SUSAN L. CARNEY, Circuit Judge:
Microsoft Corporation appeals from orders of the United States District Court for the Southern District of New York denying its motion to quash a warrant ("Warrant") issued under § 2703 of the Stored Communications Act ("SCA" or the "Act"), 18 U.S.C. §§ 2701 et seq., and holding Microsoft in contempt of court for refusing to execute the Warrant on the government's behalf. The Warrant directed Microsoft to seize and produce the contents of an e-mail account that it maintains for a customer who uses the company's electronic communications services. A United States magistrate judge (Francis, M.J.) issued the Warrant on the government's application, having found probable cause to believe that the account was being used in furtherance of narcotics trafficking. The Warrant was then served on Microsoft at its headquarters in Redmond, Washington.
Microsoft produced its customer's non-content information to the government, as directed. That data was stored in the United States. But Microsoft ascertained that, to comply fully with the Warrant, it would need to access customer content that it stores and maintains in Ireland and to import that data into the United States for delivery to federal authorities. It declined to do so. Instead, it moved to quash the
Microsoft and the government dispute the nature and reach of the Warrant that the Act authorized and the extent of Microsoft's obligations under the instrument. For its part, Microsoft emphasizes Congress's use in the Act of the term "warrant" to identify the authorized instrument. Warrants traditionally carry territorial limitations: United States law enforcement officers may be directed by a court-issued warrant to seize items at locations in the United States and in United States-controlled areas, see Fed. R. Crim. P. 41(b), but their authority generally does not extend further.
The government, on the other hand, characterizes the dispute as merely about "compelled disclosure," regardless of the label appearing on the instrument. It maintains that "similar to a subpoena, [an SCA warrant] requir[es] the recipient to deliver records, physical objects, and other materials to the government" no matter where those documents are located, so long as they are subject to the recipient's custody or control. Gov't Br. at 6. It relies on a collection of court rulings construing properly-served subpoenas as imposing that broad obligation to produce without regard to a document's location. E.g., Marc Rich & Co., A.G. v. United States, 707 F.2d 663 (2d Cir. 1983).
For the reasons that follow, we think that Microsoft has the better of the argument. When, in 1986, Congress passed the Stored Communications Act as part of the broader Electronic Communications Privacy Act, its aim was to protect user privacy in the context of new technology that required a user's interaction with a service provider. Neither explicitly nor implicitly does the statute envision the application of its warrant provisions overseas. Three decades ago, international boundaries were not so routinely crossed as they are today, when service providers rely on worldwide networks of hardware to satisfy users' 21st — century demands for access and speed and their related, evolving expectations of privacy.
Rather, in keeping with the pressing needs of the day, Congress focused on providing basic safeguards for the privacy of domestic users. Accordingly, we think it employed the term "warrant" in the Act to require pre-disclosure scrutiny of the requested search and seizure by a neutral third party, and thereby to afford heightened privacy protection in the United States. It did not abandon the instrument's territorial limitations and other constitutional requirements. The application of the Act that the government proposes — interpreting "warrant" to require a service provider to retrieve material from beyond the borders of the United States — would require us to disregard the presumption against extraterritoriality that the Supreme Court re-stated and emphasized in Morrison v. National Australia Bank Ltd., 561 U.S. 247, 130 S.Ct. 2869, 177 L.Ed.2d 535 (2010) and, just recently, in RJR Nabisco, Inc. v. European Cmty., 579 U.S. ___, ___, 136 S.Ct. 2090, 195 L.Ed.2d 476 (2016). We are not at liberty to do so.
We therefore decide that the District Court lacked authority to enforce the Warrant against Microsoft. Because Microsoft has complied with the Warrant's domestic directives and resisted only its extraterritorial aspects, we REVERSE the District Court's denial of Microsoft's motion to quash, VACATE its finding of civil contempt, and REMAND the cause with instructions to the District Court to quash the Warrant insofar as it directs Microsoft
I. Microsoft's Web-Based E-mail Service
The factual setting in which this dispute arose is largely undisputed and is established primarily by affidavits submitted by or on behalf of the parties.
