Microsoft Wins Closely Watched Email Privacy Case Over Feds

Microsoft scored a major legal victory against the U.S. government Thursday, when a federal appeals court ruled that federal investigators cannot compel the company to turn over customer emails stored on a server outside American borders.

In the case decided Thursday by the 2nd U.S. Circuit Court of Appeals in Manhattan, federal agents sought the email records of an individual implicated in a drug investigation. While that individual’s citizenship and physical location have not been revealed, his MSN email records were stored on a server in Ireland.

Microsoft argued that if compelled to turn over emails stored abroad, the company may face a deluge of similar requests — with dire privacy consequences. Chinese authorities, for example, could order the company to produce email records stored in the United States under similar legal reasoning, the company’s lawyers have argued.

In her ruling, Judge Susan Carney found that the Justice Department could not rely on the Stored Communications Act to require Microsoft to produce material stored overseas, and that a warrant for digital data turns on where that data are stored.

“Because the content subject to the warrant is located in, and would be seized from, the Dublin data center, the conduct that falls within the focus of the [Stored Communications Act] would occur outside the United States, regardless of the customer’s location and regardless of Microsoft’s home in the United States,” Carney wrote.

Brad Smith, Microsoft’s president and chief legal officer, cheered the ruling in a statement. “This decision provides a major victory for the protection of people’s privacy rights under their own laws rather than the reach of foreign governments,” he said.

The case has been closely watched by Silicon Valley firms because it has huge implications for the government’s ability to compel companies to turn over information. That’s especially relevant in today’s era of cloud computing, where user data are stored on a server and accessed remotely. To improve the speed with which a company delivers data such as emails to its users, Microsoft has built data centers around the world to place that data as physically close to its customers as possible.

Decreasing that distance also decreases what is called “latency,” or lags in delivering data to a customer. That means Microsoft has dispersed its customers’ emails, photos, and stored records all over the world. And when the cops come knocking with a warrant, the data they seek may be stored on the opposite side of the world.

“Lawfully accessing information stored by American providers outside the United States quickly enough to act on evolving criminal or national security threats that impact public safety is crucial to fulfilling our mission to protect citizens and obtain justice for victims of crime,” Justice Department spokesperson Peter Carr said in a statement. He added that the department is disappointed with the decision and is considering its options.

In the tangled world of international legal cooperation, the Justice Department could in theory use what is known as the mutual legal assistance process to secure Ireland’s help in producing the data at issue in Thursday’s ruling. But the so-called MLAT process is notoriously slow and overburdened, both in the United States and overseas.

The hurdles to accessing user data held by foreign countries have led some countries to require that their citizens’ information be held on servers inside the country — to better enable surveillance and investigations. Russia warned Twitter in November that it risks being blocked in the country if it doesn’t move Russian users’ data inside the country.

Thursday’s ruling comes amid a broader fight between the government and business over accessing user data. The increasing embrace of end-to-end encryption — a technology that allows messages or data to be unscrambled only by the individual user — by companies such as Apple and WhatsApp has left these firms unable to comply in some cases with court orders.

This year, the Justice Department sparked an acrimonious battle with Apple when it went to court to force Apple to undermine the security features of an iPhone belonging to one of the attackers who killed 14 people in San Bernardino, California, in December. Federal lawyers ultimately backed down in that case after the FBI found a way to hack into the phone.

Just as Apple received widespread support from the tech industry in the San Bernardino case, a bevy of technology companies and privacy groups backed Microsoft’s position against the federal government.

Unlike the Apple case — in which the company lacked the ability to access the phone belonging to Syed Rizwan Farook without breaking its own security features — Microsoft had the technical ability to produce the emails at issue in Thursday’s ruling. The case illustrates how laws governing access to electronic records — written long before the internet revolution — have failed to keep pace with technological development.

Jennifer Daskal, a law professor at American University who has written extensively about the issue, said that Thursday’s ruling was correct on the legal merits, but that a regime in which access to data depends on where it’s stored doesn’t make a great deal of sense.

Congress should consider writing legislation where the so-called warrant authority to access information depends on a suspect’s nationality, his location in the world, and a court’s jurisdiction to investigate a crime, Daskal said.

Legislation introduced in the Senate — dubbed the International Communications Privacy Act — would create such a regime. Smith said in his statement that “the protection of privacy and the needs of law enforcement require new legal solutions that reflect the world that exists today” and that he was “encouraged by the recent bipartisan support that has emerged” for that bill.

David Ramos/Getty Images