If a company like Microsoft stores emails in data centers located abroad, are those emails out of the reach of U.S. prosecutors?
That was the question before the U.S. Supreme Court this week. The case involves a warrant the Drug Enforcement Administration obtained under the authority of the 1986 Stored Communications Act. The DEA was after the emails of a drug trafficking suspect. Microsoft, however, has those emails stored in a data center in Ireland. It argues that Stored Communications Act warrants can’t be applied in other countries and refuses to turn over the emails.
A federal appeals court agreed with Microsoft. In 2016, the 2nd Circuit Court of Appeals said that these warrants only apply domestically. Unfortunately for the DEA, that ruling is hampering its ability to get its hands on email evidence stored in any of Microsoft’s data centers, which are located in 40 countries. Furthermore, other tech companies such as IBM, Apple, Verizon, Amazon and Google have come down on Microsoft’s side.
Everyone involved in the case, including the Supreme Court justices, agrees that the Stored Communications Act is out of date. In 1986, email itself was largely unknown and cloud storage wasn’t even imagined. The best solution would be for Congress to update the law, but there is no guarantee that will happen in a timely fashion. In the meantime, the administration wants to get hold of emails stored on Microsoft servers abroad. Can they?
The Department of Justice argued that it’s a simple matter of directing a computer operator in Redmond, Washington, to retrieve the emails from Ireland. The warrant doesn’t actually have to apply abroad.
Microsoft responded that the process involves activity within Ireland’s sovereign borders. Even though a robot would do the work, the emails would run “through Ireland on hard wires and then over the Atlantic.”
The DOJ argued that Microsoft is itself responsible for the emails being stored in Ireland and could easily make a business decision to move them back to the U.S.
Microsoft said that it’s not chance that located the emails abroad. The customer whose emails are at issue told the company when he signed up for his account that he was based in Ireland. If that is true, the U.S. government may be seeking evidence located on Irish soil for a case against an Irish national.
Should the U.S. government have the authority to obtain evidence located anywhere in the world simply because a U.S. company has the technical ability to access it? Or should the government be required to work with international law enforcement or with the foreign government involved?