Microsoft Corporation is a United States business incorporated and headquartered in Washington State. Since 1997, Microsoft has operated a "web-based e-mail" service available for public use without charge. Joint Appendix ("J.A.") at 35. It calls the most recent iteration of this service Outlook.com.
Microsoft explains that, when it provides customers with web-based access to e-mail accounts, it stores the contents of each user's e-mails, along with a variety of non-content information related to the account and to the account's e-mail traffic, on a network of servers.
Microsoft currently makes "enterprise cloud service offerings" available to customers in over 100 countries through Microsoft's "public cloud."
One of Microsoft's datacenters is located in Dublin, Ireland, where it is operated by a wholly owned Microsoft subsidiary. According to Microsoft, when its system automatically determines, "based on [the user's] country code," that storage for an e-mail account "should be migrated to the Dublin datacenter," it transfers the data associated with the account to that location. Id. at 37. Before making the transfer, it does not verify user identity or location; it simply takes the user-provided information at face value, and its systems migrate the data according to company protocol.
Under practices in place at the time of these proceedings, once the transfer is complete, Microsoft deletes from its U.S.-based servers "all content and non-content information associated with the account in the United States," retaining only three data sets in its U.S. facilities. Id. at 37. First, Microsoft stores some non-content e-mail information in a U.S.-located "data warehouse" that it operates "for testing and quality control purposes." Id. Second, it may store some information about the user's online address book in a central "address book clearing house" that it maintains in the United States. Third, it may store some basic account information, including the user's name and country, in a U.S.-sited database. Id. at 37-38.
Microsoft asserts that, after the migration is complete, the "only way to access" user data stored in Dublin and associated with one of its customer's web-based e-mail accounts is "from the Dublin datacenter." Id. at 37. Although the assertion might be read to imply that a Microsoft employee must be physically present in Ireland to access the user data stored there, this is not so. Microsoft acknowledges that, by using a database management program that can be accessed at some of its offices in the United States, it can "collect" account data that is stored on any of its servers globally and bring that data into the United States. Id. at 39-40.
II. Procedural History
On December 4, 2013, Magistrate Judge James C. Francis IV of the United States District Court for the Southern District of New York issued the "Search and Seizure Warrant" that became the subject of Microsoft's motion to quash.
Although the Warrant was served on Microsoft, its printed boilerplate language advises that it is addressed to "[a]ny authorized law enforcement officer." Id. at 44. It commands the recipient to search "[t]he PREMISES known and described as the email account [redacted]@MSN.COM, which is controlled by Microsoft Corporation."
Its Attachment A, "Property To Be Searched," provides, "This warrant applies to information associated with [redacted]@msn.com, which is stored at premises owned, maintained, controlled, or operated by Microsoft Corporation...." Id. at 45. Attachment C, "Particular Things To Be Seized,"
After being served with the Warrant, Microsoft determined that the e-mail contents stored in the account were located in its Dublin datacenter. Microsoft disclosed all other responsive information, which was kept within the United States, and moved the magistrate judge to quash the Warrant with respect to the user content stored in Dublin.
As we have recounted, the magistrate judge denied Microsoft's motion to quash. In a Memorandum and Order, he concluded that the SCA authorized the District Court to issue a warrant for "information that is stored on servers abroad." In re Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, 15 F.Supp.3d 466, 477 (S.D.N.Y. 2014) ("In re Warrant"). He observed that he had found probable cause for the requested search, and that the Warrant was properly served on Microsoft in the United States. He noted that, inasmuch as an SCA warrant is served on a service provider rather than on a law enforcement officer, it "is executed like a subpoena in that it ... does not involve government agents entering the premises of the ISP [Internet service provider] to search its servers and seize the e-mail account in question." Id. at 471. Accordingly, he determined that Congress intended in the Act's warrant provisions to import obligations similar to those associated with a subpoena to "produce information in its possession, custody, or control regardless of the location of that information." Id. at 472 (citing Marc Rich, 707 F.2d at 667). While acknowledging that Microsoft's analysis in favor of quashing the Warrant with respect to foreign-stored customer content was "not inconsistent with the statutory language," he saw Microsoft's position as "undermined by the structure of the SCA, its legislative history," and "by the practical consequences that would flow from adopting it." He therefore concluded that Microsoft was obligated to produce the customer's content, wherever it might be stored. He also treated the place where the government would review the content (the United States), not the place of storage (Ireland), as the relevant place of seizure.
