Searching over 5,500,000 cases.


searching
Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

In re Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation Microsoft Corporation

United States Court of Appeals, Second Circuit

January 24, 2017

In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation Microsoft Corporation, Appellant,
v.
United States of America, Appellee.

         At a stated term of the United States Court of Appeals for the Second Circuit, held at the Thurgood Marshall United States Courthouse, 40 Foley Square, in the City of New York, on the 24th day of January, two thousand seventeen.

          E. Joshua Rosenkranz, Orrick, Herrington & Sutcliffe LLP (Robert M. Loeb and Brian P. Goldman, Orrick, Herrington & Sutcliffe LLP, New York, NY; Guy Petrillo, Petrillo Klein & Boxer LLP, New York, NY; James M. Garland and Alexander A. Berengaut, Covington & Burling LLP, Washington, DC; Bradford L. Smith, David M. Howard, John Frank, Jonathan Palmer, and Nathaniel Jones, Microsoft Corp., Redmond, WA; on the brief), for Microsoft Corporation.

          Justin Anderson, Assistant United States Attorney (Serrin Turner, Assistant United States Attorney, on the brief), for Preet Bharara, United States Attorney for the Southern District of New York, New York, NY.

          Brett J. Williamson, David K. Lukmire, Nate Asher, O'Melveny & Myers LLP, New York, NY; Faiza Patel, Michael Price, Brennan Center for Justice, New York, NY; Hanni Fakhoury, Electronic Frontier Foundation, San Francisco, CA; Alex Abdo, American Civil Liberties Union Foundation, New York, NY; for Amici Curiae Brennan Center for Justice at NYU School of Law, American Civil Liberties Union, The Constitution Project, and Electronic Frontier Foundation, in support of Appellant.

          Kenneth M. Dreifach, Marc J. Zwillinger, Zwillgen PLLC, New York, NY and Washington, DC, for Amicus Curiae Apple, Inc., in support of Appellant.

          Andrew J. Pincus, Paul W. Hughes, Mayer Brown LLP, Washington, DC, for Amici Curiae BSA | The Software Alliance, Center for Democracy and Technology, Chamber of Commerce of the United States, The National Association of Manufacturers, and ACT | The App Association, in support of Appellant.

          Steven A. Engel, Dechert LLP, New York, NY, for Amicus Curiae Anthony J. Colangelo, in support of Appellant.

          Alan C. Raul, Kwaku A. Akowuah, Sidley Austin LLP, Washington, DC, for Amici Curiae AT&T Corp., Rackspace US, Inc., Computer & Communications Industry Association, i2 Coalition, and Application Developers Alliance, in support of Appellant.

          Peter D. Stergios, Charles D. Ray, McCarter & English, LLP, New York, NY and Hartford, CT, for Amicus Curiae Ireland.

          Peter Karanjia, Eric J. Feder, Davis Wright Tremaine LLP, New York, NY, for Amici Curiae Amazon.com, Inc., and Accenture PLC, in support of Appellant.

          Michael Vatis, Jeffrey A. Novack, Steptoe & Johnson LLP, New York, NY; Randal S. Milch, Verizon Communications Inc., New York, NY; Kristofor T. Henning, Hewlett-Packard Co., Wayne, PA; Amy Weaver, Daniel Reed, Salesforce.com, Inc., San Francisco, CA; Orin Snyder, Thomas G. Hungar, Alexander H. Southwell, Gibson, Dunn & Crutcher LLP, New York, NY; Mark Chandler, Cisco Systems, Inc., San Jose, CA; Aaron Johnson, eBay Inc., San Jose, CA, for Amici Curiae Verizon Communications, Inc., Cisco Systems, Inc., Hewlett-Packard Co., eBay Inc., Salesforce.com, Inc., and Infor, in support of Appellant.

          Laura R. Handman, Alison Schary, Davis Wright Tremaine LLP, Washington, DC, for Amici Curiae Media Organizations, in support of Appellant.

          Philip Warrick, Klarquist Sparkman, LLP, Portland, OR, for Amici Curiae Computer and Data Science Experts, in support of Appellant.

          Owen C. Pell, Ian S. Forrester, Q.C., Paige C. Spencer, White & Case, New York, NY, for Amicus Curiae Jan Philipp Albrecht, Member of the European Parliament, in support of Appellant.

          Owen C. Pell, Ian S. Forrester, Q.C., Paige C. Spencer, White & Case, New York, NY; Edward McGarr, Simon McGarr, Dervila McGirr, McGarr Solicitors, Dublin, Ireland, for Amicus Curiae Digital Rights Ireland Limited, National Council for Civil Liberties, and The Open Rights Group, in support of Appellant.

