Microsoft has been challenging a USA search warrant, issued within an ongoing narcotics trafficking related investigation, seeking to access the content information of the electronic communications of one of its customers, which are stored exclusively outside the jurisdiction of the USA authorities, more specifically hosted in a data centre in Dublin, Ireland.
The abovementioned warrant would require an extraterritorial search and seizure of data stored in Microsoft’s Dublin datacenter. The very particular question at stake is if and to what extent a USA warrant compels a USA communications service provider to provide data stored abroad. What is to determine territoriality for a USA based provider with data stored abroad: the location where the data is stored or where the company is headquartered?
As any other service provider company, Microsoft stores the e-mail messages sent and received by its users and related information in datacenters, both in the USA and abroad, according to the users own location and proximity, given at registration, in order to increase the quality of the communications and decrease the network latency.
In this specific case, considering that the content is hosted outside the EUA, it is quite possible that the customer at stake is a non-US citizen. And this makes this issue all the worse in the post-Snowden age.
In fact, this situation is not so vaguely reminiscent of the statements of Robert Hannigan, the head of the GCHQ, which qualified tech companies as ‘the command and control networks of choice’, precisely because they do not agree to cooperate on some very dubious terms. Or those of James Comey, the FBI director, a strong opponent of the growing market for secure private telecommunications, namely through data encryption technologies that companies such as Apple and Google have inserted to their Smartphone operating systems.
Needless to say that a “trapdoor” access to the tech companies networks by intelligence agencies and law enforcement authorities, in order to collect information about its users, is not a good idea. With such a free access door, there is no guarantee about who else would be able to gain access to these networks.
And it is quite hard to accept the need of such doubtful mechanisms when existing legal mechanisms do exist and allow achieving the same result. They are called warrants.
But it seems that when even when using the proper legal mechanisms, some governments fail to understand its territorial limitations in regards of competence and jurisdiction. That is certainly why a USA court assumes to have the authority to issue warrants for the search and seizure of property outside the territorial limits of the United States.
According to the Court which issued the warrant, the specific nature of an SCA warrant differs from a normal warrant, compelling the service provider to gather and produce the data itself, rather than authorizing the entrance into the physical premises in order to conduct a search and seizure. In this context, it is not bound by the geographical restrictions of a search warrant and therefore no elements of extraterritoriality are at stake as Microsoft is merely required to produce information in its possession or control, regardless the location of that information.
The Court further considered that otherwise it would be sufficient for an individual intending to engage in criminal activities to give false residence information or to establish its residence abroad in order to have his account assigned to a server outside the USA and, thus, evade an SCA warrant.
There are, for what I managed to gather, substantial theoretical ambiguities regarding the interpretation and the historical drafting of the SCA. Nevertheless, there are others which are quite straightforward.
For instance, at an international level, such a unilateral initiative risks of negatively interfering with the sovereignty and jurisdiction of another country and may even damage diplomatic relations and foreign policies. The German Government has already stated that it will cease the storage of data in USA cloud providers.
There are indeed proper specific procedures established in bilateral agreements aimed at obtaining criminal evidence located in another country. Take for instance the Mutual Legal Assistance Treaty (MLAT), which is an international instrument designed to facilitate cross-border criminal investigations, concluded between Ireland and the USA. This is precisely because a USA Court Order is no more binding in Ireland as an Irish Court Order would be in the US. For this very reason, the data shouldn’t be transferred from Ireland to the USA other than through such a formal and official channel of co-operation.
However, this mechanism was deemed “slow and laborious” by the USA Court, which also outlined the possibility for one of the parties to decline the request for assistance as a negative feature. Apparently, the main issue is that the requested party may oppose “the exercise of jurisdiction which is in its view extraterritorial and objectionable”. The same Court considered that the fact that some MLAT require the execution of a search warrant to be operated in accordance with the laws of the requested party to be an issue.
Humm, quite self-explanatory, isn’t it? The intention is to access private emails of any customer of a USA based service provider disregarding where the data is located, and without the knowledge or consent of the subscriber or the relevant foreign government where the data is stored.
The interpretation according to which the search of digital data occurs where the data is remotely accessed is just a not so smart and very unfortunate attempt of bypassing the proper existing mechanisms. And it opens the door for legal uncertainty.
The search of digital data undoubtedly occurs where the data is stored when the company at stake is required to copy the data from the server. The location should dictate the competent jurisdiction. If the court has no competence to obtain through a court warrant some evidence, it cannot circumvent that limitation by compelling Microsoft to do what it has no authority to do itself.
Considering that USA-based companies can be constricted to produce documents stored anywhere worldwide – just because they are based in the USA – fails to acknowledge that different laws apply depending on the jurisdictions where the user is located. For instance, Microsoft would be compelled to breach EU data protection laws, namely the Data Protection Directive and the Framework Decision which regulates data transfers to non-EU Member States.
In this context, in a statement issued last November, the Article 29 WP stated as follows:
a public authority in a non-EU country should not have unrestricted direct access to the data of individuals processed under EU jurisdiction, whatever the conditions of this access and the location of the data. Conflicts of jurisdiction shall be resolved only under certain conditions–e.g. through prior authorisation by a public authority in the EU or through a mutual legal assistance treaty, respectively covering access by foreign law enforcement authorities to data transferred from the EU or to data stored in the EU. Foreign requests must not be served directly to companies under EU jurisdiction.
Moreover, allowing for the USA government such an access would create a dangerous precedent, potentially leading other countries to disregard the existing legal mechanisms to seek data stored abroad. Such an anarchy is certainly not a desirable outcome to be achieved!
Anyway, considering the company’s previous relation with the National Security Agency (NSA), I must admit this came as a surprise. After all, among the several very inconvenient and ugly truths, namely regarding the PRISM program, the documents provided by Edward Snowden revealed that Microsoft has collaborated closely with USA intelligence services in order to allow users’ communications to be intercepted, including enabling the NSA to circumvent the company’s own encryption.
This can really be the first time that a company challenges the USA government over a domestic warrant for data held overseas. In the meantime, the Irish government has already manifested its support, along with several other tech companies and consumer privacy advocates.
While this situation outlines the increasing role of private companies as the ultimate defendants our rights, it brings to the spotlight that the right of protection against illegal access, search and seizure of physical property needs to clearly apply also to the digital world. I mean, if governments are not entitled to freely conduct searches in a building located in another country, I cannot fathom any reason for considering that this power of search would be bestowed to them in regard of the content of an email stored overseas. The information located in the cloud should be covered by an equally high standard of protection and any exchange should be covered by a strict framework. Otherwise, it is the very cloud model that is put at risk and we all know that the trust of customers has been quite challenged already.