Microsoft appealed the magistrate judge's decision to Chief Judge Loretta A. Preska, who, on de novo review and after a hearing, adopted the magistrate judge's reasoning and affirmed his ruling from the bench. In re Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, 1:13-mj-02814
Microsoft timely noticed its appeal of the District Court's decision denying the motion to quash. Not long after, the District Court acted on a stipulation submitted jointly by the parties and held Microsoft in civil contempt for refusing to comply fully with the Warrant.
We now reverse the District Court's denial of Microsoft's motion to quash; vacate the finding of contempt; and remand the case to the District Court with instructions to quash the Warrant insofar as it calls for production of customer content stored out-side the United States.
III. Statutory Background
The Warrant was issued under the provisions of the Stored Communications Act, legislation enacted as Title II of the Electronic Communications Privacy Act of 1986. Before we begin our analysis, some background will be useful.
A. The Electronic Communications Privacy Act of 1986
The Electronic Communications Privacy Act ("ECPA") became law in 1986.
B. The Technological Setting in 1986
When it passed the Stored Communications Act almost thirty years ago, Congress
One historian of the Internet has observed that "before 1988, the New York Times mentioned the Internet only once — in a brief aside." Roy Rosenzweig, Wizards, Bureaucrats, Warriors, and Hackers: Writing the History of the Internet, 103 Am. Hist. Rev. 1530, 1530 (1998). The TCP/IP data transfer protocol — today, the standard for online communication — began to be used by the Department of Defense in about 1980. See Leonard Kleinrock, An Early History of the Internet, IEEE Commc'ns Mag. 26, 35 (Aug. 2010). The World Wide Web was not created until 1990, and we did not even begin calling it that until 1993. Daniel B. Garrie & Francis M. Allegra, Plugged In: Guidebook to Software and the Law § 3.2 (2015 ed.). Thus, a globally-connected Internet available to the general public for routine e-mail and other uses was still years in the future when Congress first took action to protect user privacy. See Craig Partridge, The Technical Development of Internet Email, IEEE Annals of the Hist. of Computing 3, 4 (Apr.-June 2008).
C. The Stored Communications Act
As the government has acknowledged in this litigation, "[t]he SCA was enacted to extend to electronic records privacy protections analogous to those provided by the Fourth Amendment." Gov't Br. at 29 (citing S. Comm. on Judiciary, Electronic Communications Privacy Act of 1986, S. Rep. No. 99-541, at 5 (1986)). The SCA provides privacy protection for users of two types of electronic services — electronic communication services ("ECS") and remote computing services ("RCS") — then probably more distinguishable than now.
As to both services, the Act imposes general obligations of non-disclosure on service providers and creates several exceptions to those obligations. Thus, its initial provision, § 2701, prohibits unauthorized third parties from, among other things, obtaining or altering electronic communications stored by an ECS, and imposes criminal penalties for its violation. Section 2702 restricts the circumstances in which service providers may disclose information associated with and contents of stored communications to listed exceptions, such as with the consent of the originator or upon notice to the intended recipient, or pursuant to § 2703. Section 2703 then establishes conditions under which the government may require a service provider to disclose the contents of stored communications and related obligations to notify a customer whose material has been accessed. Section 2707 authorizes civil actions by entities aggrieved by violations of the Act, and makes "good faith reliance" on a court warrant or order "a complete defense." 18 U.S.C. § 2707(e).
Regarding governmental access in particular, § 2703 sets up a pyramidal structure governing conditions under which service providers must disclose stored communications to the government. Basic subscriber and transactional information can be obtained simply with an administrative subpoena.
