Microsoft Corp. is appealing the recent decision of U.S. District Judge Loretta A. Preska which requires the company to disclose the contents of e-mails stored at a data center in Dublin, Ireland, in compliance with a warrant issued pursuant to the Stored Communications Act in In the Matter of a Warrant to Search a Certain E-mail Account Controlled and Maintained by Microsoft Corp.

While the magistrate judge’s underlying 28-page memorandum and order denying Microsoft’s motion to quash the warrant had already attracted significant attention because it effectively granted extraterritorial power to a U.S. search and seizure warrant, Judge Preska’s bench ruling added a new justification for enforcing the warrant by relying on the Bank of Nova Scotia doctrine. Pursuant to the BNS doctrine, a grand jury subpoena can be used to compel a company subject to U.S. jurisdiction to produce evidence stored outside the United States if the evidence is within the company’s possession, custody or control. Judge Preska then proverbially “handcuffed” Microsoft’s appeal by finding that Microsoft had waived its argument that its customers’ e-mails and other personal electronic documents are not Microsoft’s own business records, a critical point in Microsoft’s contention that the BNS doctrine did not apply to the warrant at issue in this matter.

Left unchanged, Judge Preska’s ruling creates significant risks for any company subject to U.S. jurisdiction by weakening its ability to protect its customers’ information, abolishing distinctions between a company’s own business records and its customers’ private correspondence, and subjecting companies to potential sanctions for violating privacy laws of the countries in which they locate their data centers. Given the import of the ruling and the court’s broad application of the BNS doctrine, the Second Circuit ought to fully consider the parties’ positions on this issue and carefully consider the implications on privacy and international law.

Warrant Issued Pursuant to the SCA

This matter began with an application by the United States for a “search and seizure warrant” targeting a specific @msn.com e-mail account provided by Microsoft, and used by a person who is the subject of a government narcotics investigation. Magistrate Judge James C. Francis IV issued the warrant, after which Microsoft undertook to locate the data associated with the account. Microsoft determined that there were two buckets of data related to the account, one stored in the United States and the other in Ireland.

The “noncontent” bucket consisted of information such as the sender and recipient e-mail addresses as well as date and time information. Microsoft stored this information in the United States, and produced it in response to the warrant. The “content” bucket of information included the substance of the e-mails and their subject lines. For this particular user, Microsoft stored this information at a data center operated by a Microsoft subsidiary in Dublin, Ireland. Microsoft did not produce this information and instead moved to quash the warrant to the extent that it required information from the Dublin data center. Notably, Microsoft began the practice of using foreign data centers in 2010 to address the problem of “latency” that occurred when the servers were too far away from the user. The Irish data center would typically serve users that live closer to Ireland than the United States.

Magistrate Judge’s Ruling

Magistrate Judge Francis denied Microsoft’s motion. Based on the SCA’s structure and legislative history, and the anticipated burdens on law enforcement if SCA warrants were limited to information stored in the United States, the magistrate judge found the provider’s “control” of the subject information to be the central issue. The magistrate judge did not consider the information’s geographic location to be a relevant factor in light of precedent (discussed in the parties’ briefing as the BNS doctrine) pursuant to which a U.S. company, subject to U.S. jurisdiction, can be compelled by a subpoena to produce the company’s business records stored outside the United States as long as they are within the company’s “possession, custody or control.”

In objecting to the magistrate judge’s order, Microsoft argued that: (1) SCA warrants are confined to U.S. territory; (2) interpreting SCA warrants to have extraterritorial reach violates international law and raises troubling foreign policy concerns; (3) conscripting Microsoft to perform the search (rather than the government) does not remedy an unlawful search and seizure; (4) the BNS doctrine does not apply to a warrant case, or to the types of private customer correspondence at issue in this case; and (5) the government could and should have used its Mutual Legal Assistance Treaty with Ireland to access the information targeted by the warrant.

The government argued in support of the magistrate judge’s opinion, contending that: (1) the SCA has no “safe harbor” for data that a U.S. company chooses to store in a foreign nation; (2) the warrant did not require extraterritorial application because it did not authorize a search and seizure in Ireland (i.e., the search and seizure is domestic as Microsoft has the ability to access the data located in Ireland from the United States); (3) neither the SCA’s language nor its statutory history limited SCA warrants to information located within U.S. territory; (4) the content of e-mails is akin to “business records” that a party can be compelled to produce under the BNS doctrine; and (5) policy considerations, such as the difficulty in utilizing treaties to request the information from law enforcement authorities in the countries in which the data centers are located, weighed against limiting SCA warrants to U.S. territory.

The BNS Doctrine Comes to the Fore

The hearing over Microsoft’s objections took place on July 31 before Judge Preska. The hearing focused on the BNS doctrine, which was surprising because the doctrine did not appear in the magistrate judge’s memorandum (although the it did cite cases adopting similar principles) and because it was only one of several important issues addressed by the parties’ briefing.

Ruling from the bench, Judge Preska adopted the magistrate judge’s memorandum and order.¹ She then explained that the oral argument had uncovered “additional examples of why the structure, language, legislative history, congressional knowledge of precedent, including the BNS doctrine, all lead to the conclusion that Congress intended in this statute for international service providers to produce information under their control, albeit stored abroad, to law enforcement in the United States. As Judge Francis found, it is a question of control, not a question of location of that information.”²

To understand the importance of the court’s focus on the BNS doctrine, it is necessary to understand that the court approved the magistrate judge’s characterization of a SCA warrant as a “hybrid: part search warrant and part subpoena.” By doing so, the court sidestepped the concern about the extraterritorial application of a U.S. search warrant. That is, the warrant itself is not applied extraterritorially because it is actually the subpoena part (under the BNS doctrine) of the hybrid that requires Microsoft to obtain the documents from its Irish data center and bring them to the United States. Once in the United States, the warrant part (previously approved by the magistrate judge) of the hybrid applies, and addresses the Fourth Amendment privacy concerns that arise because users have a reasonable expectation of privacy as to their e-mails.

Under this approach, Judge Preska determined that enforcing the warrant was not an extraterritorial application of U.S. law, and that “the production of [the] information is not an intrusion on the foreign sovereign. It is incidental at best.” She explained that Section 442(1)(a) of the Restatement (Third) of Foreign Relations is dispositive of the matter because it states that: “A court or agency in the U.S., when authorized by statute or rule of court, may order a person subject to its jurisdiction to produce documents, objects or other information relevant to an action or investigation, even if the information or the person in possession of the information is outside the U.S.”³ While not explicitly stating as much, the court appeared to reason that the “authoriz[ation]” referenced in Section 442(1)(a) came from the SCA, as interpreted in light of the BNS doctrine, which circles back to the questions of the scope of the BNS doctrine and whether Congress intended SCA warrants to apply extraterritorially.

Misapplication of the Waiver Doctrine

The court also concluded that “Microsoft’s argument that the documents are not Microsoft’s documents but the documents of its customers has been waived because it was not argued below.” This conclusion is not based on accurate facts and misapplies Federal Rule of Criminal Procedure 59. Under that rule, Microsoft was obligated to object to the magistrate judge’s memorandum with sufficient specificity so as reasonably to alert the district court of the true ground for its objections.⁴ Microsoft’s objections easily satisfied this burden. In fact, the first sentence of Microsoft’s July 24, 2014, brief attacked the very issue the court later found to be waived: “The government builds its entire argument on the quicksand foundation of a single flawed premise: that a customer’s electronic letters and personal documents are Microsoft’s own business records.” Moreover, the first eight pages of the brief thoroughly explained why the BNS doctrine does not apply to the e-mail content at issue in this matter.⁵

Disputed Scope of the BNS Doctrine

The Second Circuit’s determination of the waiver issue is critical because Microsoft’s explanation of the distinctions between the e-mail content at issue in this matter and the transactional bank records at issue in the BNS cases would ensure proper consideration of the BNS doctrine’s scope.

The parties’ respective descriptions of the doctrine are roughly the same.⁶ The parties disagree strenuously, however, about whether the doctrine reaches the e-mails targeted by the SCA warrant in this matter. Microsoft contends that the doctrine is limited and does not reach the content of its customers’ e-mails, which are subject to the highest levels of constitutional protection. Rather, the doctrine reaches only a company’s own business records or “other people’s records that have been shared with that company and that therefore have already been exposed.”⁷ In contrast, the government contends Microsoft’s customers’ e-mails are Microsoft’s “own records,” and argued that the BNS doctrine turns only on control and not on ownership.

Microsoft’s interpretation of the doctrine’s reach is factually more consistent with the specific documents at issue in the BNS cases. In those cases,⁸ the Eleventh Circuit considered the Bank of Nova Scotia’s appeals from contempt orders stemming from its failure to comply with orders enforcing a grand jury subpoena duces tecum. The subpoena was served on the bank’s Miami branch and sought (pursuant to a tax and narcotics investigation) financial documents pertaining to two individuals and three companies from its branches in Antigua, Cayman Islands and the Bahamas. The following documents were requested and ultimately produced: certificates of deposit, receipts, requisition forms, deposit slips, statements, slip and credit memos, vouchers, bank forms and checking account statements. The Eleventh Circuit rejected the bank’s argument that it was prohibited from producing such documents by the bank secrecy laws of the countries in which these branches were located.

At the hearing, Microsoft characterized these documents as the bank’s own transactional records, and distinguished them from personal, private documents that a customer may store in a secure lockbox at the bank. Microsoft contended that private e-mails are not comparable to the bank’s transactional records, but instead are essentially electronic versions of private correspondence that are stored in a “digital lockbox.” The government rejected Microsoft’s characterization of BNS doctrine’s limitations, and argued that “control” was the only issue under the BNS doctrine.

The parties also disagreed about whether the BNS doctrine is an appropriate tool for assessing the application of a SCA warrant. The government contended that courts had previously approved, in a domestic context, the approach of using a subpoena and warrant together to get particular evidence, with the subpoena utilized to get evidence from a particular source, and the warrant utilized to actually search and seize that evidence. Accordingly, the government contended it could use the same subpoena-warrant model to retrieve documents stored abroad. Microsoft pointed out, however, that the BNS doctrine (which applies to documents stored abroad) had never previously been applied to a warrant case. Microsoft argued that this distinction was critical and should be honored with respect to documents stored abroad because subpoenas issued pursuant to the BNS doctrine require that a court apply a balancing test that (among other things) considers the interests of the foreign sovereign, and because subpoenas and warrants have different procedural safeguards that are diminished when the two processes are conflated with each other.

The court sided with the government in concluding that Congress intended the SCA to be consistent with the BNS doctrine because Congress knew about the BNS cases (decided between 1982 and 1984) when it passed the SCA in 1986. While it appears that the court was relying on the canon of statutory construction that Congress is aware of existing law when it passes legislation, it is difficult to apply that canon where, as here, there is significant disagreement about the whether the BNS doctrine (and cases applying similar principles) apply to warrant cases, and whether it just applies to a company’s own records or also to records that it holds on behalf of its own customers.

Importance of the Second Circuit’s Resolution

The Second Circuit’s resolution of whether the BNS doctrine applies to a SCA warrant case matters significantly to companies that store their customers’ private information outside the United States and also to consumers. In light of Judge Preska’s application of the BNS doctrine, consumers face the situation that what they consider as their own private electronic documents and correspondence may now constitute business records of the companies that provide electronic document storage services abroad. At the same time, any company subject to the jurisdiction of a U.S. court that stores its customers’ electronic data abroad and maintains control of that data must be aware that such data is subject to disclosure pursuant to a SCA warrant, regardless of whether such disclosure would violate the laws of the foreign sovereign.

More broadly, this matter showcases the difficulties in applying the “control” factor in the current technological setting. The differentiation between “company documents” versus “customer documents” hinges on the definition of control. If “control” over data stored abroad simply is defined as the ability of ISPs to access private e-mail content and other documents of their customers, then consumers’ privacy expectations are excluded from the analysis and the meaning of “control” will broadly expand in today’s digital landscape, in which it is rare that ISPs are completely unable to access their customers’ stored data. As such, the “control” factor may lose a meaningful definition in the disclosure context in the digital age unless courts begin to erect new limits and boundaries for a company’s control over its customers’ electronic data. Privacy expectations of consumers cannot be left out of the equation.

Endnotes

1 Transcript of Oral Argument (July 31, 2014), In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp (hereinafter, “Tr.”) at 68:24-25.

2 Tr. 69:1-8 (emphasis added).

3 See Restatement (Third) of Foreign Relations § 442(1)(a), which the Court partially quoted at Tr. 69:9-19.

4 John K. Rabiej, 28 MOORE’S FED. PRAC. - - CRIM. PROCEDURE § 659.11 (2014).

5 Doc. 70, Reply in Support of Microsoft’s Objections to the Magistrate’s Order Denying Microsoft’s Motion to Vacate in Part a Search Warrant Seeking Customer Information Located Outside the United States, at 1-8 (1:13-mj-02814-UA).

6 See Doc. 60, Government’s Brief in Support of the Magistrate Judge’s Decision to Uphold a Warrant Ordering Microsoft to Disclose Records Within Its Custody and Control, at 14 (1:13-mj-02814-UA) (the BNS doctrine “expressly authorizes the Government to obtain through compulsory process records stored abroad, even though no U.S. court could authorize entry into the location where the records are stored so that they could be seized directly.”); Doc. 6, Memorandum in Support of Microsoft’s Motion to Vacate in part an SCA Warrant Seeking Customer Information Located Outside the United States, at 7 (1:13-mj-02814-UA) (the BNS doctrine “stand[s] for the proposition that a party subject to U.S. jurisdiction can be compelled by grand jury subpoena to produce evidence stored outside the United States so long as the evidence is within the party’s ‘possession, custody, or control.’”).

7 Tr. 36:20-24.

8 In re Grand Jury Proceedings (U.S. v. Bank of Nova Scotia), 740 F.2d 817 (11th Cir. 1984); In re Grand Jury Proceedings (U.S. v. Bank of Nova Scotia), 722 F.2d 657 (11th Cir. 1983); In re Grand Jury Proceedings (U.S. v. Bank of Nova Scotia), 691 F.2d 1384 (11th Cir. 1982).

This article was published in Law360 on September 8, 2014. © Copyright 2014, Portfolio Media, Inc., publisher of Law360. It is reprinted here with permission.