Privacy Victory or Criminal Loophole?: Implications of Second Circuit’s Decision in Microsoft v. USA

Many are calling the recent Second Circuit decision in Microsoft Corp. v. USA “a victory for privacy.”1 The Second Circuit ruled that a Stored Communications Act (SCA) warrant does not compel production of email content stored exclusively on foreign servers.2 The Stored Communications Act was passed in 1986 with the intent “to protect the privacy of digital communications.”3 The SCA allows a customer to sue a service provider that discloses private data under the law unless the disclosure was made in “good faith reliance on a warrant, order, or subpoena.”4

After asserting that a Microsoft email account was being used to facilitate drug trafficking, federal prosecutors in New York executed a search warrant on Microsoft Corporation seeking disclosure of “information associated with a particular individual’s email address, including the email contents.”1 Microsoft complied in part with the search warrant and provided basic “information about the customer that was being stored” on its United States servers.5 However, Microsoft refused to provide the email contents, asserting that they were stored on its servers in Dublin, Ireland.6 Microsoft justified its refusal to fully comply with the search warrant on the grounds that the court did not have the authority to compel the production of data maintained outside of the United States.7 The Second Circuit agreed.

The Court reasoned that traditional federal rules dictate that warrants issued by the courts only permit law enforcement officials to search property within the boundaries of the United States.8 Even if the property the government seeks is electronic in nature, the same rules apply. The Second Circuit’s ruling demonstrates the United States’ desire to avoid interfering with the laws of foreign countries.9 Foreign countries should be free to utilize services and technology of American tech companies without having to answer to the United States government.10

On its face this may seem like a victory for privacy, but what are the negative implications of this decision? In theory, this decision has now created a loophole in the system that will allow criminals to conduct illegal business activity through email. Upon registering for a Microsoft email account, an individual is prompted to enter their location and Microsoft takes this information at face value.11 Based on the location entered in the system by the customer, Microsoft will then store the customer’s email contents in a “data center assigned to that country.”12 As long as a criminal enters a location outside of the United States, the content of their emails will remain private if a search warrant is issued. The only way U.S. law enforcement will be able to access the emails it seeks is by collaborating with law enforcement officials in the country where the data is being stored.13 This could significantly thwart law enforcement’s ability to investigate illicit activity. In addition, this decision could have a significant impact on U.S. service “providers’ decisions to exclusively store information abroad.”14 More U.S.-based service providers may opt to store data exclusively on foreign servers to protect their customers’ privacy rights and to decrease the likelihood of U.S. government interference with those rights. [Id.]