It’s no secret that the Electronic Communications Privacy Act and Title II of the ECPA, the Stored Communications Act, passed in 1986, are in desperate need of a complete overhaul. Or that the privacy rights of citizens are in serious play given the prevalent use of the cloud to conduct business and that Congress has not acted despite having proposed legislation pending for years and requests from courts seeking guidance.
So I’m hopeful that the Supreme Court’s decision last Monday to take up a case this session will spur Congress to get off their rear ends and take action before we end up with more law about an outdated statute with no hope of being read to apply to the hyper technological world in which we live.
The case, In the Matter of a Warrant to Search a Certain E–Mail Account Controlled and Maintained by Microsoft Corporation, began in 2013 when Magistrate Judge James Francis IV issued a warrant under the SCA on the government’s application for information on an email account, having found probable cause to believe that the account was being used in furtherance of narcotics trafficking. The government then served the warrant on Microsoft at its headquarters in Redmond, Washington.
Microsoft produced the information about the account that was within the United States, but moved to quash the production of the actual emails from the account on the grounds that they lived on a server outside of the U.S. — in Ireland. Microsoft argued that the warrant power of Federal Rule of Criminal Procedure 41 — which it applied to the term “warrant” as used in the SCA — did not extend beyond the borders of the United States and that there was no Congressional intent in the SCA to extend the powers of the United States government without some additional grant of authority in cooperation with Ireland.
The government moved to compel production of the emails from the account. In a very well-reasoned and dense nine-page opinion, Judge Francis reviewed the legislative history of the SCA as well as the more recent section of the Patriot Act that provided for nationwide search warrants for electronic evidence and found that because Microsoft needed only to access the data stored outside the country from within the U.S. rather than physically enter Ireland, the warrant was permissible. For the sake of brevity, I won’t articulate each of the arguments here, but I strongly encourage you to read the opinion in full.
On appeal to the Second Circuit, more than 20 tech companies — from Google to Verizon to Salesforce.com — filed amicus briefs in support of Microsoft’s position that a warrant under the SCA cannot extend to information outside the U.S. Earlier this year, on January 24, 2017, the Second Circuit issued it’s opinion reversing the District Court and quashing the warrant requiring the production of data from outside the U.S. as beyond the warrant power of the SCA.
The government filed a petition for certiorari with the Supreme Court and 33 states submitted a brief asking the Court to take the case, arguing that:
Although the decision below technically binds only federal courts in the
Second Circuit, it is impacting law enforcement agencies nationwide. Several prominent email providers – notably, Google and Yahoo! – are relying on the decision to resist warrants issued under the Stored Communications Act and its state law counterparts any time compliance would require retrieving data from a foreign server. The decision below is therefore directly interfering with the amici States’ ability to investigate
and prosecute crime in their jurisdictions.
The Court granted certiorari this past Monday, October 16, 2017. In a nutshell, the case poses this question: Whether a United States provider of email services must comply with a probable-cause-based warrant issued under 18 U.S.C. § 2703 by making disclosure in the United States of electronic communications within that provider’s control, even if the provider has decided to store that material abroad.
Following the grant, Brad Smith, President and CEO of Microsoft, issued this statement discussing the need for new legislation to address the open issue and identifying pending legislation called the ICPA — the International Privacy Communications Act. The ICPA, introduced into the Senate by a bipartisan group of senators, would require production of ESI by a service provider regardless of where the ESI is located as long as the government meets the increased requirements for a warrant, which include taking all reasonable steps to establish that the nationality and location of the user whose communications are sought AND that there are reasonable grounds to believe that such subscriber or customer is a U.S. citizen, physically located in the U.S. or a national of a foreign country that has a law enforcement cooperation agreement with the United States.
Now, I have only limited experience as a prosecutor during law school, but knowing how fast ESI changes, and the complex machinations that those who want to do harm will undertake to engage in criminal activity, these proposed increased warrant requirements look like they will work to thwart law enforcement and the government from being able to uncover these communications. (And, in fact, that seems to be the position of the 33 states on the brief asking the Supreme Court to take the case.) Note that I am not taking a side here, but I’m not sure that this proposed legislation does the job of balancing my privacy rights with the need for law enforcement to get information to break up drug cartels, human trafficking rings, and other criminal activity that is facilitated by the speed of our communications thanks to technology. What if the actor is not a U.S. citizen but uses Gmail and Google could access his account from sunny California? Under the proposed ICPA, our government would have no ability to seek that user’s email from Google.
What if the government did make a showing under the proposed ICPA, and the contents of that account pointed to another actor as the kingpin, but that kingpin was based outside the U.S.? The current legislation outlines no situation in which U.S. authorities would be permitted to retrieve that actor’s email to bring down the mastermind of the criminal activity. There’s a reason why we wanted and got Osama Bin Laden. Good thing he didn’t use email,
The point is that all of this takes time, and time is rarely what law enforcement has.
At least three subsequent district court decisions since the Second Circuit’s ruling in Microsoft have sided with the dissenters in that case and upheld warrants under the SCA seeking data outside the United States where the only point of access for that data was within the jurisdiction of the federal court presiding over the investigation. See, e.g., In re Information associated with one Yahoo email address that is stored at premises controlled by Yahoo; In re Search Warrant to Google, and In the Matter of the Search of Content that is Stored at Premises Controlled by Google.
These decisions raise two very important points about the need for Congressional intervention: first, it’s a desperate situation and one that requires guidance. Criminals who seek to undermine the U.S. and our civil liberties are using technology against us and our antiquated laws are letting them get away with it. Second, Congress needs to involve both sides of the discussion in hashing out a new law that addresses all possible situations and that continues to be revisited annually to evolve as technology and new situations evolve. In short, Congress, you have to move much faster on this to protect your constituencies.
This is a moving target and one law that stands for 30 years won’t do it. There are people who know and understand the various scenarios that can result from uncovering ESI and where that might lead to help provide real guidance on creating laws that can balance privacy concerns and the needs of law enforcement. Higher burdens on our existing warrant requirements may be part of the answer, but it’s not the whole solution.
As lawyers, we are often guilty of our own hubris — believing we are smart enough to have all the answers, even when we don’t understand the subject matter. So Congress, as you move forward — and please move forward quickly — get the experts in the room to help you work out these complex scenarios. It’s not just about what you know about the law, it’s what you know about how ESI works, is created, stored, and managed, and the ways in which it can be manipulated to defeat concrete requirements in a statute.
We are the United States of America. Let’s act like it. Let’s put together real legislation that will help navigate these difficult and challenging waters by providing practical solutions that balance citizens’ privacy and the need for information to protect those same citizens.
Kelly Twigger gave up the golden handcuffs of her Biglaw partnership to start ESI Attorneys, an eDiscovery and information law Firm, in 2009. She is passionate about teaching lawyers and legal professionals how to think about and use ESI to win, and does so regularly for her clients. The Wisconsin State Bar named Kelly a Legal Innovator in 2014 for her development of eDiscovery Assistant— an online research and eDiscovery playbook for lawyers and legal professionals. When she’s not thinking, writing or talking about ESI, Kelly is wandering in the mountains of Colorado, or watching Kentucky basketball. You can reach her by email at [email protected] or on Twitter: @kellytwigger.
