Nearly all Internet users interact with “the cloud” every day, but most never consider what — or where — “the cloud” is.1 As it turns out, “the cloud” is composed of server farms2, and a server farm, also known as a data center, is a group of servers in one location connected by a network.” Id. (citations omitted). located all over the world.3 Companies like Google, Facebook, Apple, Microsoft, and Amazon now host large quantities of data abroad,4 raising novel jurisdictional questions. Recently, in Microsoft Corp. v. United States,5 the Second Circuit held that the government cannot compel Internet Service Providers (ISPs) to turn over data stored overseas, even with a warrant.6 The court did not acknowledge the unique “un-territorial” nature of data, instead proceeding as if it were considering a physical object. Increasingly, courts must apply old laws to new technology. In doing so, they can either acknowledge the unique features of modern technology, or, like the Second Circuit, they can disregard these differences. Only the first approach allows courts to grapple with the legal issues generated when old law meets new tech.7 In Microsoft, the majority did not engage with the emerging scholarly consensus that the “where” of data is not a straightforward inquiry.8 It thus did not address the novel issues implicated in this case and failed to reason through its decision fully.
In December of 2013, Magistrate Judge Francis of the Southern District of New York issued a warrant under the Stored Communications Act9 (SCA) for the content associated with a Microsoft Network (MSN) email address.10 Microsoft handed over responsive data stored in the United States.11 However, much of the requested information was stored on a Microsoft server in Ireland.12 Believing the data in Ireland to be beyond the jurisdiction of the warrant, Microsoft moved to quash the warrant.13
The magistrate judge denied the motion, and Judge Preska affirmed for the Southern District.14 The court noted that a traditional search warrant cannot be executed outside of the United States,15 but that the language of the SCA is ambiguous regarding jurisdiction.16 An SCA warrant, the court reasoned, is a hybrid between a search warrant and a subpoena.17 Its subpoena-like qualities supported the government’s position — a subpoena recipient must hand over information it controls no matter where that information is located.18 The practical consequences of its decision bolstered the court’s conclusion: letting Microsoft withhold the data stored in Ireland would allow criminals to evade SCA warrants by forcing the government to rely solely on Mutual Legal Assistance Treaties (MLATs) to obtain information stored abroad.19 This could not have been Congress’s intention — MLATs are slow and unreliable, and many countries have no MLAT with the United States.20 Finally, the court noted “the concerns that animate the presumption against extraterritoriality are simply not present” in this case.21
The Second Circuit reversed. Writing for the majority, Judge Carney22 held that the SCA does not apply extraterritorially, and that requiring Microsoft to turn over the disputed data would constitute an extraterritorial application of the statute.23
Applying the two-part test for extraterritoriality laid out by the Supreme Court, the court first concluded that the SCA does not apply extraterritorially.24 The court found no indication of Congress’s intent to override the strong presumption against the extraterritorial application of statutes.25 Further, the court held that the word “warrant” was a term of art, whose meaning was tied to Fourth Amendment search warrants that “protect[] privacy in a distinctly territorial way.”26 The court rejected the government’s argument that an SCA warrant is a search warrant/subpoena hybrid: the SCA itself distinguishes between subpoenas and warrants,27 and nowhere uses the word “hybrid.”28
Second, the court held that compelling Microsoft to turn over the data stored in Ireland would be an extraterritorial application of the SCA.29 To reach this conclusion, the court had to determine the “focus” of the SCA’s warrant provision.30 If the “domestic contacts” of the case did not fall within the focus of the SCA, then the warrant would constitute an extraterritorial application of the statute.31 The court concluded that the focus of the SCA was protecting privacy.32 The court supported this conclusion by pointing to the SCA’s reference to the federal rule governing traditional search warrants,33 and to the fact that the SCA was passed as part of the Electronic Communications Privacy Act, with the word “privacy” in its very title.34 The court further noted that the SCA protects privacy in a variety of contexts unrelated to government requests, which undermined the government’s claim that the statute’s focus was aiding law enforcement.35 Since the SCA’s focus was privacy, and the privacy interest was in Ireland, compelling Microsoft to turn over the data in question would be an extraterritorial, and thus unlawful, application of the SCA.36
Judge Lynch concurred in the judgment.37 He began by stressing what the case was not about: privacy.38 A warrant, issued by a neutral magistrate under a showing of probable cause, is the “highest level of protection ordinarily required by the Fourth Amendment.”39 Judge Lynch doubted that privacy interests would be better protected by “the business decision[] of a private corporation” than by “the traditional constitutional safeguard” of a search warrant.40
For Judge Lynch, the case boiled down to a dispute over the “international reach of American law.”41 He agreed with the majority that the SCA contained no indication that it should apply extraterritorially.42 He went a step further than the majority as to why that was so: in 1986, the year it passed the SCA, Congress could not have foreseen the developments of modern cloud technology.43 Due to the nature of cloud technology, whether compelling disclosure of the data stored in Ireland would constitute an extraterritorial application of the SCA was a very close question. After all, data in the cloud is not nearly as physically moored as tangible objects, and “[t]he entire process of compliance [with the warrant would] take[] place domestically” with a few clicks on a computer.44 But because the nationality of the account holder was unknown and that person may not have been from the United States, Judge Lynch ultimately did not believe that Congress wanted “to reach situations of this kind.”45 The warrant was thus an unlawful extraterritorial application of the SCA.46
When courts must apply old laws to modern technology, they face a choice: they can treat technology as they would anything else, or they can acknowledge its unique qualities and consider adapting their application of existing laws accordingly. The trouble with choosing the former, as the Microsoft court did, is that “[a] law created for one world may have a very different impact when applied to the facts of a different era.”47 When courts ignore the technological elephant in the room, they risk failing to evaluate the novel issues that arise with modern technology — issues that might require an adjustment to existing legal doctrine. In this case, after the majority concluded that the SCA could not be applied extraterritorially, it had “little trouble concluding that the execution of the [w]arrant would constitute an unlawful extraterritorial application of the [SCA].”48 The court did not consider how the application of the presumption against extraterritoriality to data might differ from its application to a physical object, therein overlooking the growing scholarly debate over this question. Reasonable minds may disagree whether the court’s ultimate conclusion was correct, but the court’s failure to consider the unique attributes of data reflects incomplete reasoning getting there. In essence, the court skipped a step, because it didn’t think to check whether the step was there.
