United States District Court, S.D. New York
IN THE MATTER OF A WARRANT TO SEARCH A CERTAIN E-MAIL ACCOUNT CONTROLLED AND MAINTAINED BY MICROSOFT CORPORATION
MEMORANDUM AND ORDER
JAMES C. FRANCIS IV, UNITED STATES MAGISTRATE JUDGE.
"The rise of an electronic medium that disregards geographical boundaries throws the law into disarray by creating entirely new phenomena that need to become the subject of clear legal rules but that cannot be governed, satisfactorily, by any current territorially based sovereign." David R. Johnson & David Post, Law and Borders -- The Rise of Law in Cyberspace, 48 Stan. L. Rev. 1367, 1375 (1996). In this case I must consider the circumstances under which law enforcement agents in the United States may obtain digital information from abroad. Microsoft Corporation ("Microsoft") moves to quash a search warrant to the extent that it directs Microsoft to produce the contents of one of its customer's e-mails where that information is stored on a server located in Dublin, Ireland. Microsoft contends that courts in the United States are not authorized to issue warrants for extraterritorial search and seizure, and that this is such a warrant. For the reasons that follow, Microsoft's motion is denied.
Microsoft has long owned and operated a web-based e-mail service that has existed at various times under different internet domain names, including Hotmail.com, MSN.com, and Outlook.com. (Declaration of A.B. dated Dec. 17, 2013 ("A.B. Decl."), ¶ 3). Users of a Microsoft e-mail account can, with a user name and a password, send and receive email messages as well as store messages in personalized folders. (A.B. Decl., ¶ 3). E-mail message data include both content information (the message and subject line) and non-content information (such as the sender address, the recipient address, and the date and time of transmission). (A.B. Decl., ¶ 4).
Microsoft stores e-mail messages sent and received by its users in its datacenters. Those datacenters exist at various locations both in the United States and abroad, and where a particular user's information is stored depends in part on a phenomenon known as "network latency"; because the quality of service decreases the farther a user is from the datacenter where his account is hosted, efforts are made to assign each account to the closest datacenter. (A.B. Decl., ¶ 6). Accordingly, based on the "country code" that the customer enters at registration, Microsoft may migrate the account to the datacenter in Dublin. (A.B. Decl., ¶ 7). When this is done, all content and most non-content information associated with the account is deleted from servers in the United States. (A.B. Decl., ¶ 7).
The non-content information that remains in the United States when an account is migrated abroad falls into three categories. First, certain non-content information is retained in a data warehouse in the United States for testing and quality control purposes. (A.B. Decl., ¶ 10). Second, Microsoft retains "address book" information relating to certain web-based e-mail accounts in an "address book clearing house." (A.B. Decl., ¶ 10). Finally, certain basic non-content information about all accounts, such as the user's name and country, is maintained in a database in the United States. (A.B. Decl., ¶ 10).
On December 4, 2013, in response to an application by the United States, I issued the search warrant that is the subject of the instant motion. That warrant authorizes the search and seizure of information associated with a specified web-based e-mail account that is "stored at premises owned, maintained, controlled, or operated by Microsoft Corporation, a company headquartered at One Microsoft Way, Redmond, WA." (Search and Seizure Warrant ("Warrant"), attached as Exh. 1 to Declaration of C.D. dated Dec. 17, 2013 ("C.D. Decl."), Attachment A). The information to be disclosed by Microsoft pursuant to the warrant consists of:
a. The contents of all e-mails stored in the account, including copies of e-mails sent from the account;
b. All records or other information regarding the identification of the account, to include full name, physical address, telephone numbers and other identifiers, records of session times and durations, the date on which the account was created, the length of service, the types of service utilized, the IP address used to register the account, log-in IP addresses associated with session times and dates, account status, alternative e-mail addresses provided during registration, methods of connecting, log files, and means and sources of payment (including any credit or bank account number);
c. All records or other information stored by an individual using the account, including address books, contact and buddy lists, pictures, and files;
d. All records pertaining to communications between MSN . . . and any person regarding the account, including contacts with support services and records of actions taken.
(Warrant, Attachment C, ¶ I(a)-(d)).
It is the responsibility of Microsoft's Global Criminal Compliance ("GCC") team to respond to a search warrant seeking stored electronic information. (C.D. Decl., ¶ 3). Working from offices in California and Washington, the GCC team uses a database program or "tool" to collect the data. (C.D. Decl., ¶¶ 3, 4). Initially, a GCC team member uses the tool to determine where the data for the target account is stored and then collects the information remotely from the server where the data is located, whether in the United States or elsewhere. (C.D. Decl., ¶¶ 5, 6).
In this case, Microsoft complied with the search warrant to the extent of producing the non-content information stored on servers in the United States. However, after it determined that the target account was hosted in Dublin and the content information stored there, it filed the instant motion seeking to quash the warrant to the extent that it directs the production of information stored abroad.
The obligation of an Internet Service Provider ("ISP") like Microsoft to disclose to the Government customer information or records is governed by the Stored Communications Act (the "SCA"), passed as part of the Electronic Communications Privacy Act of 1986 (the "ECPA") and codified at 18 U.S.C. §§ 2701-2712. That statute authorizes the Government to seek information by way of subpoena, court order, or warrant. The instrument law enforcement agents utilize dictates both the showing that must be made to obtain it and the type of records that must be disclosed in response.
First, the Government may proceed upon an "administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena." 18 U.S.C. § 2703(b)(1)(B)(i). In response, the service provider must produce (1) basic customer information, such as the customer's name, address, Internet Protocol connection records, and means of payment for the account, 18 U.S.C. § 2703(c)(2); unopened e-mails that are more than 180 days old, 18 U.S.C. § 2703(a); and any opened e-mails, regardless of age, 18 U.S.C. §§ 2703(b)(1)(B)(i). The usual standards for issuance of compulsory process apply, and the SCA does not impose any additional requirements of probable cause or reasonable suspicion. However, the Government may obtain by subpoena the content of e-mail only if prior notice is given to the customer. 18 U.S.C. § 2703(b)(1)(B)(i).
If the Government secures a court order pursuant to 18 U.S.C. § 2703(d), it is entitled to all of the information subject to production under a subpoena and also "record[s] or other information pertaining to a subscriber or customer," such as historical logs showing the e-mail addresses with which the customer had communicated. 18 U.S.C. § 2703(c)(1). In order to obtain such an order, the Government must provide the court with "specific and articulable facts showing that there are reasonable grounds to believe that the content of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation." 18 U.S.C. 2703(d).
Finally, if the Government obtains a warrant under section 2703(a) (an "SCA Warrant"), it can compel a service provider to disclose everything that would be produced in response to a section 2703(d) order or a subpoena as well as unopened e-mails stored by the provider for less than 180 days. In order to obtain an SCA Warrant, the Government must "us[e] the procedures described in the Federal Rules of Criminal Procedure" and demonstrate probable ...