Supreme Court to Decide Major Internet Privacy and Jurisdiction Case

We love the cloud. We store our documents there. Our e-mails travel through cloud or other third-party providers. Now the U.S. Supreme Court is poised to decide whether the physical location of the communications or documents themselves, or the location or citizenship of the people who are communicating, is relevant in deciding whether the government (or others) can get access to the contents of the records. In other words, does place matter anymore in cyberspace?

The case arises out of a search warrant issued by New York federal prosecutors to compel Microsoft to produce the contents of e-mails relevant to an ongoing drug case. While the Redmond, Washington, company agreed to turn over the e-mails which were located on servers within the United States, it refused to produce records outside the United States (specifically in Dublin, Ireland) as being outside the jurisdictional limit of U.S. search warrants.

The parties agreed that, if Microsoft wanted to, it could type a few keys in Redmond and “call up” these documents from the Irish servers. But that’s not the point, Microsoft asserted: The records are in Dublin.

The parties also agreed that the U.S. prosecutors could use a treaty mandating criminal cooperation between the United States and Ireland, or what is called “letters rogatory” where a U.S. Court would issue a request to an Irish Court, which would then compel the Irish entity (Microsoft Ireland) to produce records located in Ireland.

The question for the court to decide is whether the government can compel a company in the United States to produce records located outside the country simply because it has the “ability” to produce them, irrespective of the privacy rights or location of the records. You see, to lawyers, legislatures and others, those funny lines on a map—borders—mean something. It’s the difference between being a Mexican citizen or a U.S. citizen. It’s the difference between being Catalonian or Spanish. It’s the difference between free health care or bankruptcy, democracy or despotism, freedom or tyranny. But to the internet, not so much—data doesn’t care where it is. Packets don’t care what route they take from point A to point B.

If the Court rules against Microsoft, it means that companies incorporated in the United States, with headquarters in the United States, or even those with offices in the United States, affiliates or subsidiaries in the United States, or which even conduct or transact business in the United States will be subject to the jurisdiction of U.S. courts and will be required to comply with U.S. court orders. That’s fine. But it also means that anyone who uses the services of a U.S. company is subject to having their data produced by that company. Ultimately this will be bad for a range of U.S. tech companies: Customers in Tokyo would have their Tokyo-based records stored in Tokyo-based servers subject to searches by cops in Alabama because the company providing storage of these records is headquartered in the United States. You can see why non-U.S. persons and companies might reconsider their decision to “buy American.”

Whose Records Are They Anyway?

First, an important distinction: Companies that are subject to the jurisdiction of U.S. courts—whether they have offices, assets (such as bank accounts), corporate headquarters or whether they regularly transact business in the United States—can be compelled to produce their records under a subpoena or other compelled process. Thus, the federal government could compel Microsoft to produce records of its own activities in Dublin, Ohio, or Dublin, Ireland. In fact, the government could compel Microsoft to produce records of foreign headquartered subsidiaries, affiliates, etc. irrespective of where those records were physically located, provided (and this is a big provided) the entity subject to U.S. jurisdiction has “possession, custody and control” over the demanded documents. The ability to obtain the records may—or may not—be enough to demonstrate “possession, custody and control” of the records. That determination is going to be pretty fact specific, e.g., does the “custodian” of the foreign records have the right to refuse to produce the records, are they regularly exchanged between the parties, etc.? I have the ability to log into my local library and download a copy of Atlas Shrugged or the Anarchist’s Cookbook, but the “ability” to get a document is not the same as “possession, custody and control” over that document.

If the documents are corporate records within the custody of an entity subject to U.S. jurisdiction (and not otherwise protected by law) they can be compelled. Mostly.

Included in the definition of “records of Microsoft” are a bunch of things you wouldn’t think of as “records of Microsoft.” For example, if you have a Hotmail account, all of Microsoft’s records of when you set up the account; the IP addresses from which you logged into the account; how, when and where you used the account; etc. are not your records, they are Microsoft’s. So Microsoft can be forced to produce them to U.S. courts even if you are located in Killarney, and even if the records are stored in Dublin. Got it?

But there are certain records that are your records even though they may be held by Microsoft (or Amazon, Google, AOL or whomever). So if you store your documents on Google Docs, or your files on AWS, or your emails on Yahoo! mail, these are your records, not Google’s, Amazon’s or Yahoo!’s. So they aren’t theirs to give up. Records of postings on social media are a hybrid. Some are private (such as DMs), some public and some in between. Nobody said this would be easy.

Search vs. Subpoena

One reason it’s important to know whose records these are is because the government can get Microsoft’s records (or its records of how you used its service) with just a subpoena—no probable cause required. To get the contents of your communications from an ISP or provider, it needs a search warrant.

One big difference between a warrant and a subpoena is the nature of the order. A subpoena is an order telling the recipient to do something—show up in court or produce the records. It’s an order to Microsoft to produce. A search warrant, on the other hand, is an order to the police authorizing or compelling them to conduct a search somewhere and seize something specifically described in the warrant, for which a court has found probable cause. A court in Atlanta could not authorize a search for a murder weapon across the border in Tennessee or in Tbilisi, Georgia.

However, a law called the Stored Communications Act permits the government to essentially turn a search warrant into a subpoena—at least with respect to internet records. The law provides that a government agency with a court order “may require a provider of remote computing service to disclose the contents of any wire or electronic communication …” So instead of a warrant telling the cops to seize the records in Dublin, it becomes an order to Microsoft in Washington State to produce the records in Dublin.

Microsoft vs. Google

In the case before the Supreme Court, the parties agree that the documents sought are physically located in Dublin. But what about the cloud? Where does a document “reside” when bits of it may be found in various places online?  In a recent case where the government sought records from Google, the Court in Wisconsin held that Google had to produce the cloud-based records irrespective of where they were located—the opposite of what the court told Microsoft. One difference is the fact that Microsoft gave the government an option: Get the records through an Irish court. Google said not only were the records not in the United States, but it couldn’t tell where they were at any given point in time (you know, the cloud). Problem is, because Google couldn’t say where the records actually were, the only recourse to get the records was through Google in the United States.

What Will the Court Do?

This is a big deal. It will dictate whether the EU can enforce the GDPR over websites hosted by companies located in the United States. If Microsoft loses, data located in the EU regarding EU citizens on EU servers will be subject to review by U.S. courts if the legal entity with authority over the data centers is a U.S. company. On the one hand, you have sympathy for the Justice Department—companies such as Microsoft and Google should not be able to thwart U.S. investigations by arbitrary decisions about where to locate documents or records. On the other hand, at least as it pertains to venue and jurisdiction, borders matter. Texas cops can’t go into Mexico to execute a search, even if the things they want were deliberately placed in Mexico to avoid just such a search. If Microsoft loses, it is likely that non-U.S. citizens seeking to protect the privacy of their documents and communications will seek out non-U.S. providers. We see hints of this in EU resistance to Privacy Shield adequacy.

A decision by the Supreme Court is likely by late June or early July of 2018.

May 29, 2018
Mark Rasch


Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 25 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
