October 16, 2017

US Supreme Court will hear petition to review Microsoft search warrant case while momentum to modernize the law continues in Congress


Brad Smith, Microsoft, Microsoft v. US

microsoft_logo.png

by Brad Smith, President and Chief Legal Officer, Microsoft

*This piece originally appeared on Microsoft on the Issues on October 16, 2017.

In July 2016, the Court of Appeals for the Second Circuit agreed with Microsoft that U.S. federal or state law enforcement cannot use traditional search warrants to seize emails of citizens of foreign countries that are located in data centers outside the United States.  Today, the Supreme Court granted the Department of Justice’s petition to review Microsoft’s victory.  This is an important case that people around the world will watch.  We will continue to press our case in court that the Electronic Communications Privacy Act (ECPA) – a law enacted decades before there was such a thing as cloud computing – was never intended to reach within other countries’ borders.

But as we have said from the beginning of this litigation, there’s a broader dimension to this issue as well. The continued reliance on a law passed in 1986 will neither keep people safe nor protect people’s rights.  If U.S. law enforcement can obtain the emails of foreigners stored outside the United States, what’s to stop the government of another country from getting your emails even though they are located in the United States?  We believe that people’s privacy rights should be protected by the laws of their own countries and we believe that information stored in the cloud should have the same protections as paper stored in your desk. Therefore, Congress needs to modernize the law and address these fundamental issues.

In his Second Circuit opinion, Judge Lynch urged Congress to act, and many members of Congress have publicly agreed. Legislation has been proposed in both houses to update the law and we support these efforts, regardless of the outcome of our case in the Supreme Court.

The current law, ECPA, was enacted in 1986 when the World Wide Web was still a few years away from being invented and no one conceived of conducting most work and personal business online.  A world connected by cloud services simply didn’t exist. The ways in which we communicate have radically changed over the past three decades — but the laws governing those communications haven’t. Current laws don’t adequately support the needs of law enforcement anywhere in the world or protect our rights.

We challenged the warrant that resulted in this ligation because we believed U.S. search warrants shouldn’t reach over borders to seize the emails of people who live outside the United States and whose emails are stored outside the United States. We challenged the DOJ’s interpretation of the law because we strongly believe it is problematic in a number of ways:

  1. It contradicts the basic premise that before a U.S. statute reaches across another country’s borders, it should be clear that’s what Congress intended when it passed the law.
  2. We disagree with the premise of the government’s argument in favor of the warrant that customer email is the property of the email provider, not the customer, which would cause people to lose their rights when they go online.
  3. It creates conflicts with the laws of countries in Europe and elsewhere around the globe, which are intended to protect privacy interests and restrict the disclosure and transfer of personal data to a third country.
  4. It puts everyone’s emails at risk – if the U.S. government can unilaterally use a warrant to seize emails outside the United States, what’s to stop other governments from acting unilaterally to seize emails stored inside the United States? At a time when countries are rightly worried about foreign government hacking, the DOJ’s interpretation would open the door to accomplishing the same thing.

The current laws were written for the era of the floppy disk, not the world of the cloud. We believe that rather than arguing over an old law in court, it is time for Congress to act by passing new legislation, such as the International Communications Privacy Act (ICPA) of 2017. This past July, Senators Orrin Hatch, R-Utah, Chris Coons, D-Delaware and Dean Heller, R-Nevada, introduced ICPA in the Senate which builds on previous versions of the legislation. Representatives Doug Collins, R-Georgia, Hakeem Jeffries, D-New York, Darrell Issa, R-California, and Suzan DelBene, D-Washington, introduced an identical bill in the House.

ICPA provides sensible ways for cross-border data access, including a robust legal process to access the email of Americans and notification of foreign countries, when required under international law. Without these important clarifications, technology companies, law enforcement and the courts will continue to interpret and apply a law to technologies and circumstances far beyond what Congressional leaders envisioned in 1986.