Technology has fundamentally changed the way we all store our information, and that has put technology companies on the front lines of the fight to ensure private data are protected as well in the digital age as in the past. This fight is now playing out in a lawsuit in New York, where the US government is urging a court to ignore the true nature of digitally stored information so that it can avoid clear limits on search-and-seizure authority. The court should instead reaffirm limits on government power to preserve critical privacy protections.
Up on appeal is a case from the US District Court in the Southern District of New York in which the government served Microsoft Corp. with a search warrant directing it to produce the contents of a customer’s email account. Microsoft determined that it had stored the content on a server in Dublin. Rather than produce the email content, the company produced only data stored in the United States and moved to dismiss the warrant to conduct an exterritorial search at the government’s behest.
This case presents critically important issues for each of us as we increasingly turn to sophisticated technologies to store and organize our private communications, our photographs, our most sensitive business and personal data. The right to keep that data private is essential — and it requires that we extend and adapt longstanding legal protections to the new context of today’s digital world.
That is what the US Supreme Court recognized unanimously on June 25 in Riley v. California, when it ruled that the federal government cannot conduct warrantless searches of information stored on a cellphone. In that case, the government claimed that past decisions allowing the search of “a cigarette pack, a wallet or a purse” found on a person when he or she was arrested should be applied to the very different context of digitally stored information. The argument that those two types of searches are “materially indistinguishable,” the court found, “is like saying that a ride on horseback is materially indistinguishable from a flight to the moon. Both are ways of getting from point A to point B, but little else justifies lumping them together.”
The case pending in federal court in New York involves law enforcement officials’ authority to obtain information using warrants, which do not require any advance notice to the person whose information is being sought. Ordinarily, warrants are limited to information located within the United States. But the government claims it can serve a warrant on an Internet service provider in the United States and force that company to turn over emails of non-US customers stored on servers outside this country.
That astonishing overreach is based on a legal fiction — that no search occurs until the digital data are transferred to the United States. But that is simply wrong as a technical matter, because the foreign server must be searched to identify the information at issue and to transfer it to the United States. And it is wrong as a legal matter as well: No one would argue that physical papers stored in Ireland, France or Hong Kong had not been “searched” if they were identified, bundled up and sent to the United States.
The government’s expansive argument also violates a second fundamental legal principle, known as “comity,” which requires US courts to give appropriate respect to the laws and interests of other nations when addressing questions about the application of US law abroad. Another recent Supreme Court decision, Daimler AG v. Bauman, addressed this very point, adopting a narrow rule regarding the jurisdiction of US courts because of concerns about intruding on the interests of other nations. The federal government argued in favor of that narrow approach.
Now it is urging precisely the opposite approach and ignoring the fact that many other countries have laws protecting the privacy of their citizens that make it illegal to send individuals’ personal information outside their borders. The government’s demands therefore would force companies to violate foreign law — and risk criminal penalties — or violate US law by refusing to do so. It’s particularly odd that the government is urging its aggressive legal rule when it has other options. Mutual legal assistance treaties in place with many other nations allow the US government to ask the country in which the information is located to obtain the information using its own, local authority. And the 42-nation Convention on Cybercrime provides for cross-border assistance in obtaining electronically stored data.
The US government’s position is ultimately self-defeating. Extending US law outside our country’s borders would make non-US individuals and companies reluctant to do business with service providers that have operations within the United States. Moreover, if the US government decides it can demand information in other countries, other governments will follow suit and force technology companies to turn over the private information of American citizens. This chaotic and routine infringement of sovereign territory is unsustainable as a framework for collecting private citizens’ communications and other personal information internationally.
Let’s hope the New York court follows the same path as the Supreme Court and rejects the government’s attempt to eviscerate privacy protections that are recognized in the United States and in the laws of other countries around the world.
Reprinted with permission from the July 28 issue of The National Law Journal (c) 2014 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.
