Symposium: Business decisions should not control whether law enforcement can investigate local crimes
on Feb 6, 2018 at 10:25 am
Benjamin D. Battles is the solicitor general of Vermont, which filed an amicus brief with 34 other states and the commonwealth of Puerto Rico in support of the federal government in United States v. Microsoft.
Should a private company be able shield evidence of a crime from law enforcement by electronically sending that evidence out of the country? That, in a nutshell, is what the Supreme Court must decide in United States v. Microsoft. In the decision below, a panel of the U.S. Court of Appeals for the 2nd Circuit answered “yes.” Not surprisingly, every other court to consider the question — more than a dozen at last count — has emphatically answered “no.”
Email providers must disclose customer data to a requesting law enforcement agency under the Stored Communications Act, 18 U.S.C. § 2703, “pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State Court, issued using State warrant procedures) by a court of competent jurisdiction.” Section 2703 thus creates a unique procedural device — an SCA warrant — that functions like a subpoena but incorporates the privacy protections of a traditional warrant, most notably the requirement of a judicial finding of probable cause. That requirement represents the highest level of protection afforded by the Fourth Amendment. In other words, under the SCA, the government must make the same showing to search a suspect’s email account as it would if it wanted to forcibly enter the suspect’s home, search his file cabinets, and seize and examine his computers and hard drives.
The legal question before the Supreme Court in Microsoft is thus not about privacy. It is about whether Section 2703 applies extraterritorially when it requires a domestic email provider to use a domestic computer to access and copy data stored on a foreign server, and then to provide that data to a domestic law enforcement agency. Microsoft argues that application is extraterritorial and therefore unlawful, while the United States disagrees.
A statutory provision applies domestically if the conduct relevant to the provision’s “focus” occurs in the United States, according to Morrison v. National Australia Bank and RJR Nabisco, Inc. v. European Community. Regardless of whether Section 2703 focuses on disclosure to law enforcement (as the United States argues) or on user privacy (as Microsoft argues), the relevant conduct occurs in the United States. There is no dispute that the disclosure to law enforcement occurs entirely within the United States. And common sense compels the conclusion that any potential invasion of privacy also occurs here when an email provider’s employee uses a computer in this country to retrieve data that is then disclosed to law enforcement in this country. Indeed, no invasion of privacy occurs at all until the provider actually gives the data to law enforcement. Providers like Microsoft do not need permission to access and copy their customers’ data from one server to another. For example, Google divides data from a single customer file into component “chunks” or “shards,” which it then continuously copies and moves between a worldwide network of data centers. The location of a Gmail customer’s data at any given time bears no relationship to the customer’s location. Yet, according to Microsoft’s logic, when a Google employee sitting at a desk in California retrieves these shards of data to comply with an SCA warrant, the customer’s privacy is simultaneously invaded in countries around the world — from Finland to Singapore — even if the customer has never been outside the United States.
The most troubling aspect of the 2nd Circuit’s decision, however, is the unnecessary and artificial obstacles it creates for legitimate law enforcement investigations. In its brief to the Supreme Court, the United States explained how SCA warrants are a critical tool in federal criminal investigations, including cases involving terrorism and other threats to national security. The vast majority of criminal investigations, however, are conducted by state and local law enforcement agencies. These cases range from drug trafficking and burglary to murder and child sexual exploitation. State and local law enforcement routinely use SCA warrants to obtain key evidence in these investigations. And prior to the 2nd Circuit’s decision, providers routinely complied with these requests without protest.
Following the 2nd Circuit’s decision, however, providers — most notably Microsoft, Google and Yahoo — began relying on that decision in courts around the country to refuse to comply with any SCA warrant that would require copying data from a foreign server. Such refusals have been made even when (i) a court found probable cause that the targeted email account was used in connection with a domestic crime, (ii) the provider could access the requested data from within the United States, (iii) the account user and the provider were both located in the United States, and (iv) law enforcement would receive and review the requested data in the United States. As demonstrated by the experience of Vermont’s Internet Crimes Against Children Task Force, this has created serious problems.
This Vermont task force investigates and prosecutes people who use online communications to sexually exploit children. Since 2008, the task force has prosecuted nearly 200 cases involving child pornography and child sexual assault or exploitation. In the past two years alone, the task force has obtained hundreds of subpoenas and search warrants, many of which were issued under the federal Stored Communications Act and its state law counterpart.
The task force recently litigated three motions to compel compliance with SCA warrants against Google. Each case involved someone present in Vermont using a Gmail account to sexually exploit children. In each case, a court found probable cause to believe a crime was committed in Vermont and that the suspect’s email account would contain evidence of that crime. And in each case, Google relied on the 2nd Circuit’s Microsoft decision to refuse to disclose the requested data, thereby denying investigators access to time-sensitive electronic evidence that could have been used to identify victims and prevent ongoing crime. A Vermont trial court ordered Google comply with the warrants, but Google appealed to the Vermont Supreme Court. After the United States Supreme Court granted certiorari in Microsoft, Google dropped its appeal and finally provided the requested data, nearly 10 months after a court first determined the company had data needed in a serious criminal investigation involving the potentially ongoing sexual exploitation of children by a Vermont resident.
Vermont’s experience is not unique. Law-enforcement agencies around the country have experienced similar problems because of the decision below. In Utah, for example, a provider refused to comply with a warrant that sought the contents of an account police knew contained a photograph of the suspect sexually abusing a minor. And in California, a provider recently refused to comply with a warrant for the contents of a cloud account that could be instrumental in determining the timeline and location of young girl’s disappearance and suspected murder. Providers have refused to comply with SCA warrants for email data in sexual-exploitation investigations in a number of other states, including Massachusetts, Indiana, Illinois, Mississippi, New Hampshire, New Jersey and Texas. Although these examples involve child-exploitation investigations, the problem is far more widespread. Given the ubiquity of email and other electronic communications, this issue can potentially arise in any criminal investigation.
And these are just the problems under various providers’ current systems. Nothing prevents Microsoft or any other provider from choosing at any time to store all of its customers’ data on foreign servers. Under the 2nd Circuit’s reasoning, providers have carte blanche to fashion their network architecture and store their customers’ data beyond the reach of domestic law enforcement. The ability of state and local law enforcement to investigate and prosecute crime in their jurisdictions should not be held hostage to the business decisions of private corporations.