The Empire Strikes Back
- James McCarthy, Esq.|
- January 30, 2017
Microsoft had a good week. On Tuesday, a federal appeals court in New York quashed a search warrant seeking to compel Microsoft to turn over customer emails it stores overseas.  The day before, Microsoft defended itself against a US Department of Justice (DOJ) motion to dismiss its lawsuit to protect its customers from “Secrecy Orders,” a procedure where Microsoft is compelled to turn over customer’s email and data and then restrained from advising its customers of the search.  The fever pitched privacy battles in 2016 are shaping up to be an undercard for larger title fights in 2017, if the first few weeks of the New Year are any harbinger of what is to come.
To be certain, this issue is far from one sided. Law enforcement requires all available investigational tools necessary to fight increasingly more sophisticated criminals and terrorism while American tech companies cannot compete in world markets selling cloud based services if compelled to participate in secret governmental searches of any of its billions of customers and businesses world-wide. Underlying these turf battles, a seemingly existential question- where does data exist?
Faced with practical problems as to the reach of US law overseas and emerging technology, the law enforcement community challenges conventional thinking and posits that courts should not equate the physical place of cloud based storage with where it may search. This argument contends that if territorial restrictions apply to search warrants based on the physical location of a server environment, it would be easy for criminals and terrorists to easily evade investigations. Rather, law enforcement would have the courts adopt a wholistic view that sees data as something that lacks precise location or nationality because data is as movable as the device from which it is accessed.
In an ironic twist, Microsoft and its fellow third party providers may well adopt a more conservative definition of the nature of data and assert a location driven legal status when taking on US law enforcement. In the search warrant case, Second Circuit Appeals Judge Sarah Carney found that, “[w]e think Microsoft has the better of the argument” finding that the dated 1986 ECPA law cited by the DOJ was never meant to apply “extraterritorially.” Clearly, the Second Circuit does not subscribe to a ubiquitous definition of data. Perhaps, the question whether data truly has a home may be addressed in the Microsoft v DOJ case, where the battle has now shifted to the concept of “standing.” The DOJ filed a motion to dismiss arguing Microsoft has no standing and cannot advance unreasonable search and seizure claims under the 4th Amendment on behalf of its customers. Microsoft counters that it’s a “catch22” because its customers are not aware that their property is being searched and cannot assert those rights because ECPA has Secrecy Orders so that Microsoft may not notify its customers of the search. Microsoft also contends this prior restraint on communication with their customers is a violation of Microsoft’s First Amendment rights. In that case, federal district Judge Robart is expected to rule on the government’s dismissal motion in the next few weeks. While in prior rulings, Judge Robart found that only the aggrieved person can assert rights on their own behalf, the court signaled this case may be different. “I’m disturbed by the idea that you can have an invasion of rights or privacy without ever disclosing it,” he said. “Microsoft customers have a reasonable expectation of privacy in the content they have stored.”
As for the global resolution, Microsoft submits that the answer lies in a multi-jurisdictional approach citing a new European law promulgated by the EU and a proposed new US law.  For the immediate moment, however, tech giants appear to be poised to exploit the limitations of current US law, differing standards of privacy expectations, and demands of new international business norms. At the same time, we expect law enforcement to pursue aggressively all new investigational tools available to them while defining their mission in terms of security rather than financial.
So, stay tuned! 2017 should be exciting as we see this fight play out in US and EU courts, K Street and Congress.
In the Matter of a Warrant to Search a Certain E‐Mail Account Controlled and Maintained by Microsoft
Corporation Docket No. 14‐2985 (US Ct. Appeals, 2d Cir.).
 Microsoft Corporation v. The United States Department of Justice and Loretta Lynch, Docket No. 2:16-cv-00538 (U.S. Dist. Ct. Wash.).
 The International Communications Privacy Act—ICPA (Introduced 5/25/16 Sen Hatch, Orrin G (R-UT)) to replace the Electronic Communications Privacy Act, 18 U.S.C. § 2510-22 would use the Mutual Legal Assistance Treaty (MLAT) process to establish more accessibility, transparency and accountability. The General Data Protection Regulation (GDPR) created by the EU Court of Justice to replace the 1995 Data Protective Directorate would set clearer rules and impose substantial fines for mishandling of personal data beginning in 2018.
Your legal, compliance and security teams rely on having an immutable copy of all of your emails. Office 365 archiving does not support journaling. So what should we do?
This eBook provides actionable tips to empower IT to solve the problem.
James M. McCarthy graduated from Christian Brothers Academy in 1982; Rutgers College, Rutgers University in 1986; and Western New England College School of Law in 1989. Mr. McCarthy was admitted to the New Jersey State Bar in 1989; the United States District Court for the District of New Jersey in 1989 and the United States Court of Appeals for the Third Circuit in 1991.