          Present: Robert A. Katzmann, Chief Judge, Dennis Jacobs, José A. Cabranes, Rosemary S. Pooler, Reena Raggi, Peter W. Hall, Debra Ann Livingston, Denny Chin, Raymond J. Lohier, Jr., Susan L. Carney, Christopher F. Droney, Circuit Judges.

          ORDER

         Following disposition of this appeal, an active judge of the Court requested a poll on whether to rehear the case en banc.[*] A poll having been conducted and there being no majority favoring en banc review, rehearing en banc is hereby DENIED.

          Susan L. Carney, Circuit Judge, concurs by opinion in the denial of rehearing en banc.

          Dennis Jacobs, Circuit Judge, joined by José A. Cabranes, Reena Raggi, and Christopher F. Droney, Circuit Judges, dissents by opinion from the denial of rehearing en banc.

          José A. Cabranes, Circuit Judge, joined by Dennis Jacobs, Reena Raggi, and Christopher F. Droney, Circuit Judges, dissents by opinion from the denial of rehearing en banc.

          Reena Raggi, Circuit Judge, joined by Dennis Jacobs, José A. Cabranes, and Christopher F. Droney, Circuit Judges, dissents by opinion from the denial of rehearing en banc.

          Christopher F. Droney, Circuit Judge, joined by Dennis Jacobs, José A. Cabranes, and Reena Raggi, Circuit Judges, dissents by opinion from the denial of rehearing en banc.

          Susan L. Carney, Circuit Judge, concurring in the order denying rehearing en banc:

         The original panel majority opinion, see Microsoft Corp. v. United States, 829 F.3d 197 (2d Cir. 2016), fully explains why quashing the government's warrant is called for by Supreme Court precedent on extraterritoriality and the text of the Stored Communications Act ("SCA"), 18 U.S.C. §§ 2701 et seq. Because the panel opinions did not include a dissent, however, I write again, briefly, to respond with respect to several points raised during our Court's consideration of whether to grant the government's petition for en banc review and reflected in the dissents from denial of rehearing.[1]

         The theme running through the government's petition and the dissents is the concern that, by virtue of the result the panel reached, U.S. law enforcement will less easily be able to access electronic data that a magistrate judge in the United States has determined is probably connected to criminal activity.[2] My panel colleagues and I readily acknowledge the gravity of this concern. But the SCA governs this case, and so we have applied it, looking to the statute's text and following the extraterritoriality analysis of Morrison v. National Australia Bank Ltd., 561 U.S. 247 (2010). We recognize at the same time that in many ways the SCA has been left behind by technology. It is overdue for a congressional revision that would continue to protect privacy but would more effectively balance concerns of international comity with law enforcement needs and service provider obligations in the global context in which this case arose.[3]

         Before going further, it is worth pointing out what is not at issue in this appeal. First, it is common ground that Congress did not intend for the SCA's warrant procedures to apply extraterritorially. See Gov't Pet. for Reh'g 11. Second, although the panel majority determined that the SCA's focus lies on protecting user privacy, this determination was made under the second part of the extraterritoriality analysis set forth as a canon of construction in Morrison and recently developed further in RJR Nabisco, Inc. v. European Community, 136 S.Ct. 2090 (2016). See RJR Nabisco, 136 S.Ct. at 2101 ("If the statute is not extraterritorial, then at the second step we determine whether the case involves a domestic application of the statute, and we do this by looking to the statute's 'focus.'"). Our "focus" analysis did not turn on privacy protections independently derived from the Fourth Amendment. Nor did we express or imply a view about how Congress may permissibly legislate to enable the government to reach data stored abroad and under the control of U.S. companies; our reading of the SCA did no more than adhere to the dictates of Morrison in construing the SCA. Finally, since the instrument was issued by a neutral magistrate judge upon a showing of probable cause, no one disputes that the Microsoft warrant has satisfied the most stringent privacy protections our legal system affords.

         Accordingly, the dispositive question in the case, as we see it, might be framed as whether Microsoft's execution of the warrant to retrieve a private customer's electronic data, stored on its servers in Ireland, would constitute an extraterritorial application of the SCA in light of the statute's "focus, " determined in accordance with Morrison and RJR Nabisco. Again, this is a question of statutory construction. And, unsurprising in light of the need for an extraterritoriality analysis, it requires consideration of the concerns of sovereignty and international comity.