As noted, § 2703 calls for those warrants issued under its purview by federal courts to be "issued using the procedures described in the Federal Rules of Criminal Procedure." Rule 41 of the Federal Rules of Criminal Procedure, entitled "Search and Seizure," addresses federal warrants. It directs "the magistrate judge or a judge of a state court of record" to issue the warrant to "an officer authorized to execute it." Rule 41(e)(1). And insofar as territorial reach is concerned, Rule 41(b) describes the extent of the power of various authorities (primarily United States magistrate judges) to issue warrants with respect to persons or property located within a particular federal judicial district. It also allows magistrate judges to issue warrants that may be executed outside of the issuing district, but within another district of the United States. Fed. R. Crim. P. 41(b)(2), (b)(3). Rule 41(b)(5) generally restricts the geographical reach of a warrant's execution, if not in another federal district, to "a United States territory, possession, or commonwealth," and various diplomatic or consular missions of the United States or diplomatic residences of the United States located in a foreign state.
I. Standard of Review
We will vacate a finding of civil contempt that rests on a party's refusal to comply with a court order if we determine that the district court relied on a mistaken understanding of the law in issuing its order. United States ex rel. Touhy v. Ragen, 340 U.S. 462, 464-70, 71 S.Ct. 416, 95 L.Ed. 417 (1951). Similarly, we will vacate a district court's denial of a motion to quash if we conclude that the denial rested
It is on the legal predicate for the District Court's rulings — its analysis of the Stored Communications Act, in particular, and of the principles of construction set forth by the Supreme Court in Morrison v. National Australia Bank Ltd., 561 U.S. 247, 130 S.Ct. 2869, 177 L.Ed.2d 535 (2010) — that we focus our attention in this appeal.
II. Whether the SCA Authorizes Enforcement of the Warrant as to Customer Content Stored in Ireland
A. Analytic Framework
The parties stand far apart in the analytic frameworks that they present as governing this case.
Adopting the government's view, the magistrate judge denied Microsoft's motion to quash, resting on the legal conclusion that an SCA warrant is more akin to a subpoena than a warrant, and that a properly served subpoena would compel production of any material, including customer content, so long as it is stored at premises "owned, maintained, controlled, or operated by Microsoft Corporation." In re Warrant, 15 F.Supp.3d at 468 (quoting Warrant). The fact that those premises were located abroad was, in the magistrate judge's view, of no moment. Id. at 472.
Microsoft offers a different conception of the reach of an SCA warrant. It understands such a warrant as more closely resembling a traditional warrant than a subpoena. In its view, a warrant issued under the Act cannot be given effect as to materials stored beyond United States borders, regardless of what may be retrieved electronically from the United States and where the data would be reviewed. To enforce the Warrant as the government proposes would effect an unlawful extraterritorial application of the SCA, it asserts, and would work an unlawful intrusion on the privacy of Microsoft's customer.
Although electronic data may be more mobile, and may seem less concrete, than many materials ordinarily subject to warrants, no party disputes that the electronic data subject to this Warrant were in fact located in Ireland when the Warrant was served. None disputes that Microsoft would have to collect the data from Ireland to provide it to the government in the United States. As to the citizenship of the customer whose e-mail content was sought, the record is silent. For its part, the SCA is silent as to the reach of the statute as a whole and as to the reach of its warrant provisions in particular. Finally, the presumption against extraterritorial application of United States statutes is strong and binding. See Morrison, 561 U.S. at 255, 130 S.Ct. 2869. In these circumstances, we believe we must begin our analysis with an inquiry into whether Congress, in enacting the warrant provisions of the SCA, envisioned and intended those provisions to reach outside of the United States. If we discern that it did not, we must assess whether the enforcement of this Warrant constitutes an unlawful extraterritorial application of the statute. We thus begin with a brief review of Morrison, which outlines the operative principles.
