Andrew Keane Woods is an assistant professor of law at the University of Kentucky College of Law.
On one level, United States v. Microsoft Corp. presents a fairly straightforward matter of statutory interpretation. The statute in question — the Stored Communications Act — is silent about its territorial reach, which raises at least two questions: (1) Is it an extraterritorial application of the statute to issue a U.S. warrant in Washington state for data that Microsoft holds in Ireland, and (2) does the statute apply extraterritorially? Because the statutory issues are covered at length by other posts in this symposium and in the briefing before the Supreme Court, I thought I would say a few words about what is not in the briefing.
Much like Apple’s dispute with the FBI, this case has attracted interest from around the globe. It is seen as a test both of U.S. government efforts to access foreign data — the first time our highest court has considered that issue — and of one nation’s efforts to exert control over a hugely powerful internet company. These two questions matter — symbolically, politically, as a matter of precedent — to the rest of the world. The Supreme Court will, we should hope, deploy its usual arsenal of statutory-interpretation tools and foreign-affairs doctrines to arrive at a sensible solution. But whatever happens in the case, the following issues will persist and reappear in future cases.
Court-made internet policy
One thing that nearly everyone agrees on in this case — including the U.S. Court of Appeals for the 2nd Circuit’s majority and dissenting opinions — is that Congress can and should help the Supreme Court by legislating on whether the SCA ought to apply in this scenario. Rather than court-made policy built to suit the facts of a single case, the argument goes, we would be better off with legislation that fairly and fully reflects the views of all stakeholders involved. The Senate appears poised to meet that need with the recent release of the CLOUD Act of 2018. That bill may moot the present case, but it will not resolve larger questions about institutional competence in crafting global technology policy.
Is it wise for courts to rule on internet policy disputes that have foreign affairs implications? Or should they refrain from doing anything that might affect another sovereign state’s interests? How one feels about this question may reflect one’s feelings about judicial deference to the political branches more generally. As the briefing suggests, there are longstanding canons of statutory construction that serve to limit a court’s role in foreign affairs cases.
But court-made technology policy is not all bad. One thing that can be said for courts is that they actually hear cases and controversies. And although courts can be criticized for making policy incrementally, one case at a time, this can be just as much a feature as it is a bug. Legislators are slow to act, and when they finally do act, they often attempt to fix many things at once and far into the future. But in an area involving rapid technological change, big one-time, far-reaching regulatory acts — especially those that are hard to reverse — may not always be preferable to smaller, case-by-case incremental changes to the existing rules.
Even if one thinks that it would be desirable, in an ideal world, for courts not to engage in anything approaching foreign affairs, this is not always possible. The more globalized the world becomes, the harder it is for courts to resolve disputes without doing so in a way that has some extraterritorial effect. This is especially true in the context of internet disputes, and even more so when a ruling will affect an American service provider with a huge foreign footprint and foreign customer base. (Indeed, the majority of the most popular web-service companies in nearly every country in the globe are American; most of the customers of American internet firms reside outside the U.S.)
Privacy on the internet
Another issue implicated by this case — and indeed driving much of the interest in its outcome — is user privacy on the internet. Much of the briefing suggests that (a) the case is fundamentally about user privacy and (b) a win for Microsoft is a win for privacy. I’m not sure either of these is right. First, this is a case in which the government has convinced a federal judge that it has probable cause to seek the user’s data. As privacy advocates know, the Fourth Amendment sets quite a high bar as compared to other countries’ search-and-seizure standards. So no one should be arguing that this case somehow represents a violation of this particular suspect’s privacy. We might have a discussion about which privacy rules ought to apply in this case, Irish or American. Under the logic of Microsoft’s victory in the 2nd Circuit, the appropriate rule regarding government access is the law of the place where the data rests on servers — Ireland — rather than, for example, the law of the place where the search originates. So is the user in this particular scenario better off under an Irish privacy rule than under the American Fourth Amendment standard? I’m not an expert in Irish search-and-seizure law, but I am told that he is not. So much for the claims about the individual user’s privacy.
But beyond this case, privacy advocates might ask, will there be more privacy in the world if the U.S. government has to go through diplomatic channels to get access to this sort of user data in the future? It is simply not clear that if Microsoft wins the world will have more privacy than it had before — and it may very well turn out the other way. If Microsoft prevails, especially under the logic of the 2nd Circuit’s decision, the SCA likely will no longer apply to user data stored in other countries. This could mean — because the SCA is both a sword and a shield — that American firms can no longer tell foreign governments they must meet the strictures of the SCA (and request U.S. government help) to compel user data. This would make firms that store data outside the U.S. less able to resist demands from law enforcement around the world. Whether that means more or less privacy for users will depend on the relative strength of privacy laws around the world as compared to U.S. law.
Ultimately, the debate is not about “which privacy rule ought to apply in this case,” but rather, as a jurisdictional matter, “which state ought to be able to compel the data?” And the optics of that debate are significant, especially in a world in which foreign governments regularly struggle to assert their authority over American technology firms.
Perhaps more than any other theme, this case highlights the ongoing global struggle over state authority to create and enforce internet policy. This is something we’ve seen in a number of high-profile disputes: the struggle between the United States, China and Russia over internet governance at the International Telecommunications Union; the diplomatic and commercial fallout after Edward Snowden’s revelations about U.S. surveillance of the world’s internet traffic; the repeated failure of cybersecurity norms initiatives; and more. This case matters around the world because it is seen as part of the wider struggle over how and where states can shape the internet in their image.
How far should any state be able to reach into corporate networks in order to satisfy law-enforcement demands? This is a hard question, but in this particular instance it is worth noting that it is made considerably harder by global politics post-Snowden. Trust — in both American firms and the U.S. government — is simply too low. One could imagine a world in which the Snowden disclosures had never occurred and as a consequence: (1) Microsoft would not resist the warrant in the first instance and (2) even if it did, privacy groups and foreign governments would not come to its aid. But we do not live in that world. We live in a world in which a loss for the U.S. government is a per se victory for some.
Is it a victory for all foreign governments? Not obviously. This case requires foreign governments to walk a bit of tightrope — evident in the foreign-government amicus briefs — because many of them see the case as a chance to assert limits to U.S. influence over the internet abroad but also a chance to say to powerful internet companies that they must heel to law enforcement demands. That is, what appears to be foreign-government support for Microsoft is instead, in part, support for the general idea that foreign states ought to be the primary rule makers over how the internet behaves in their territory — an argument made against private firms and the U.S. government alike.
These issues will not be resolved by the Supreme Court’s decision. They may not even play a prominent role at oral argument on February 27. But whatever doctrinal arguments prevail at the court, they are motivated by the shifting of these tectonic themes.