One of the clearest indications that technology is far outpacing the law came on Feb. 3, when Google Inc.’s motion to quash federal search warrants for user email data the company stored overseas was rejected by the U.S. District Court for the Eastern District of Pennsylvania.
Just a few months prior on Sep. 5, 2016, the U.S. Court of Appeals for the Second Circuit ruled that search warrants under Section 2703 of the Stored Communications Act (SCA)—the same warrants served to Google—could not compel Microsoft to disclose its user email data stored in Ireland.
The Second Circuit’s decision, cited by Google in its own motion, was not without contention. On Jan. 24, the court denied a request for a rehearing in a deadlocked 4-4 vote.
But while the divergent rulings mean courts are far from any definitive guidance on what rights the U.S. government has to request and access corporate data stored overseas, they do provide counsel with some direction on how to minimize risk of such seizures, as well as highlight the specific legal complexities at play when considering such requests.
In no small part, both rulings turned on how each corporation stored and transferred its data in the cloud—data servers maintained or used by corporations worldwide. It is a consideration inextricably linked to how courts ascertain the location of requested data, and with it, the rights of government authorities’ to access such information.
“The transferability of the data has a lot to do with both of these decisions,” said Todd Haley, vice president of strategic solutions at eTERA consulting. “In Microsoft, it seems that the data resided mostly in Ireland and did not move from that location, and could also be physically defined as staying in that location. Whereas in the Google case, [the court] seems to indicate that because Google moved data around all the time” for network efficiency purposes, it was not tied to a single non-U.S. location.
The difference of each company’s different cloud storage practices led separate courts to contrary conclusions on where “the focal point of privacy is,” said David Bender, special counsel of data privacy at GTC Law Group.
“The Microsoft court saw it in Ireland because that’s where the data is,” but the Google court “saw it in the U.S. because that’s where the invasion of the right privacy [would occur] when the data is presented to the FBI,” he explained.
What these rulings underscore, Bender added, is that “using a method of storage that is similar to Google”—which data moves regularly around from servers around the globe—”may be invitation to permit enforcement of an SCA warrant, because it appears here [that there] is no other way for the government to get that data.”
Such transitory cloud storage, after all, pushes the limits of mutual legal assistance treaties (MLATs), which are cumbersome, country-specific legal processes governments rely on to access international data.
“That question is, what do you do with data that doesn’t exactly reside in any jurisdiction because it’s in motion and simultaneously out in multiple different jurisdictions?” asked John Carlin, chair of the global risk and crisis management group at Morrison & Foerster.
Litigating Ones and Zeros
Despite dealing with the same fundamental legal issues surrounding U.S. government access to corporate-held overseas data, each case concerned a distinct situation. Microsoft vs. USA , for example, dealt solely with the issue of accessing user data in a singular, agreed upon location.
In its ruling, the Second Circuit noted that “although electronic data may be more mobile, and may seem less concrete, than many materials ordinarily subject to warrants, no party disputes that the electronic data subject to this warrant were in fact located in Ireland when the warrant was served.”
The court added that search warrants under Section 2703 of the SCA “may not lawfully be used to compel Microsoft to produce to the government the contents of a customer’s email account stored exclusively in Ireland.”
The nationality of the user whose data was requested, however, was not revealed in the case, though the court did note that “Microsoft generally stores a customer’s email information and content at data centers located near the physical location identified by the user.”
In re Search Warrant No. 16-960-M-01 to Google, the situation was far different. U.S. Magistrate Judge Thomas Rueter of the Eastern District of Pennsylvania explained that each Google account holder whose information was requested “resides in the United States, the crimes they are suspected of committing occurred solely in the United States, and the electronic data at issue was exchanged between persons located in the United States.”
And more importantly, he noted, Google does not store this user data in one singular, agreed-upon location.
While Rueter agreed with the Second Circuit that SCA warrants do not apply extraterritorially, he said such a distinction was not a factor in this case. He explained the search and seizure of the data in question would only take place on U.S. soil by FBI agents, and not at the point of transfer from an overseas server.
“Electronically transferring data from a server in a foreign country to Google’s data center in California does not amount to a ‘seizure’ because there is no meaningful interference with the account holder’s possessory interest in the user data,” Rueter wrote.
While each situation lead each court to unique interpretations of the location of cloud data, at its core, both courts still sought to understand electronic information “as a physical, tangible thing,” said Ryan Costello, European operations manager at eTERA Consulting. But he added that such interpretation is not entirely accurate: “That’s not really what it is—it’s a collection of ones or zeros.”
“I think we are seeing courts kind of struggle with defining or pinpointing exactly what the nature of data is with respect to legal precedent,” he added, specifically pointing to Rueter’s citing of the Ninth Circuit’s 2007 United States v. Hoang ruling to compare the “possessory interest” of data to that of small physical packages. “There is just a difficult nature in applying precedent in this analogous kind of way especially when it’s not entirely fitting, and you’ll continue to see varying judicial interpretations in this regard.”
Given the potential for varying interpretations of data and data location in the cloud, some believe these jurisdictional issues may be far too complex for the judiciary to handle alone.
“The issue of when and how law enforcement can gain access to information when they have judicial warrants is one that cries out for a legislative solution and agreement among multiple countries of what a regime should look like,” Carlin said.
But without legislation, Carlin, himself a former assistant attorney general for the U.S. Department of Justice’s National Security Division, believes that this could become an issue “where you could see a circuit split, and it wouldn’t surprise me if it ended up in the Supreme Court.”
How courts will apply established legal precedent to cloud considerations in future cases is anyone’s guess, but what is certain is that these issues will be an unavoidable challenge for judges given the growing prominence of certain types of cloud services.
Though the ruling in the Google case can be seen as a warning for organizations using cloud storage that constantly puts data in transit, Bender noted many organizations will likely keep and continue to implement such dynamic storage “because of technological and economic considerations.”
And more to the point, these organizations will continue to fight government access of their overseas data due to the market sensitives and concerns over the National Security Agency’s surveillance programs, he added.
If U.S. corporations or cloud providers were to readily allow government access to its overseas data, Bender explains, that could be “touted by EU and other foreign cloud providers as another example of unreasonable U.S. government data acquisitions, and one more reason why customers should not entrust their data to U.S. providers.”
Contact Ricci Dipshan at firstname.lastname@example.org. On Twitter: @R_Dipshan.