January 23, 2018

How a Supreme Court Case About Email Can Impact Law Enforcement Practices Around the World

Camille Fischer Frank Stanton Fellow at the Electronic Frontier Foundation

Over 300 U.S. and European lawmakers, civil liberties organizations, media organizations, computer science professors, U.S. and international legal academics, and companies urged the Supreme Court last week to protect privacy rights in the countless emails, chats, and other online communications that cross international boundaries.

In all, 23 amicus briefs were submitted in support of Microsoft’s challenge to a U.S. warrant requesting the company to turn over emails stored in Dublin, Ireland. The Electronic Frontier Foundation (EFF) signed onto a brief with the American Civil Liberties Union, Brennan Center, Restore the Fourth, and R Street Institute.

The stakes for user privacy in the court’s decision are extremely high. The U.S. government is attempting to overturn a Second Circuit decision holding that police cannot use U.S. warrants to compel U.S. Internet companies to disclose users’ email and digital content stored outside the United States. The appellate court reasoned that this extraterritorial application of a U.S. warrant would exceed the process Congress created — the Electronic Communications Privacy Act (ECPA) — to protect people’s privacy while allowing law enforcement access to emails. The case is titled United States v. Microsoft, and is often called “the Microsoft Ireland case.”

The U.S. government’s unilateral approach to obtaining Microsoft users’ emails would bypass the international procedures that it has previously agreed to. Specifically, the U.S. has signed treaties with 65 individual countries and the European Union, called Mutual Legal Assistance Treaties (MLATs), that enable the U.S. to apply to foreign governments where evidence of a crime is located, and ask that country to assist in collecting the evidence under its own privacy laws. The countries the United States has partnered with can similarly request that the U.S. Department of Justice help them collect evidence stored in the United States. Under MLATs, foreign countries must follow the privacy rules established by U.S. law, including the requirement under the Fourth Amendment that law enforcement obtain a warrant to search and seize content. These MLATs recognize the importance of other countries’ privacy and human rights laws. Ireland has advised the U.S. Supreme Court that it believes the MLAT process is the most appropriate means for the U.S. government to obtain the emails that Microsoft stores in Ireland.

To evade using MLATs, and get around the fact that U.S. warrants typically do not have international reach, the U.S. government is arguing that a Fourth Amendment search and seizure only occurs when Microsoft, within the United States, delivers emails to officers of the U.S. government. That is simply not the case. If Microsoft copies or moves data from Ireland to the United States on demand from the U.S. government, that is a search and seizure, and it occurs abroad. As the amicus brief EFF joined states:

Furthermore, the Government’s argument that such collection and copying does not “expand[ ] [Microsoft’s] authority over those emails” (id.) ignores that it does expand the government’s authority over them. A government-directed exercise of dominion over an individual’s private communications, by itself, is a Fourth Amendment seizure.

Further, many amici argued that emails stored on Microsoft’s server in Ireland are the property of the user who created the emails, and under a traditional property law analysis, a warrant is required for any action the government may take to access that property, which cannot be served on property held outside the United States. Analogizing emails to written letters, a coalition of Fourth Amendment scholars argued that emails retain the same protections the Court granted letters in Ex parte Jackson (1877), and that the attempt to intrude on the property interest through outside means – using technological capabilities to retrieve the emails in the U.S. – necessitated a U.S. based warrant under Kyllo (2001):

Because the emails sought by the Government are the property of the email account holder, and those emails are physically located in Ireland, any action by Microsoft to find and retrieve those emails for the Government would necessarily result in a trespass on property in Ireland. Execution of the warrant would therefore constitute an impermissible extraterritorial application of the SCA.

Although this case will decide the jurisdiction of a U.S. warrant served against U.S. technology companies, it will likely have ramifications for international law and foreign countries practices concerning access to information stored in the United States. Microsoft and other U.S. technology companies have data centers all over the world, but a large percentage of the data is still stored in the U.S., and not accessible by foreign countries under U.S. law. If the U.S. can serve a domestic warrant to access information stored in a foreign country, it would set a precedent for other countries to take similar actions. Essentially, Privacy International and other international law scholars argue that if respect for territoriality is lessened, countries would lose control over the legal processes happening within their own borders, thus losing the ability to protect the privacy and other rights of their own citizens.

EFF has long worked to ensure the greatest privacy protection for cross-border data. In the Microsoft Ireland case, we filed amicus briefs before the district court and the appellate court. We are also fighting for privacy protections at the international level in the Council of Europe, where a new treaty could allow direct foreign law enforcement access to data stored in other countries’ territories. And EFF is advocating against overbroad DOJ legislative proposals to access online content stored abroad.

It is necessary that the Supreme Court holds the U.S. government accountable for following the rules set by Congress, and by international treaty, when law enforcement agencies seek access to our private conversations stored outside the United States. The court is expected to decide this case during the spring 2018 term.

Criminal Justice, Electronic Privacy, Search and Seizure, Technology Law and Intellectual Property