B. Morrison and the Presumption Against Extraterritoriality
When interpreting the laws of the United States, we presume that legislation of Congress "is meant to apply only within the territorial jurisdiction of the United States," unless a contrary intent clearly appears. Id. at 255, 130 S.Ct. 2869 (internal quotation marks omitted); see also RJR Nabisco, Inc. v. European Cmty., 579 U.S. ___, ___, 136 S.Ct. 2090, 195 L.Ed.2d 476 (2016). This presumption rests on the perception that "Congress ordinarily legislates with respect to domestic, not foreign matters." Id. The presumption reflects that Congress, rather than the courts, has the "facilities necessary" to make policy decisions in the "delicate field of international relations." Kiobel v. Royal Dutch Petroleum Co., ___ U.S. ___, 133 S.Ct. 1659, 1664, 185 L.Ed.2d 671 (2013) (quoting Benz v. Compania Naviera Hidalgo, S.A., 353 U.S. 138, 147, 77 S.Ct. 699, 1 L.Ed.2d 709 (1957)). In line with this recognition, the presumption is applied to protect against "unintended clashes between our laws and those of other nations which could result in international discord." Equal Emp't Opportunity Comm'n v. Arabian American Oil Co., 499 U.S. 244, 248, 111 S.Ct. 1227, 113 L.Ed.2d 274 (1991) ("Aramco"); see generally Parkcentral Global Hub Ltd. v. Porsche Auto. Holdings SE, 763 F.3d 198 (2d Cir. 2014) (per curiam).
To decide whether the presumption limits the reach of a statutory provision in a particular case, "we look to see whether `language in the [relevant Act] gives any indication of a congressional purpose to extend its coverage beyond places over which the United States has sovereignty or has some measure of legislative control.'" Aramco, 499 U.S. at 248, 111 S.Ct. 1227 (alteration in original) (quoting Foley Bros., Inc. v. Filardo, 336 U.S. 281, 285, 69 S.Ct. 575, 93 L.Ed. 680 (1949)). The statutory provision must contain a "clear indication of an extraterritorial application"; otherwise, "it has none." Morrison, 561 U.S. at 255, 130 S.Ct. 2869; see also RJR Nabisco, 579 U.S. at ___, 136 S.Ct. 2090.
Following the approach set forth in Morrison, our inquiry proceeds in two parts. We first determine whether the relevant statutory provisions contemplate extraterritorial application. Id. at 261-65, 130 S.Ct. 2869. If we conclude that they do not, by identifying the statute's focus and looking at the facts presented through that prism, we then assess whether the challenged application is "extraterritorial" and therefore outside the statutory bounds. Id. at 266-70, 130 S.Ct. 2869.
C. Whether the SCA's Warrant Provisions Contemplate Extraterritorial Application
We dispose of the first question with relative ease. The government conceded at oral argument that the warrant provisions of the SCA do not contemplate or permit extraterritorial application.
1. Plain Meaning of the SCA
As observed above, the SCA permits the government to require service providers to produce the contents of certain priority stored communications "only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction." 18 U.S.C. § 2703(a), (b)(1)(a). The provisions in § 2703 that permit a service provider's disclosure in response to a duly obtained warrant do not mention any extraterritorial application, and the government points to no provision that even implicitly alludes to any such application. No relevant definition provided by either Title I or Title II of ECPA, see 18 U.S.C. §§ 2510, 2711, suggests that Congress envisioned any extraterritorial use for the statute.
When Congress intends a law to apply extraterritorially, it gives an "affirmative indication" of that intent. Morrison, 561 U.S. at 265, 130 S.Ct. 2869. It did so, for example, in the statutes at issue in Weiss v. National Westminster Bank PLC, 768 F.3d 202, 207 & n. 5 (2d Cir. 2014) (concluding that definition of "international terrorism" within 18 U.S.C. § 2331(1) covers extraterritorial conduct because Congress referred to acts that "occur primarily outside the territorial jurisdiction of the United States") and United States v. Weingarten, 632 F.3d 60, 65 (2d Cir. 2011) (concluding that 18 U.S.C. § 2423(b) applies to extraterritorial conduct because it criminalizes "travel in foreign commerce undertaken with the intent to commit sexual acts with minors" that would violate United States law had the acts occurred in the jurisdiction of the United States). We see no such indication in the SCA.
We emphasize further that under § 2703, any "court of competent jurisdiction" — defined in § 2711(3)(B) to include "a court of general criminal jurisdiction of a State authorized by the law of that State to issue search warrants" — may issue an SCA warrant. Section 2703(a) refers directly to the use of State warrant procedures as an adequate basis for issuance of an SCA warrant. 18 U.S.C. § 2703(a). We think it particularly unlikely that, if Congress intended SCA warrants to apply extraterritorially, it would provide for such far-reaching state court authority without at least "address[ing] the subject of conflicts with foreign laws and procedures." Aramco, 499 U.S. at 256, 111 S.Ct. 1227; see also American Ins. Ass'n v. Garamendi, 539 U.S. 396, 413, 123 S.Ct. 2374, 156 L.Ed.2d 376 (2003) (describing as beyond dispute the notion that "state power that touches on foreign relations must yield to the National Government's policy").
The government asserts that "[n]othing in the SCA's text, structure, purpose, or legislative history indicates that compelled production of records is limited to those stored domestically." Gov't Br. at 26 (formatting altered and emphasis added). It emphasizes the requirement placed on a service provider to disclose customers' data, and the absence of any territorial reference restricting that obligation. We find this argument unpersuasive: It stands the presumption against extraterritoriality on its head. It further reads into the Act an extraterritorial awareness and intention that strike us as anachronistic, and for which we see, and the government points to, no textual or documentary support.
2. The SCA's Use of the Term of Art "Warrant"
Congress's use of the term of art "warrant" also emphasizes the domestic boundaries of the Act in these circumstances.
In construing statutes, we interpret a legal term of art in accordance with the term's traditional legal meaning, unless the statute contains a persuasive indication that Congress intended otherwise. See F.A.A. v. Cooper, ___ U.S. ___, 132 S.Ct. 1441, 1449, 182 L.Ed.2d 497 (2012) ("[W]hen Congress employs a term of art, `it presumably knows and adopts the cluster of ideas that were attached to each borrowed word in the body of learning from which it was taken.'") (quoting Molzof v. United States, 502 U.S. 301, 307, 112 S.Ct. 711, 116 L.Ed.2d 731 (1992)). "Warrant" is such a term of art.
The term is endowed with a legal lineage that is centuries old. The importance of the warrant as an instrument by which the power of government is exercised and constrained is reflected by its prominent appearance in the Fourth Amendment to the United States Constitution:
U.S. Const. amend. IV. It is often observed that "[t]he chief evil that prompted the framing and adoption of the Fourth Amendment was the indiscriminate searches and seizures conducted by the British under the authority of general warrants." United States v. Galpin, 720 F.3d 436, 445 (2d Cir. 2013) (internal quotation marks omitted). Warrants issued in accordance with the Fourth Amendment thus identify discrete objects and places, and restrict the government's ability to act beyond the warrant's purview — of particular note here, outside of the place identified, which must be described in the document. Id. at 445-46.
As the term is used in the Constitution, a warrant is traditionally moored to privacy concepts applied within the territory of the United States: "What we know of the history of the drafting of the Fourth Amendment ... suggests that its purpose was to restrict searches and seizures which might be conducted by the United States in domestic matters." In re Terrorist Bombings of U.S. Embassies in East Africa, 552 F.3d 157, 169 (2d Cir. 2008) (alteration omitted and ellipses in original) (quoting United States v. Verdugo-Urquidez, 494 U.S. 259, 266, 110 S.Ct. 1056, 108 L.Ed.2d 222 (1990)). Indeed, "if U.S. judicial officers were to issue search warrants intended to have extraterritorial effect, such warrants would have dubious legal significance, if any, in a foreign nation." Id. at 171. Accordingly, a warrant protects privacy in a distinctly territorial way.
The magistrate judge took a different view of the legislative history of certain amendments to the SCA. He took special notice of certain legislative history related to the 2001 amendment to the warrant provisions enacted in the USA PATRIOT ACT. A House committee report explained that "[c]urrently, Federal Rules [sic] of Criminal Procedure 41 requires that the `warrant' be obtained `within the district' where the property is located. An investigator, for example, located in Boston ... might have to seek a suspect's electronic e-mail from an Internet service provider (ISP) account located in California." In re Warrant, 15 F.Supp.3d at 473 (quoting H.R. Rep. 107-236(I), at 57 (2001)). The magistrate judge reasoned that this statement equated the location of property with the location of the service provider, and not with the location of any server. Id. at 474.
But this excerpt says nothing about the need to cross international boundaries; rather, while noting the "cross-jurisdictional nature of the Internet," it discusses only amendments to Rule 41 that allow magistrate judges "within the district" to issue warrants to be executed in other "districts" — not overseas. Id. at 473 (quoting H.R. Rep. 107-236(I), at 58). Furthermore, the Committee discussion reflects no expectation that the material to be searched and seized would be located any place other than where the service provider is located. Thus, the Committee's hypothetical focuses on a situation in which an investigator in Boston might seek e-mail from "an Internet service provider (ISP) account located in California." To our reading, the Report presumes that the service provider is located where the account is — within the United States.
3. Relevance of Law on "Subpoenas"
We reject the approach, urged by the government and endorsed by the District Court, that would treat the SCA warrant as equivalent to a subpoena. The District Court characterized an SCA warrant as a "hybrid" between a traditional warrant and a subpoena because — generally unlike a warrant — it is executed by a service provider rather than a government law enforcement agent, and because it does not require the presence of an agent during its execution. Id. at 471; 18 U.S.C. § 2703(a)-(c), (g). As flagged earlier, the subpoena-warrant distinction is significant here because, unlike warrants, subpoenas may require the production of communications stored overseas. 15 F.Supp.3d at 472 (citing Marc Rich, 707 F.2d at 667).
Warrants and subpoenas are, and have long been, distinct legal instruments.
Furthermore, contrary to the Government's assertion, the law of warrants has long contemplated that a private party may be required to participate in the lawful search or seizure of items belonging to the target of an investigation. When the government compels a private party to assist it in conducting a search or seizure, the private party becomes an agent of the government, and the Fourth Amendment's warrant clause applies in full force to the private party's actions. See Coolidge v. New Hampshire, 403 U.S. 443, 487, 91 S.Ct. 2022, 29 L.Ed.2d 564 (1971); Gambino v. United States, 275 U.S. 310, 316-17, 48 S.Ct. 137, 72 L.Ed. 293 (1927); see also Cassidy v. Chertoff, 471 F.3d 67, 74 (2d Cir. 2006). The SCA's warrant provisions fit comfortably within this scheme by requiring a warrant for the content of stored communications even when the warrant commands a service provider, rather than a law enforcement officer, to access the communications. 18 U.S.C. § 2703(a), (b)(1)(A), (g). Use of this mechanism does not signal that, notwithstanding its use of the term "warrant," Congress intended the SCA warrant procedure to function like a traditional subpoena. We see no reason to
The government nonetheless urges that the law of subpoenas relied on by the magistrate judge requires a subpoena's recipient to produce documents no matter where located, and that this aspect of subpoena law should be imported into the SCA's warrant provisions. The government argues that "subpoenas, orders, and warrants are equally empowered to obtain records... through a disclosure requirement directed at a service provider." Gov't Br. at 18-19. It further argues that disclosure in response to an SCA warrant should not be read to reach only U.S.-located documents, but rather all records available to the recipient. Id. at 26-27.
In this, the government rests on our 1983 decision in Marc Rich. There, we permitted a grand jury subpoena issued in a tax evasion investigation to reach the overseas business records of a defendant Swiss commodities trading corporation. The Marc Rich Court clarified that a defendant subject to the personal jurisdiction of a subpoena-issuing grand jury could not "resist the production of [subpoenaed] documents on the ground that the documents are located abroad." 707 F.2d at 667. The federal court had subject-matter jurisdiction over the foreign defendant's actions pursuant to the "territorial principle," which allows governments to punish an individual for acts outside their boundaries when those acts are "intended to produce and do produce detrimental effects within it." Id. at 666. In investigating such a case, the Court concluded, the grand jury necessarily had authority to obtain evidence related to the foreign conduct, even when that evidence was located abroad. Id. at 667. For that reason, as long as the Swiss corporation was subject to the grand jury's personal jurisdiction — which the Court concluded was the case — the corporation was bound by its subpoena. Id. Thus, in Marc Rich, a subpoena could reach documents located abroad when the subpoenaed foreign defendant was being compelled to turn over its own records regarding potential illegal conduct, the effects of which were felt in the United States.
