[Orin Kerr] The surprising implications of the Microsoft/Ireland warrant case

The Justice Department filed a petition for rehearing last month in the Microsoft/Ireland warrant case. Although I’m skeptical that rehearing will be granted, the Justice Department’s petition includes some fascinating updates about the practical effect of the Second Circuit’s decision. I looked into the Justice Department’s allegations on my own, and I was able to get a better sense of what was happening. At the very least, it suggests that the Microsoft case is having some surprising implications. And in some cases, the result seems to be a significant mess.

The Second Circuit’s decision held that warrants for customer email are unenforceable when the provider opted to store emails on a server outside the United States. The statute only has extraterritorial effect, the Second Circuit reasoned, and that means it doesn’t apply to foreign-stored email. Treating the statute as a way to get email rather than a means of limiting access to email, the court ruled that the government couldn’t use a domestic warrant to compel the disclosure of emails stored abroad.

But here’s the twist. The court’s decision assumed that Internet providers knew where its customer emails were located and that emails could be accessed from those places. The Second Circuit’s opinion therefore left the government with some options. In particular, the government could pursue foreign legal process through Mutual Legal Assistance Treaties for email that was stored abroad.

It turns out that this assumption isn’t necessarily right. And that is creating some significant headaches.

Here’s what the Justice Department says in its petition for rehearing:

Unlike Microsoft, some major providers cannot easily determine where customer data is physically stored, and some store different parts of customer content data in different countries. Major U.S.-based providers like Google and Yahoo! store a customer’s email content across an ever-changing mix of facilities around the world. To the extent content is stored abroad by the provider at the moment the warrant is served, the Opinion has now placed it beyond the reach of a Section 2703 warrant, even when the account owner resides in the United States and the crime under investigation is entirely domestic. At least in the case of Google, the information is also currently beyond the reach of a Mutual Legal Assistance Treaty request or any foreign law enforcement authority, because only Google’s U.S.-based employees can access customer email accounts, regardless of where they are stored; indeed, Google cannot reliably identify the particular foreign countries where a customer’s email content may be stored. Thus, critical evidence of crimes now rests entirely outside the reach of any law enforcement anywhere in the world, and the randomness of where within an intricate web of servers the requested content resides at a particular moment determines its accessibility to law enforcement.

The petition adds:

Major service providers like Google and Yahoo!, who store different pieces of information for a single customer account in various datacenters at the same time, and routinely move data around based on their own internal business practices, are now disclosing only those portions of customer accounts stored in the United States at the moment the warrant is served — even though, at least as to Google, the only employees who can access the entirety of a customer’s account, including those portions momentarily stored overseas, are located in the United States. Yahoo! has informed the Government that it will not even preserve data located outside the United States in response to a Section 2703 request, thereby creating a risk that data will be moved or deleted before the United States can seek assistance from a foreign jurisdiction, much less actually serve a warrant and secure the data. In addition, some providers are apparently unable to tell the Government, in response to Section 2703 disclosure orders, where particular data is stored or whether it is stored outside the United States, further frustrating law enforcement’s ability to access such data.

I reached out to various Internet providers to see whether the Justice Department’s claims are correct. While I wasn’t able to get on-the-record responses, I was able to patch together a picture from “on background” discussions. Here’s my best sense of what is happening.

First, the major domestic Internet providers aren’t treating the Second Circuit’s decision as just a decision from one circuit. They have all decided to treat the Second Circuit decision as the law in effect everywhere. Part of that is for a good practical reaso