The 1986 Stored Communications Act1 (SCA) allows the government to obtain a warrant (SCA Warrant) that requires an Internet Service Provider (ISP) to produce customer information, emails, and other materials upon a showing of probable cause.2 While the Internet has transformed since 1986, the Act remains mostly unchanged. Recently, in In re Warrant to Search a Certain Email Account Controlled & Maintained by Microsoft Corp.,3 a magistrate judge in the Southern District of New York ruled — and a district judge affirmed4 — that an SCA Warrant obligates an ISP like Microsoft5 to produce information stored on overseas servers.6 SCA Warrants, the magistrate judge explained, are part-subpoena, part-warrant hybrids and so are not bound by the same territorial constraints that restrict traditional warrants.7 While the decision is well reasoned, the territorial question raised by this litigation underscores the potential risks of judicial application of the SCA and the corresponding need for Congress to reform the outdated statute by clarifying its application to data stored abroad.
In December 2013, as part of a presently undisclosed criminal investigation, federal prosecutors in the Southern District of New York sought and obtained an SCA Warrant authorizing “the search and seizure of information” — including emails — “associated with a specified web-based e-mail account” stored by Microsoft.8 The warrant, granted by Magistrate Judge Francis, requested the production of responsive material within two weeks and delayed notification to the subscriber for thirty days.9
Upon receipt of the SCA Warrant, Microsoft’s Global Criminal Compliance team determined that while some of the respon-sive account information was stored on U.S. servers,10 the corresponding emails were stored on servers located in Dublin, Ireland.11 Microsoft handed over the data stored in the United States, but moved to “quash the warrant to the extent that it direct[ed] the production of information stored abroad.”12 Microsoft’s argument hinged on the fact that the government here, as required by the SCA, sought the account information pursuant to “a warrant issued using the procedures described in the Federal Rules of Criminal Procedure.”13 Because according to Rule 41 “[f]ederal courts are without authority to issue warrants for the search and seizure of property outside the territorial limits of the United States,”14 Microsoft contended that SCA Warrants do not reach data abroad.15
Microsoft’s motion to quash came before Magistrate Judge Francis, who first turned to the text of the SCA to determine whether it permitted the government to demand data stored abroad. He determined that while Microsoft’s interpretation of the SCA was reasonable, the requirement that SCA Warrants be issued “using the procedures described in the Federal Rules of Criminal Procedure”16 could, “equally plausibly,” be read to require only that SCA Warrants comply with the “procedural aspects of the [warrant] application process.”17 Deciding that the text of the SCA was ambiguous, Magistrate Judge Francis proceeded to consider the statute’s structure and legislative history, as well as the practical consequences of Microsoft’s argument.
In examining the structure of the SCA, the magistrate deter-mined that an SCA Warrant “is a hybrid: part search warrant and part subpoena.”18 Like a conventional search warrant, an SCA Warrant is obtained upon application to a neutral magistrate and upon a showing of probable cause.19 However, once an SCA Warrant is issued, it acts like a subpoena in that it is served upon an ISP with the expectation of a response and does not require the government to conduct a physical search and seizure.20 Under subpoena doctrine, the location of the requested documents is ir-relevant; what matters is that the subpoenaed party have control over the requested material.21 Requiring an ISP to produce its records held abroad “does not implicate principles of extraterritoriality,”22 but is considered an extension of the court’s power toward a party over whom it has personal jurisdiction.23
Next, Magistrate Judge Francis considered the legislative history of the SCA.24 While the Senate Report did not address the SCA’s territorial reach, the House Report did, stating that instruments to “access . . . stored . . . communications are intended to apply only to access within the territorial United States.”25 This reference “suggest[ed] that information stored abroad would be beyond the purview of the SCA.”26 However, he noted that these comments more likely indicated that electronic communications intercepted abroad by foreign law enforcement apart from U.S. search and seizure procedures could still be admissible at trial.27 Furthermore, the report failed to clarify whether “access” to data “meant access to the location where the electronic data was stored or access to the location of the ISP.”28 Fortunately, a House Report accompanying a 2001 amendment to the SCA provided some clarity. In describing the operation of Rule 41, that report equated “‘where the property is located’ with the location of the ISP, not the location of any serv-er.”29
Lastly, Magistrate Judge Francis turned to the practical implications of Microsoft’s interpretation, concluding that Congress could not have intended SCA Warrants to be limited to data stored in the United States.30 First, some ISPs attempt to house a customer’s data near her residence, but are not required to verify the residency information provided by customers. Therefore, if SCA Warrants were so limited, criminals could provide false information, have their data stored overseas, and thereby avoid the reach of U.S. law en-forcement.31 Second, if SCA Warrants did not allow for the production of data stored abroad, the government would have to obtain such information through Mutual Legal Assistance Treaty (MLAT) procedures, which are lengthy, cumbersome, and unrelia-ble.32 Since the United States is a party to such treaties with only approximately sixty countries, some data “within the control of an American service provider” would be entirely out of law enforcement authorities’ reach.33
Based on the foregoing, Magistrate Judge Francis determined that SCA Warrants function as subpoenas and require the production of all responsive information, regardless of where it is stored.34 He thus denied Microsoft’s motion to quash the warrant.35 Microsoft appealed Magistrate Judge Francis’s order to the district court. Judge Preska heard argument in July 2014 and orally affirmed Magistrate Judge Francis’s order.36