Microsoft was decided in the context of deep uncertainty regarding the territoriality of data among legal scholars49 and ISPs50 alike. Many commentators have concluded that “the very idea of online data being located in a particular physical ‘place’ is becoming rapidly outdated.”51 According to Professor Jennifer Daskal, the utility of “territorial-based dividing lines” depends on two assumptions: “that objects have an identifiable and stable location,” and that “location matters.”52 Cloud-stored data undermines both assumptions. First, data moves around the world quickly,53 often fragmented and stored on multiple servers.54 Second, the “disconnect between the location of data and the location of its user” means that data’s “location” should not hold much significance.55 Because the whereabouts of cloud-stored data is out of the user’s control — and often information that is not even available to the user — the notion that the location of data would matter more than the location of the person creating the data simply does not make much sense.56 In sum, data is what Daskal calls “un-territorial.”57
The Microsoft majority did not acknowledge the “un-territorial” nature of data. In fact, the court only briefly referred to the notion that cloud-stored data differs from the traditional objects of search warrants and dismissed the importance of this fact out of hand: “Al-though electronic data may be more mobile, and may seem less concrete, than many materials ordinarily subject to warrants, no party disputes that the electronic data subject to this [w]arrant [are] in fact located in Ireland . . . .”58 The rest of the opinion discussed data in a manner interchangeable with physical objects, speaking of the collection, storage, and location of the information abroad.59 In fairness to the court, it did acknowledge that the world has changed since the passage of the SCA, and indicated that it felt constrained by an outdated statute.60 Yet Microsoft was not simply a matter of the court straightforwardly applying an outdated statute. As Daskal noted in her comments on the district court’s decision in this case: “[I]t is clear that a territorial presumption applies to the SCA. But the question of how this presumption applies when an international border separates the data and the person or entity accessing the data remains unsettled.”61 It is this second question that the majority did not engage with. Because it did not consider the unique attributes of data, the court ignored the emerging consensus that placing much importance on the “location” of data is a mistake.
Microsoft is not the first time that a court has failed to grapple with legal wrinkles created by new technology. One prominent example is Olmstead v. United States,62 in which the Supreme Court held that a wiretap did not constitute a search under the Fourth Amendment.63 Traditional Fourth Amendment doctrine held that a physical trespass was required in order for the government’s action to constitute a search.64 Instead of considering the novel attributes of modern technology and adjusting the definition of a search accordingly, the Court simply applied the trespass test and determined that a wiretap could not amount to a search.65 Not only was this incomplete legal reasoning, but it also resulted in a significant delay in developing Fourth Amendment doctrine appropriate for modern technology. It was not until Katz v. United States,66 decided nearly forty years later, that the Court created an additional definition of a search appropriate for modern technology — the expectation-of-privacy test.67
Microsoft may be a new Olmstead. Like in Olmstead, the Microsoft majority failed to appreciate the unique attributes of new technology, and as a result the court did not recognize that its application of existing legal doctrine may have required an additional step.
By skipping over the question of how territoriality applies to data, the court did not fully reason through a decision with policy consequences that are, at the very least, bizarre. According to the Second Circuit, law enforcement is absolutely barred from obtaining electronic communications stored abroad directly from an ISP. The only recourse the government has is appealing to MLATs,68 which are notoriously slow69 and do not exist with every country.70 Even if the crime were entirely local — a U.S. defendant committed a crime against a U.S. victim on U.S. soil — with the only international component being an ISP’s business decision to store the defendant’s emails abroad, the government now has no means by which to compel disclosure of what could be critical evidence directly from the ISP. The concurrence rightfully recognized the oddity of this outcome, noting “it would be remarkably formalistic to classify such a demand as an extraterritorial application of what is effectively the subpoena power of an American court.”71 Even Microsoft acknowledges that this is not a favorable state of affairs, expressing its support72 for the International Communications Privacy Act, which would allow law enforcement officials to obtain electronic communications “regardless of where those communications are located,” pursuant to a warrant.73
Of course, it is entirely possible that the court would have considered the “un-territoriality” of data and still decided for Microsoft, similar to the position of the concurring opinion.74 There would have been good reasons for them to do so. First, the debate over the territorial nature of data is just that — a debate. There are those who believe that “despite the wizardry and wonder of modern technological advances, cloud-based data is not conceptually novel enough” to be deemed exceptional.75 Second, the presumption against extraterritoriality exists, in part, because the “extraterritorial application [of U.S. laws] may offend foreign governments,”76 and it is clear that at least some foreign officials were offended by the government’s position in Microsoft.77 Third, deciding in favor of the government would have had negative policy implications of its own.78 Indeed, Daskal herself has noted that neither position in this case is “satisfying,”79 but even so the majority may have come to the “correct” conclusion.80
The Microsoft court, as courts are trained to do, applied the words of the statute and relevant precedent to the issue at hand. But with advances in technology, rote application of existing legal doctrine is not enough. At best, the Microsoft court accidently arrived at the right decision. At worst, the court issued an Olmstead, and missed the chance to adapt legal doctrine to modern technology. If this is the case, hopefully the correction does not take forty years to surface.