         The panel majority concluded that "the relevant provisions of the SCA focus on protecting the privacy of the content of a user's stored electronic communications." Microsoft, 829 F.3d at 217. The concurring opinion noted the difficulty in determining a statute's "focus" under Morrison, but agreed that in the absence of any evidence that Congress intended the SCA to reach electronic data stored abroad by a service provider (and relating potentially to a foreign citizen), the effect of the government's demand here impermissibly fell beyond U.S. borders and therefore the Microsoft warrant should be quashed. Id. at 230-31 (Lynch, J., concurring).

         Guided by our determination of the statute's focus and looking at the text of the SCA itself, the panel majority read the statute to treat the locus of the SCA's privacy protections as at the place of data storage. As further detailed in the majority opinion, this conclusion comports with the SCA's reliance on the fact and form of content storage as predicates to its various provisions, as well as its use of the term of art "warrant" and its requirement of compliance with Federal Rule of Criminal Procedure 41, "Search and Seizure"-features usually associated with physical access. See, e.g., 18 U.S.C. § 2701(a) (prohibiting access to "facilit[ies]" where electronic communications are stored); id. § 2702(a)(1)-(2) (prohibiting disclosure of communications "while in electronic storage" or "which [are] carried or maintained" by an electronic communication service); id. § 2703(a) (imposing warrant procedures on electronic communications that are "in electronic storage in an electronic communications system for one hundred and eighty days or less"). We noted that the statute uses "[t]he circumstances in which the communications have been stored . . . as a proxy for the intensity of the user's privacy interests, dictating the stringency of the procedural protection they receive." Microsoft, 829 F.3d at 217. We also noted that § 2701, by proscribing unauthorized access to storage facilities, not only limits disclosure but also "shelters the communications' integrity." Id. at 218. Because the electronic communications to be accessed and disclosed pursuant to the Microsoft warrant are stored in a Dublin datacenter, we reasoned, the execution of the warrant would have its effect when the service provider accessed the data in Ireland, an extraterritorial application of the SCA.[4]

         Characterizing the statute's focus differently, as resting on "disclosure, " and offering a detailed recitation of the available statutory support for that conclusion, [5] the dissents argue primarily that the SCA's effect occurs at the place of disclosure, on U.S. soil.[6] Thus, so long as (1) the warrant is served in the United States on a provider doing business in the United States, and (2) the provider can access the user's content electronically from the United States, extraterritoriality need not even be considered.[7] Since the warrant recipient here is Microsoft, a U.S. corporation (though the reasoning would apply equally well to a foreign provider who is sufficiently present in the United States), and the data is accessible and producible by Microsoft to the U.S. government in the United States, no more is needed to enforce the warrant. The inquiry stops there.

         The panel majority rejected this position, and a few reflections illustrate why we were correct to do so. First: The position of the government and the dissenters necessarily ignores situations in which the effects outside the United States are less readily dismissed, whichever label is chosen to describe the "focus" of the statute. For example, under the dissents' reasoning (as we understand it), the SCA warrant is valid when (1) it is served in the United States on a branch office of an Irish service provider, (2) it seeks content stored in Ireland but accessible at the U.S. branch, (3) the account holding that content was opened and established in Ireland by an Irish citizen, (4) the disclosure demanded by the warrant would breach Irish law, and (5) U.S. law enforcement could request the content through the MLAT process.[8] This hardly seems like a "domestic application" of the SCA. Rather, we find it difficult to imagine that the Congress enacting the SCA envisioned such an application, much less that it would not constitute the type of extraterritorial application with which Morrison was concerned. Indeed, calling such an application "domestic" runs roughshod over the concerns that undergird the Supreme Court's strong presumption against extraterritoriality, and suggests the flaw in an approach to the SCA that considers only disclosure. See Morrison, 561 U.S. at 269 (citing "probability of incompatibility with applicable laws of other countries" as signaling absence of congressional attention to extraterritorial application); EEOC v. Arabian Am. Oil Corp., 499 U.S. 244, 248 (1991) (observing that presumption against extraterritoriality "serves to protect against unintended clashes between our laws and those of other nations").