While Magistrate Judge Francis’s order accords with the SCA, the court’s decision was not the only potential outcome.37 The statute was not written for today’s Internet and the huge amounts of data stored across the globe. It is startling that issues concerning the production of data stored overseas are only being raised for the first time in this litiga-tion38 and their importance will only continue to grow.39 In re Warrant is illustrative of the problems that arise from the SCA’s age and ambiguity. As it currently stands, judicial application of the vague statute carries a high risk of problematic outcomes. The SCA can, and should, be re-vised40 in a way that clarifies the ter-ritorial questions raised by this case and weighs the govern-ment’s legitimate law enforcement needs against valid privacy interests and practical concerns.41
When Congress passed the Electronic Communications Privacy Act of 198642 (ECPA), which included the SCA, the Internet was in its infancy. It was unclear whether existing Fourth Amendment doctrine would apply to stored electronic communications,43 and there was a concern that emails would not be subject to any privacy protections whatsoever. As a result, the ECPA was intended to balance privacy concerns with law enforcement needs.44 It also included provisions granting law enforcement investigatory tools to legally gather stored communications.45 While the SCA was amended in 1994 and 2001, “the basic structure of the 1986 statute remains in place today.”46
There is no doubt the Internet has changed dramatically in the nearly thirty years since the SCA was enacted. Two of the most transformative technological shifts were integral to this litigation. First, because at the time of the SCA’s passage, storage of data was prohibitively expensive and rare, Congress did not envision stored communications as a central privacy concern.47 Since the 1980s, however, the cost of storing data has decreased exponentially and the amount of stored personal data has increased commensurately.48 Second, the Internet has evolved from a predominantly American network into a global one, both in usage and infrastructure.49 As a result of these unforeseen developments, the stakes of misapplying the ambiguous SCA have ballooned. Stored electronic communications have assumed a pivotal importance that the statute can no longer ade-quately manage.
If Magistrate Judge Francis had come to a different, but permissible, interpretation of the SCA Warrant and the vague text authorizing it, the outcome could have been highly problematic. Relying on national borders in today’s cloud-based Internet is untenable.50 Microsoft, in particular, stores data around the world.51 This is particularly problematic because there is no obligation that an ISP verify a customer’s professed residence, which can dictate where her data is stored.52 Tying an SCA Warrant to the location of the requested data rather than the location of a provider would severely hinder the efforts of law enforcement and draw a nonsensical distinction. Furthermore, Microsoft’s position is incongruous when set against Fourth Amendment doctrine. Courts have already determined, in the context of conventional search warrants, that when a search occurs outside of the United States, non-U.S. persons have no Fourth Amendment rights53 while U.S. persons are shielded only by a “reasonableness” requirement.54 Because individuals already have fewer or no constitutional privacy protections abroad, it would be strange for Magistrate Judge Francis to have ruled that a search that would be legal if conducted on U.S. soil is prohibited if conducted abroad.
At the same time, however, an extraterritorial SCA Warrant does raise privacy and practical concerns, particularly for foreign subscribers. For example, Microsoft and other technology companies have received complaints from “both current and potential customers overseas about the U.S. Government’s extraterritorial access to their user information” that might “substantially undermine[]” the companies’ positions in cloud computing.55
The resolution of the SCA’s territorial reach should fall to Congress as the body most capable of clarifying the statute to better regulate access to stored communications in light of such communications’ current outsized importance. The government has a legitimate interest in uncovering and combating criminal activity that should not be hindered by the location of a company’s servers or other factors unrelated to an individual’s privacy interests. To the extent that the SCA’s language referencing the Federal Rules of Criminal Procedure is ambiguous, it should be revised to more closely align with the tool it authorizes: a subpoena requiring a showing of probable cause to a neutral magistrate. Additionally, because this issue is bound to reappear, the revision should include precise wording that clearly specifies the obligation of an American service provider when the data requested is stored overseas. With cloud-computing systems, data, including fragments and copies, can be stored everywhere; it is important that the SCA explicitly acknowledge that the location of the data is not the crucial consideration.56 Rather, the location of the service provider should govern. Finally, because at least in the case of Microsoft, where a customer’s data is stored is based on user-provided information that is never independently verified, Congress could mandate a vetting requirement that obligates a service provider to base the location of storage upon a subscriber’s IP address, rather than her self-reported location.
Despite the importance of law enforcement prerogatives, Congress should also endeavor to safeguard privacy and U.S. business interests to the extent possible. First, any revised policy should include a heightened burden on the government when seeking a warrant for the information of non-U.S. persons. A reviewing court can look to see if the prosecutor met a substantial evidence burden rather than probable cause.57 Second, Congress can specify the types of crimes where an SCA Warrant can be used to obtain data belonging to non-U.S. persons and those where MLATs must be used. Thus, SCA Warrants can be reserved only for the most serious and time-sensitive crimes. While this proposal may not be sufficient to satisfy all privacy concerns expressed by foreign customers of an American provider, it would be an important step. Such a limitation would strengthen the privacy considerations of the statute without severely impacting its law enforcement prerogatives.
An SCA Warrant allows the government to obtain private emails upon a showing of probable cause. Despite its moniker, an SCA Warrant is akin to a subpoena in that the location that matters is that of the service provider and not the requested data. Despite the ruling in this case, the transformations in communications technology and the ubiquity of data stored across the globe demand a clarification of the SCA only Congress can provide.