Your contacts
On 3 February 2017 Judge Rueter from the United States District Court for the Eastern District of Pennsylvania ordered Google Inc. to turn over e-mail content demanded by the FBI even though those contents are stored outside of the USA (Case No. 16-960-M-01). The decision seems to contradict another court decision in which Microsoft was supported in its refusal of handing over e-mails located on a server in Ireland (see BR-News of 25 July 2016). A closer look into the decisions reveals, however, that the facts of the two cases differ significantly. Nonetheless, the decision is no good news for cloud service providers in the USA.
Court-Approved Search Warrant by the FBI
In August 2016 the United States District Court for the Eastern District of Pennsylvania issued two search warrants – based on the Stored Communication Act – that required Google Inc. to disclose to the FBI certain electronic data held in the accounts of targets in two separate criminal investigations. The targets both reside in the USA, the alleged crimes occurred in the USA, and the electronic data at issue was exchanged between persons located in the USA.
Google partially complied with the warrants and disclosed data was stored on its servers located in the USA. It refused, however, to produce other content as the respective content was stored abroad.
Microsoft Case
Google refused to disclose content stored abroad based on a decision of the United States Court of Appeals for the Second Circuit of 14 July 2016 (United States Court of Appeal for the Second Circuit of 14 July 2016). In that decision the Court of Appeals held that the Stored Communication Act has no extraterritorial reach and that requesting Microsoft to disclose e-mails stored on servers in Ireland would constitute an unlawful extraterritorial application of the statute (see BR-News of 25 July 2016). On 24 January 2017 the Court of Appeal denied a rehearing of the case (see Washington Post of 24 January 2017).
It is still possible that the government is going to appeal against the decision of the Court of Appeals to the US Supreme Court.
What are the main differences between the Microsoft and the Google Case?
The main difference is that in the Microsoft case the e-mails to be disclosed were sufficiently specified and could clearly be located. The e-mails were stored on a server in Ireland and Microsoft confirmed that the e-mails remain stored there during the proceeding. The US government had therefore been able to get control of the e-mails by international judicial assistance.
On the other side Google confirmed that it does not currently have the capability, for all of its services, to determine the location of the data and produce that data to a human user at any particular point in time.
In the decision Judge Rueter described the storage of data by Google as follows:
“Google stores user data in various locations, some of which are in the United States and some of which are in countries outside the United States. Some user files may be broken into component parts, and different parts of a single file may be stored in different locations (and, accordingly, different countries) at the same time. Google operates a state-of-the-art intelligent network that, with respect to some types of data, including some of the data at issue in this case, automatically moves data from one location on Google’s network to another as frequently as needed to optimize for performance, reliability, and other efficiencies. As a result, the country or countries in which specific user data, or components of that data, is located may change. It is possible that the network will change the location of data between the time when the legal process is sought and when it is served.”
Google had to admit that solely Google personnel in Google’s legal team are authorized to access the content of communications. All such Google personnel are located in the USA. Because Google is not always capable of locating the data at any particular point in time, there is no other available process to obtain specific data.
Apart from the factual difference between the Microsoft and Google case, Judge Rueter also interpreted the Stored Communication Act in a different way.
Judge Rueter did not contest in the Google case that the Stored Communication Act does not apply extraterritorial. He came, however, to the conclusion that requiring Google to produce e-mails that may be stored abroad is not an unlawful extraterritorial application of the Stored Communication Act. In order to determine this question, Judge Rueter considered where the conduct relevant to the statutes “focus” occurred. The focus of the Stored Communication Act is the privacy of the communication participants. Contrary to the Judges in the Microsoft case, Judge Rueter held that the warrants at issue constitute neither a seizure nor a search of targets in a foreign country. Pursuant to Judge Rueter the invasion of privacy takes place in the USA.
Main Legal Arguments
The following arguments are relevant for that conclusion:
“Electronically transferring data from a server in a foreign country to Google’s data center in California does not amount to a “seizure” because there is no meaningful interference with the account holder’s possessory interest in the user data. Indeed, according to the Stipulation entered into by Google and the Government, Google regularly transfers user data from one data center to another without the customer’s knowledge. Such transfers do not interfere with the customer’s access or possessory interest in the user data. Even if the transfer interferes with the account owner’s control over his information, this interference is de minimis and temporary.”
“When Google produces the electronic data in accordance with the search warrants and the Government views it, the actual invasion of the account holders’ privacy – the searches – will occur in the United States. Even though the retrieval of the electronic data by Google from its multiple data centers abroad has the potential for an invasion of privacy, the actual infringement of privacy occurs at the time of disclosure in the United States.”
“That is, the invasions of privacy will occur in the United States; the searches of the electronic data disclosed by Google pursuant to the warrants will occur in the United States when the FBI reviews the copies of the requested data in Pennsylvania. These cases, therefore, involve a permissible domestic application of the SCA, even if other conduct (the electronic transfer of data) occurs abroad.”
No Risk of International Comity / Reasonable Interpretation
The court in the Microsoft case also mentioned international comity reasons for its decision. The seizure of the data stored on a server located in Ireland could affect the sovereignty of Ireland.
Judge Rueter held that international comity is not an issue in the Google case:
“Even if the interference with a foreign state’s sovereignty is implicated, the fluid nature of Google’s cloud technology makes it uncertain which foreign country’s sovereignty would be implicated when Google accesses the content of communications in order to produce it in response to legal process.”
Finally, Judge Rueter considered that the Stored Communication Act should not be interpreted in a way that is inconsistent with common sense. Interpretation of the Stored Communication Act as it was done in the Microsoft case would lead pursuant to Judge Rueter to unreasonable results. If interpreted as in the Microsoft case, the US authorities would be forced to request the data stored abroad by means of international judicial assistance. Yet, Google’s cloud architecture creates insurmountable obstacles for the US authorities with respect to judicial assistance as the location of data is changing on a regular basis.
Implications
Google already announced that it will appeal against the decision of Judge Rueter.
The decision of Judge Rueter is, if it should be upheld, a set back for the technology industry. Whereas the tech industry was rather happy after the Microsoft decision, the Google decision demonstrates that the extraterritorial reach of US search warrant might still be broader than desired.
The decision is, in particular, rather negative for cloud service providers in the USA. Various arguments of Judge Rueter have their main basis in the cloud architecture of Google (for example with respect to the international comity arguments or the argument that another interpretation of the Stored Communication Act would lead to an unreasonable result).
The main consequence for individuals and companies outside the USA is that data stored in clouds operated by companies with seat in the USA are still not safe from the access by US authorities.
Further information: