The US Supreme Court will review a Department of Justice request to overturn a landmark appeals court decision in favor of Microsoft over protections for company data stored overseas, mostly out of reach of US law enforcement.
The Supreme Court announced it had added the case to its docket on Monday.
In the appeal submitted on Friday, the DOJ argued that the Second Circuit Court of Appeals ruling “has created a regime where electronic communication service providers… can thwart legitimate and important criminal and national security investigations.”
Microsoft and the DOJ have gone back and forth for four years over the tech giant’s cloud server in Dublin, Ireland, which the American government believed held key evidence for an investigation into narcotics trafficking.
The Microsoft customer under investigation told the company he was based in Ireland when he signed up for his account. The government issued a warrant to Microsoft to hand over email content that is stored on the server, because they believed the information would help them pin a notorious drug trafficker.
Under the 1986 Electronics Communications Privacy Act, aka the ‘Stored Communications Act,’ a service provider must disclose electronic communication to a government body if it will help with a criminal investigation. Microsoft refused to comply, arguing that the US did not have authority to make a request for information stored outside its borders.
After being found in contempt of court, Microsoft issued a formal challenge, but the decision was upheld in April 2014. A second appeal by the company to a higher court led to another loss. In July 2016, however, the Second Circuit Court of Appeals unanimously overturned the lower court’s decision.
“Neither explicitly nor implicitly does the statute envision the application of its warrant provisions overseas,” said the Seattle-based federal court said, referring to the Stored Communications Act.
Judge Gerard Lynch argued that the attempt to apply US law overseas could cause tensions with other countries, “most easily appreciated if we consider the likely American reaction if France or Ireland or Saudi Arabia or Russia proclaimed its right to regulate conduct by Americans within our borders.”
Much of the tech sector – including Amazon, Apple and Verizon – has opposed the US government’s position on this case.
“If US law enforcement can obtain the mails of foreigners stored outside the United States, what’s to stop the government of another country from getting your emails even though they are located in the United States?” Brad Smith, Microsoft’s president and chief legal officer, said in a blog post on Monday.
Critics of Microsoft’s stance, however, argue that law enforcement agencies around the world struggle to get the data they seek in connection with legitimate law enforcement operations, and sometimes resort to extreme measures.
“Cops in Brazil, India, and the U.K. are tired of American technology companies telling them they will not comply with a local judge’s warrant to compel data – something those companies are often barred from doing under ECPA. This is why many states are starting to get serious about the idea of forced data localization – compelling technology companies that operate on their soil to store data there too,” Andrew Woods wrote in the Brookings Institution blog TechTank.
If localization were enforced, it would impose enormous costs on technology companies, lower privacy protections for users, and make them less likely to use cloud services.
Congress has been exploring ECPA reforms. The House Judiciary Committee voted 28-0 in April 2016 to approve the Email Privacy Act which would require law enforcement to obtain warrants from a judge before forcing companies to hand over access to emails or other electronic communications, no matter how old they are. Under ECPA, the government only needs to bring a subpoena against a company.
Microsoft has complied with government requests under the act before, as well as similar laws from other jurisdictions around the world. Twice a year, the company publishes a country-by-country report on how it handles law enforcement requests.
This will be the second case on the Supreme Court’s current docket dealing with privacy rights in the digital age and the companies that hold that data. The other case, Carpenter v. US, is over whether police officers need a warrant to access historic location information on cell phone users that is held by wireless carriers.