         Second: My dissenting colleagues take issue with the idea that "privacy" can have a territorial locus at all when it comes to electronic data, given the ease with which the data can be subdivided or moved across borders and our now familiar notion of data existing in the ephemeral "cloud." But, mundane as it may seem, even data subject to lightning recall has been stored somewhere, and the undisputed record here showed that the "somewhere" in this case is a datacenter firmly located on Irish soil.[9] See Microsoft, 829 F.3d at 220 n.28. (Fragmentation, an issue raised by the government in its petition and by the dissents here, was not present in the facts before the panel, and only further emphasizes the need for a modernized statute.) When Congress passed the "Stored Communications Act" in 1986, the statute it enacted protected data by limiting access to the "facility" where the data is stored or through which electronic services are provided. 18 U.S.C. § 2701(a). It did not address the citizenship of the account holder, the nationality of the service provider, or any of the concerns that can be cited, legitimately, as relevant today to defining a sound policy concerning the privacy and disclosure of protected user content in a global setting. Nor have we been pointed to evidence suggesting that sovereigns have relinquished any claim to control over data physically stored within their boundaries. (Ireland certainly did not do so here in its submission amicus curiae.) Although the realities of electronic storage have widely outstripped what Congress envisioned in 1986, we are not so far from the context of the SCA that we can no longer apply it faithfully.

         To connect these two points: Some of my dissenting colleagues, see post at 5 (Jacobs, J., dissenting from the denial of reh'g en banc), like the panel, have noted potential concerns with reciprocity-that if the United States can direct a service provider with operations in the United States to access data of a foreign citizen stored in a foreign country, a foreign sovereign might claim authority to do the same and access data of a U.S. citizen stored in the United States, so long as the data would be disclosed abroad. If this concern holds any intuitive force, it does so only because the location of data storage does still have import, and therefore reaching across physical borders to access electronic data gives us pause when we are on the receiving end of the intrusion. It is for just this sort of reason that the government has entered into MLATs with other sovereigns: to address mutual needs for law enforcement while respecting sovereign borders. And it is for just this sort of reason that the government has in other circumstances taken a position, somewhat in tension with the one it takes here, that courts should be particularly solicitous of sovereignty concerns when authorizing data to be collected in the United States but drawn from within the boundaries of a foreign nation. See, e.g., Br. United States Amicus Curiae Opp'n Pet. Writ Cert. 8-21, Arab Bank, PLC v. Linde, No. 12-1485 (May 2014) (contending, in civil discovery context, that lower courts erred in "failing to accord sufficient weight to the foreign jurisdictions' interests in enforcing their bank secrecy laws").

         Third, and finally: The exercise of selecting a "focus" and then determining its territorial locus highlights some of the difficulties inherent in applying the Morrison extraterritoriality analysis. Where the panel majority and the dissents diverge most sharply and meaningfully is on the better view of the legal consequences of the focus inquiry: where-for purposes of assessing extraterritoriality according to the Supreme Court's precedents-to locate the affected interest. Once we concluded that the statute focuses on protecting privacy, the panel majority had to assess further where privacy might be considered to be physically based-an elusive inquiry, at best. As noted, the dissents emphasize disclosure, and reason from that premise that the place of disclosure establishes whether the proposed application of the statute is domestic. But we saw the overarching goal of the SCA as protecting privacy and allowing only certain exceptions, of which limited disclosure in response to a warrant is one. Considerations of privacy and disclosure cannot be divorced; they are two sides of the same coin. By looking past privacy and directly to disclosure, however, the dissents would move the "focus" of the statute to its exceptions, and away from its goal. The better approach, which in our estimation is more in keeping with the Morrison analysis and the SCA's emphasis on data storage, is one that looks to the step taken before disclosure-access-in determining privacy's territorial locus.

         With a less anachronistic statute or with a more flexible armature for interpreting questions of a statute's extraterritoriality, we might well reach a result that better reconciles the interests of law enforcement, privacy, and international comity. In an analytic regime, for example, that invited a review of the totality of the relevant circumstances when assessing a statute's potential extraterritorial impact, we might be entitled to consider the residency or citizenship of the client whose data is sought, the nationality and operations of the service provider, the storage practices and conditions on disclosure adopted by the provider, and other related factors. And we can expect that a statute designed afresh to address today's data realities would take an approach different from the SCA's, and would be cognizant of the mobility of data and the varying privacy regimes of concerned sovereigns, as well as the potentially conflicting obligations placed on global service providers like Microsoft. As noted above, there is no suggestion that Congress could not extend the SCA's warrant procedures to cover the situation presented here, if it so chose.

         These were not the statutory context and precedent available to the panel, however, nor would they be available to our Court sitting en banc. Under the circumstances presented to us, the Microsoft warrant was properly quashed.

          Dennis Jacobs, Circuit Judge, joined by José A. Cabranes, Reena Raggi, and Christopher F. Droney, Circuit Judges, dissenting from the denial of rehearing in banc:

         The United States has ordered Microsoft to provide copies of certain emails pursuant to the Stored Communications Act. A magistrate judge found probable cause to believe those emails contain evidence of a crime. (The instrument functions as a subpoena though the Act calls it a warrant.) A panel of this Court directed the district court to quash the warrant as an unlawful extraterritorial application of the Act. Now, in a vote split four-four, we decline to rehear the case in banc. I respectfully dissent from the denial.

         I subscribe to the dissents of Judge Cabranes, Judge Raggi, and Judge Droney, which set out in detail the doctrinal basis for the right result in this appeal. I write separately to describe an approach that is perhaps more reductionist.

         I

         As all seem to agree, and as the government concedes, the Act lacks extraterritorial reach. However, no extraterritorial reach is needed to require delivery in the United States of the information sought, which is easily accessible in the United States at a computer terminal. The majority nevertheless undertakes to determine whether this case presents a forbidden extraterritorial application by first "look[ing] to the 'territorial events or relationships' that are the 'focus' of the relevant statutory provision." Majority Op., 829 F.3d at 216 (quoting Mastafa v. Chevron Corp., 770 F.3d 170, 183 (2d Cir. 2014)). Oddly, the majority then holds that the relevant "territorial" "focus" is user privacy. But privacy, which is a value or a state of mind, lacks location, let alone nationality.[1]Territorially, it is nowhere. Important as privacy is, it is in any event protected by the requirement of probable cause; so a statutory focus on privacy gets us no closer to knowing whether the warrant in question is enforceable.

         Extraterritoriality need not be fussed over when the information sought is already within the grasp of a domestic entity served with a warrant. The warrant in this case can reach what it seeks because the warrant was served on Microsoft, and Microsoft has access to the information sought. It need only touch some keys in Redmond, Washington. If I can access my emails from my phone, then in an important sense my emails are in my pocket, notwithstanding where my provider keeps its servers.

         The majority opinion relies on an implicit analogy to paper documents: "items" and "material" and "content" that are "located" and "stored" and that the government seeks to "collect" and "import." But electronic data are not stored on disks in the way that books are stored on shelves or files in cabinets. Electronic "documents" are literally intangible: when we say they are stored on a disk, we mean they are encoded on it as a pattern. At stake in this case is not whether Microsoft can be compelled to import and deliver a disk (or anything else), but whether Microsoft can be compelled to deliver information that is encoded on a disk in a server and that Microsoft can read.

         The panel's approach is unmanageable, and increasingly antiquated. As explained in an article Judge Lynch cites in his concurrence (829 F.3d at 229): "[T]he very idea of online data being located in a particular physical 'place' is becoming rapidly outdated, " because electronic "files [can] be fragmented and the underlying data located in many places around the world" such that the files "only exist in recognizable form when they are assembled remotely." Orin S. Kerr, The Next Generation Communications Privacy Act, 162 U. Pa. L. Rev. 373, 408 (2014). The underlying data can be fragmented or recombined, copied or transferred, for convenience or maintenance or economy - or (not incidentally) to evade the police. And all that can be done at the direction of the user or without the user's knowledge, and without a care for national boundaries, tariffs or postage. Nothing moves but information.

         To enforce the warrant, there is no practical alternative to relying upon access, and no need to seek an alternative. We can conclude that warrants can reach what their recipients can deliver: if the recipient can access a thing here, then it can be delivered here; and if statutory and constitutional standards are met, it should not matter where the ones-and-zeroes are "stored."

         Localizing the data in Ireland is not marginally more useful than thinking of Santa Claus as a denizen of the North Pole. Problems arise if one over-thinks the problem, reifying the notional: Where in the world is a Bitcoin? Where in my DVR are the images and voices? Where are the snows of yesteryear?

         II

         The majority has found no indication that Congress considered in 1986 whether a warrant issued under the Act would reach data stored on servers outside the United States; and Judge Lynch's concurrence, having recognized the flaws in the majority opinion, calls on Congress to modernize the statute. I too would like to see Congress act, chiefly to consider certain ramifications, such as whether the United States might be vulnerable to reciprocal claims of access through local offices of American companies abroad. But we are not in a position to punt when it comes to construing a statute that either does or does not allow execution of a warrant in a case that is before us now. Holding, as the panel did, that the statute does not allow enforcement of this warrant is an interpretation of the statute, not a deferential bow to Congress. So though it would best if Congress could form a consensus on the issue, that preference is not a principle of statutory construction.

         Nor can it matter how we would order legislative priorities (this would seem to be a bit down the list), or how much we would welcome bipartisan consideration of a bill that has not been enacted. Legislative proposals are myriad, and they fall as leaves. Come what may, we are left for now with ...


Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.