Microsoft argued it should not be required to produce the information. In support of its argument, Microsoft noted the SCA Warrant is referred to as just that, a “warrant,” and also requires to the use of warrant procedures in obtaining it. 

This argument, however, failed to convince Judge Francis. After conceding Microsoft’s analysis was “not inconsistent with the statutory language” of the SCA, Judge Francis held that the SCA Warrant was not a typical warrant, but was a “hybrid: part search warrant and part subpoena.”  It is a like a search warrant in that an application is made to a magistrate upon a showing of probable cause.  But it is executed like a subpoena in that it is served upon a service provider who then conducts the search (as opposed to government agents) and provides the results.  The prohibition on extraterritorial searches is based, Judge Francis held, on the concern that government agents were searching and seizing property in a foreign jurisdiction.  When the service provider is the one doing to searching and seizing, those concerns are not present.

Judge Francis also focused on the practical consequences that would result from following Microsoft’s argument (and previous case law), that it would “seriously impede” legitimate law enforcement efforts, and that individuals could evade an SCA Warrant simply by assuring their data was stored on servers outside the United States.  In the short term, an appeal is virtually certain. In a TechNet.com blog post, David Howard, Microsoft’s Corporate Vice President & Deputy General Counsel suggested Microsoft would “bring the issue before a U.S. district could judge and probably to a federal court of appeals.” David Howard, One step on the path to challenging search warrant jurisdiction, TechNet (Apr. 25, 2014, 6:04 PM), available here.

If that appeal fails, this opinion has troubling far-reaching implications. Barring a successful appeal, U.S. service providers may be forced to produce digital content to U.S. government agents– including but not limited to customer emails – no matter whether that content is hosted in Silicon Valley or Siberia.  

For further information, please one of the authors listed above or your regular Drinker Biddle contact.
 


 

[1] Microsoft must disclose:

a. The contents of all e-mails stored in the account, including copies of e-mails sent from the account;

b. All records or other information regarding the identification of the account, to include full name, physical address, telephone numbers and other identifiers, records of session times and durations, the date on which the account was created, the length of service, the types of service utilized, the IP address used to register the account, log-in IP addresses associated with session times and dates, account status, alternative e-mail addresses provided during registration, methods of connecting, log files, and means and sources of payment (including any credit or bank account number);

c. All records or other information stored by an individual using the account, including address books, contact and buddy lists, pictures, and files;

d. All records pertaining to communications between MSN . . . and any person regarding the account, including contacts with support services and records of actions taken.

[2] The evidentiary burdens the government must meet, as well as the specifics about varying kinds of electronic communications are a bit arcane because the SCA is so dated.  A full discussion of these intricacies is beyond the scope of this alert.  But Judge Francis describes them well in the opinion.

Departments of Education and Justice Release Guidance on Maintaining Nondiscriminatory Educational Communities for Transgender Students

Client Alert
John R. Przypyszny, Jonathan D. Tarnow

Title IX of the Education Amendments of 1972 (Title IX) generally prohibits sex discrimination in educational programs and activities conducted by institutions that receive federal funds.Recently, the specific nature of that prohibition as it applies to transgender students has come under scrutiny.

Miscellaneous Tariff Bill Finally Passes

Client Alert
James Sawyer, Mollie D. Sitkowski

In a rare demonstration of bipartisan politics, on May 20, 2016, President Obama signed into law the American Manufacturing Competitiveness Act of 2016 (the “Act”) which includes long-awaited amendments to the process for requesting duty reductions under a Miscellaneous Tariff Bill (MTB).

Wellness Program Compliance – It’s Time to Review Your Program Under New ADA and GINA Final Rules (and HIPAA and…)

Client Alert
Summer Conley, Karen E. Gelula, Monica A. Novak, Dawn E. Sellstrom

On May 17, 2016, the EEOC issued new rules regarding the nondiscrimination requirements applicable to certain wellness programs under the Americans with Disabilities Act of 1990 (“ADA Final Rule”) and the Genetic Information Nondiscrimination Act of 2008 (“GINA Final Rule” and, collectively, the “Final Rules”).

DOL Exemption Rules to Take Effect December 1, 2016

Client Alert

By Stephanie Dodge Gournis, Dennis M. Mulgrew, Jr. and Shavaun Adams Taylor


Stephanie Dodge Gournis, Dennis M. Mulgrew, Jr.

Making good on a 2014 directive from President Obama “to modernize and streamline” existing overtime regulations, the Department of Labor (DOL) today published its highly anticipated Final Rule Defining and Delimiting the Exemptions for Executive, Administrative, Professional, Outside Sales and Computer Employees.

Supreme Court Holds That Plaintiffs Need Concrete Harm In Order To Seek Statutory Damages

Client Alert

The Supreme Court issued its long-awaited decision in Spokeo, Inc. v. Robins, in which it was asked whether plaintiffs have Article III standing if they allege a bare violation of a statute (i.e., an injury in law) but no concrete harm (i.e., an injury in fact).