US v. Microsoft: How do you rule on the cloud when legislation is over 30 years old?
The U.S. Supreme Court heard arguments Tuesday for United States v. Microsoft Corp on whether the government can compel technology companies to disclose data stored abroad.
The Supreme Court does not hear a lot of technology cases. This case is remarkable in the justices' decision to hear it without a split among lower courts on the relevant law, section 2703 of the Stored Communications Act (SCA).
But Microsoft and other tech companies may have broken a sweat during the proceedings as the justices tried to clear up the application of decades-old legislation. The law was enacted at a time when the public did not have internet access and Congress had no idea of the cloud on the horizon or the possibility of companies storing digital data abroad.
Several of the justices noted that this may be a matter better suited for Congress to handle by updating the SCA, while others expressed concerns over long-term implications for criminal investigations and legal proceedings if technology companies can withhold data by simply storing it abroad.
Should Congress fix it?
Justices Ruth Bader Ginsburg and Sonia Sotomayor questioned whether or not the Court would be better off leaving the status quo in place, especially since a bipartisan bill is currently in Congress targeting outdated SCA provisions.
It is clear to both sides that more modern, nuanced legislation made in the purview of the cloud computing era is necessary. Justice Samuel Alito recognized the need for both congressional action but also something in the interim.
In light of this uncertainty, Michael Dreeben, Deputy Solicitor General of the DOJ, cautioned the judges against passing the case back down to the Second Circuit or maintaining the status quo.
"If Congress doesn't enact legislation, we will be here in the exact position we are today, stymied in the Second Circuit, but getting the exact same information from providers all over the country," Dreeben said.
Short of leaving the problem to Congress, Justice Stephen Breyer inquired as to whether the SCA can be adapted or understood in a more modern context, affording a "fair shot" for everybody.
Josh Rosenkranz, Microsoft's attorney, also cautioned against the court exercising too much discretion, arguing that the court needs to interpret the SCA as it stands rather than innovate or adopt it to a new standard.
"If you try to tinker with this, without the tools … only Congress has, you are as likely to break the cloud as you are to fix it," said Rosenkranz.
The devil is in the details
The arguments hinged on many technicalities, including the distinctions between subpoenas, warrants and mutual legal assistance treaties (MLAT) as they relate to 2703 and the Microsoft case. MLATs are agreements between countries to share information for law enforcement purposes and the standard mechanism for obtaining evidence from abroad.
But many of the technicalities appeared unclear to the court, including the abstract and oftentimes intangible nature of cloud data storage and retrieval.
Since a Microsoft employee in Redmond, Washington could simply press a button to retrieve the email communications in question, some of the judges tried to clear the air on what actually happens when data is retrieved from a data center and what physical and human actions are involved.
Digital information has many physical manifestations, from the human direction initiating the reading of hardware to the transfer across hardwires between continents. Rosenkranz argued that these physical traces cannot be overlooked.
Even when a robot is retrieving data, something physical is happening and some human action is involved. Simply put, "something has to happen in Ireland," Rosenkranz said, making the matter at hand extraterritorial in the view of the technology company.
Location, location, location
The question of whether this case has an extraterritorial application will be one of the deciding factors.
The presumption of extraterritoriality hinges on which branch of government is making that decision, especially the question of whether Congress intended to apply the law internationally when it passed the SCA in 1986, according to Dan Sullivan, partner at Holwell Shuster & Goldberg LLP, in an interview with CIO Dive. Sullivan co-authored an amicus brief on behalf of EU data protection and privacy scholars.
On the side of the U.S. government, Dreeben argued that "there is not an international problem here. This is largely a mirage that Microsoft is seeking to create." Dreeben also noted that the State Department and Department of Justice have not heard complaints from foreign governments so far about 2703.
Microsoft and many parties supporting it, however, argue that the warrant in this case was a gross extraterritorial application, and such actions can violate international data laws and break past the scope of 2703's application.
Chief Justice John Roberts voiced concern of what happens if the Supreme Court rules in favor of Microsoft and the protection of overseas data from the government. Specifically, could Microsoft offer data storage abroad specifically for customers that want to protect their communications from disclosure to the U.S. government?
Rosenkranz pushed back that "if customers do not want their emails to be seized by the government, they don't use Microsoft's services ... because those are available by MLATs." If the court sides with the government, this data could also be available with a warrant.
How different localities associated with stages of data's life cycle are relevant to a criminal investigation was another point of contention.
For example, the warrant was issued to Microsoft at its headquarters in Redmond, Washington. If the data had been stored domestically, Microsoft would have turned it over, and the location of disclosure would have been Washington. But the retrieval process would happen outside of Redmond, potentially even abroad.
"Why should we have a binary choice between a focus on the location of the data and the location of the disclosure? Aren't there some other factors, where the owner of the email lives or where the service provider has its headquarters?" asked Justice Anthony Kennedy.
Could Microsoft have just handed over the email?
Throughout the years of debate, the question of whether Microsoft could have have turned over the information of its own accord has certainly touched the minds of many. But could it have?
Section 2702 of the SCA handles the voluntary disclosure of customer communications by an ISP, but limits disclosure to governmental entities. Section 2703, with the issuance of a warrant, provides an exception and an avenue for the disclosure of data by an ISP to the government.
Because of these sections, Microsoft could not, of its own volition, hand over customer data to the government. "If we voluntarily disclosed, it would be a violation of our obligations to our customer. It would also, by the way, in this context, be a violation of European law," said Rosenkranz.
Come May, transfers of data from Ireland to the U.S. under an American warrant would violate GDPR requirements unless that transfer took place through the appropriate channels, said Sullivan.
Follow Alex Hickey on Twitter