US search powers extend to data stored on foreign servers, rules judge

Out-Law News | 30 Apr 2014 | 3:29 pm | 3 min. read

US authorities can exercise powers to search through electronic data stored by US companies on foreign-based servers, a US judge has said.

A district court judge in New York rejected claims by Microsoft that a warrant issued to it by US law enforcement to search data the company held was unauthorised because the data was stored on servers in Ireland.

The technology giant claimed that powers the US government has to search and seize data stored by US organisations, under the Stored Communications Act (SCA), where they have obtained a warrant to do so do not extend beyond the "territorial limits of the United States". However, the judge rejected the company's arguments.

"Even when applied to information that is stored in servers abroad, an SCA Warrant does not violate the presumption against extraterritorial application of American law," judge James Francis said.

In his ruling, judge Francis said that the way the SCA was drafted and intended to apply by US law makers did not support Microsoft's argument.

"Although [the SCA] uses the term 'warrant' and refers to the use of warrant procedures, the resulting order is not a conventional warrant; rather, the order is a hybrid: part search warrant and part subpoena," the judge said in his ruling. "It is obtained like a search warrant when an application is made to a neutral magistrate who issues the order only upon a showing of probable cause."

"On the other hand, it is executed like a subpoena in that it is served on the ISP in possession of the information and does not involve government agents entering the premises of the ISP to search its servers and seize the e-mail account in question. This unique structure supports the government’s view that the SCA does not implicate principles of extraterritoriality. It has long been the law that a subpoena requires the recipient to produce information in its possession, custody, or control regardless of the location of that information," he added.

In addition, the judge said that the "practical consequences that would flow" from accepting Microsoft's argument meant that the company's claims had to be rejected.

He said it would be wrong to solely rely on mutual legal assistance treaties (MLATs) that apply between the US and other countries to allow the US government to recover information held by US companies but stored abroad. He pointed to the "slow and laborious" process entailed in following the MLATs and said that countries often have the power to reject requests from others too.

The judge also said that the MLATs framework was only agreed between the US and around 60 other countries and that Microsoft's argument further did not account for cases where data is stored at sea, such as under plans reportedly being considered by Google.

"Google has reportedly explored the possibility of establishing true 'offshore' servers: server farms located at sea beyond the territorial jurisdiction of any nation," judge Francis said. "Thus, under Microsoft’s understanding, certain information within the control of an American service provider would be completely unavailable to American law enforcement under the SCA. The practical implications thus make it unlikely that Congress intended to treat [an SCA warrant] as a warrant for the search of premises located where the data is stored."

In Europe there has been significant debate at political level about the extent to which data held by European businesses can be accessed by US authorities when those businesses contract with US-based cloud providers to store that information. The debate has intensified in recent months following the leak of information by whistleblower Edward Snowden about the alleged surveillance practices of the US' National Security Agency.

In an effort to appease those privacy concerns in Europe, Microsoft earlier this year said that it would offer businesses the chance to store data at data centres based outside of the US.

In light of the New York district court's ruling, Microsoft said that the judgment was "a necessary step in our effort to make sure that governments follow the letter of the law when they seek our customers’ private data in the future". It said higher courts in the US will have the power to "correct the government’s longstanding views on the application of search warrants to content stored digitally outside the United States".

"It’s generally accepted that a US search warrant in the physical world can only be used to obtain materials that are within the territory of the United States," said David Howard, corporate vice president and deputy general counsel at Microsoft, in a company blog. "A US prosecutor cannot obtain a US warrant to search someone’s home located in another country, just as another country’s prosecutor cannot obtain a court order in her home country to conduct a search in the United States. That’s why the US has entered into many bilateral agreements establishing specific procedures for obtaining evidence in another country. We think the same rules should apply in the online world, but the government disagrees."

"To be clear, we respect the critical role law enforcement plays in protecting all of us. We’re not trying to frustrate any government investigations, and we believe the government should be able to obtain evidence necessary to investigate a possible crime. We just believe the government should have to follow the processes it has established for obtaining physical evidence outside the United States," Howard added.