Government Cannot Use Warrant to Seize Overseas Emails from Microsoft

The conflict between the right to privacy and the government’s desire to gather evidence of crimes is one that courts are frequently asked to resolve. The U.S. Court of Appeals for the Second Circuit recently decided that government officials cannot compel Microsoft to produce a customer’s emails relating to alleged criminal activity. Since Microsoft stored the emails in a server outside of the United States, a search warrant cannot reach them.

Conflicting Positions

Federal prosecutors in New York obtained a search warrant from a district court that directed Microsoft to produce the emails of a customer who uses an Outlook account. Outlook is the most recent version of the free email service that Microsoft makes available to its customers. The warrant was based on the government’s assertion that the email account was being used to facilitate drug trafficking.

Microsoft responded to the warrant by providing information about the customer that was stored on its servers in the United States. The emails, however, were stored on a server in Ireland. Microsoft refused to access its servers in Ireland in order to bring the emails to the United States because it did not believe that the district court had lawful authority to compel the production of data it maintained outside of the United States. The court eventually held Microsoft in contempt and Microsoft appealed.

Email Storage

Outlook accounts are available to Microsoft customers in more than 100 countries. Microsoft stores email content on a worldwide network of servers. The servers are physically located in Microsoft’s data centers. Microsoft maintains data centers in 40 countries.

Customer emails are usually stored on servers in a data center that is near the location the customer provides when subscribing to the service. That allows customers to retrieve emails without experiencing the delay that might be caused if the customer were required to access a server at a more remote location.

Microsoft does not usually know where its Outlook subscribers are actually located. It takes the information provided by the customer when opening an account at face value. If a customer provides a location outside of the United States, the customer’s emails will normally be stored in a database center that is assigned to that country. In this case, the emails described in the search warrant were stored in a database center in Dublin, Ireland.

When a customer has been assigned to a data center outside the United States, Microsoft transfers the customer’s emails to the assigned data center, even if those emails have passed through Microsoft servers in the United States. Microsoft then deletes them from its other servers. Once the emails are in a data center in a foreign country, Microsoft cannot access them without retrieving them from the foreign data center.

The Stored Communications Act

Congress passed the Stored Communications Act (SCA) in 1986. While the key objective of the law was to protect the privacy of digital communications, the law provides ways for the government to obtain information that is stored electronically. Just as the government cannot wiretap a telephone without obtaining an appropriate warrant, the government cannot gain access to emails unless a court has authorized it to do so. At the same time, internet service providers may not disclose a customer’s private data unless that disclosure has been authorized by the customer or a court.

Depending on the nature of the digital information that the government wants to acquire, the government can use either a subpoena, a court order, or a search warrant. An administrative subpoena can be issued to compel the release of basic subscriber information. The production of more detailed subscriber information requires a court order. The government is entitled to that order only if it convinces the court that there are reasonable grounds to believe that the requested information is relevant to a criminal investigation.

The government can only obtain the content of stored communications (such as emails) by executing a search warrant. The government must demonstrate probable cause to believe that the emails contain evidence of a crime before the court can issue a search warrant.

The SCA permits customers to sue a service provider that discloses private data in violation of the law. The SCA provides a defense to service providers who make the disclosure in good faith reliance on a warrant, order, or subpoena. In this case, Microsoft did not believe it could rely on the warrant in good faith, because it did not believe the court was authorized to issue a warrant to search for data contained in a server outside the United States.

The Court of Appeals’ Decision

Federal rules allow federal courts to issue warrants that permit law enforcement agents to search property within the boundaries of the United States and its territories, as well as certain federal property (such as embassies) in other countries. Searches outside those geographic limits cannot generally be authorized. It therefore is not surprising that Microsoft questioned whether a warrant could compel it to disclose information that it kept outside of the United States.

Although warrants cannot be executed outside of the United States, a subpoena can be used to compel a business located in the United States to produce records that it stores outside of the United States. The government argued, and the district court agreed, that the SCA treats search warrants as if they are subpoenas. While a typical warrant authorizes the government to conduct a search, a subpoena requires a party to produce records for the government’s inspection. Since an SCA warrant permits the government to use a service provider as its agent to retrieve information, the court decided that the warrant was essentially a subpoena.

The court of appeals disagreed. Subpoenas require a party to turn over its own records. An SCA warrant requires a service provider to turn over a subscriber’s private information. Emails belong to the sender and their recipients. Microsoft is merely the custodian of its subscribers’ emails. An SCA warrant for a subscriber’s emails is therefore markedly different from a subpoena that seeks Microsoft’s own records. The fact that the warrant compels the service provider, rather than government agents, to conduct the search for emails does not transform the warrant into a subpoena.

In addition, warrants and subpoenas have long been understood to be different tools that serve different purposes. Unlike a subpoena, a warrant can be issued only if there is probable cause to believe a crime was committed. Warrants therefore provide a stronger safeguard of privacy than subpoenas. Congress plainly intended the greater protections of a warrant to apply when the government seeks the production of emails. Treating a warrant as if it were a subpoena would undermine those protections.

The court also rejected the government’s argument that an SCA warrant authorizes the search of all records that are available to Microsoft within the United States, even if it stores the records outside the United States. That argument is contrary to centuries of tradition that limit the scope of warrants to property that is located within the United States. Just as a warrant cannot force a suspect in New York to retrieve a gun that is stored in Dublin and bring it to New York, a warrant cannot force Microsoft to electronically transmit records from Dublin to the United States.

A Victory for Privacy

The court made clear that Congress enacted the warrant requirement of the SCA to protect the privacy of individuals who store digital communications with internet service providers. The subscriber is not notified that the government plans to read the subscriber’s emails after a search warrant is executed. The subscriber has no opportunity to object to the warrant before it is issued or executed. It is therefore appropriate to apply warrant principles strictly. By doing so, the court protected the privacy interests of individuals from intrusion when the law simply does not allow the government to seize a subscriber’s emails.

That the intruder in this case is a federal law enforcement agency makes no difference. The very purpose of search warrants is to protect individuals from unreasonable governmental intrusions upon their privacy. The government is free to seek the assistance of Irish authorities in gaining access to the Microsoft servers if it considers the emails to be sufficiently important to its criminal investigation. It is not free to obtain emails that a service provider has stored on servers in another country.

(Photo Credit: “Microsoft sign closeup” is licensed under the public domain)