What happens when an American technology company receives a court order to fork over customer emails stored in a foreign country by one of its many overseas operations? What should happen?
That’s the subject of Microsoft v. United States, an interesting case working its way through the Second Circuit right now. On December 4, 2013, according to court documents, federal agents served a search warrant on Microsoft at its U.S. headquarters in Redmond, Washington under a federal law called the Electronic Communications Privacy Act (ECPA). ECPA allows law enforcement to “require the disclosure” of emails from an email account by serving a search warrant on the provider that maintains the email account. The warrant sought emails associated with a particular msn.com email address that was suspected of being associated with narcotics traffic. (ECPA does not require the government or the provider to notify the customer about the warrant.)
Unbeknownst to the government, however, the emails in the subject account were located in a Microsoft data center in Dublin, Ireland, which is operated by Microsoft’s wholly-owned Irish subsidiary. According to Microsoft, the person who created the account selected Ireland as the owner’s location, which caused Microsoft’s systems to automatically migrate the account data to Ireland and delete it from its U.S.-based servers. Although Microsoft stores some account metadata in the U.S. and retains the ability to migrate accounts to and from the United States, for reasons of network efficiency, it does not store the contents of the emails domestically.
Microsoft challenged the warrant, lost in the trial court, and was held in contempt of court for failure to produce the emails to the government. Microsoft then appealed the contempt citation to the Second Circuit. The case is scheduled for argument on September 9, 2015 in New York.
This is the most important cyberspace search-and-seizure case since last year, when the Supreme Court held in Riley v. California (2014) that cellular phones could not be searched incident to arrest without a warrant. ECPA isn’t quite as sexy as the Fourth Amendment, but it’s just as relevant for investigations involving cyberspace because ECPA generally imposes greater restrictions on law enforcement access to Internet communications than would the Fourth Amendment.
I’ll delve into some of the arguments in Parts Two and Three, and then provide some concluding observations in Part Four. In the meantime, some anonymous drug dealer’s email history remains in limbo while the case winds its way through the federal courts.