Contrary to the government's assertion, neither Marc Rich nor the statute gives any firm basis for importing law developed in the subpoena context into the SCA's warrant provisions. Microsoft convincingly observes that our Court has never upheld the use of a subpoena to compel a recipient to produce an item under its control and located overseas when the recipient is merely a caretaker for another individual or entity and that individual, not the subpoena recipient, has a protectable privacy interest in the item.
The government also cites, and the District Court relied on, a series of cases in which banks have been required to comply with subpoenas or discovery orders requiring disclosure of their overseas records, notwithstanding the possibility that compliance would conflict with their obligations under foreign law.
We therefore conclude that Congress did not intend the SCA's warrant provisions to apply extraterritorially.
D. Discerning the "Focus" of the SCA
This conclusion does not resolve the merits of this appeal, however, because "it is a rare case of prohibited extraterritorial application that lacks all contact with the territory of the United States." Morrison, 561 U.S. at 266, 130 S.Ct. 2869. When we find that a law does not contemplate or permit extraterritorial application, we generally must then determine whether the case at issue involves such a prohibited application. Id at 266-67, 130 S.Ct. 2869. As we recently observed in Mastafa v. Chevron Corp., "An evaluation of the presumption's application to a particular case is essentially an inquiry into whether the domestic contacts are sufficient to avoid triggering the presumption at all." 770 F.3d 170, 182 (2d Cir. 2014).
In making this second-stage determination, we first look to the "territorial events or relationships" that are the "focus" of the relevant statutory provision. Id. at 183 (alterations and internal quotation marks omitted). If the domestic contacts presented by the case fall within the "focus" of the statutory provision or are "the objects of the statute's solicitude," then the application of the provision is not unlawfully extraterritorial. Morrison, 561 U.S. at 267, 130 S.Ct. 2869. If the domestic contacts are merely secondary, however, to the statutory "focus," then the provision's application to the case is extraterritorial and precluded.
1. The SCA's Warrant Provisions
The reader will recall the SCA's provisions regarding the production of electronic communication content: In sum, for priority stored communications, "a governmental entity may require the disclosure... of the contents of a wire or electronic communication ... only pursuant to a warrant issued using the rules described in the Federal Rules of Criminal Procedure," except (in certain cases) if notice is given to the user. 18 U.S.C. § 2703(a), (b).
In our view, the most natural reading of this language in the context of the Act suggests a legislative focus on the privacy of stored communications. Warrants under § 2703 must issue under the Federal Rules of Criminal Procedure, whose Rule 41 is undergirded by the Constitution's protections of citizens' privacy against unlawful searches and seizures. And more generally, § 2703's warrant language appears in a statute entitled the Electronic Communications Privacy Act, suggesting privacy as a key concern.
The overall effect is the embodiment of an expectation of privacy in those communications, notwithstanding the role of service providers in their transmission and storage, and the imposition of procedural restrictions on the government's (and other third party) access to priority stored communications. The circumstances in which the communications have been stored serve as a proxy for the intensity of the user's privacy interests, dictating the stringency of the procedural protection they receive — in particular whether the Act's warrant provisions, subpoena provisions, or its § 2703(d) court order provisions govern a disclosure desired by the government. Accordingly, we think it fair to conclude based on the plain meaning of the text that the privacy of the stored communications is the "object of the statute's solicitude," and the focus of its provisions. Morrison, 561 U.S. at 267, 130 S.Ct. 2869.
2. Other Aspects of the Statute
In addition to the text's plain meaning, other aspects of the statute confirm its focus on privacy.
As we have noted, the first three sections of the SCA contain its major substantive provisions. These sections recognize that users of electronic communications and remote computing services hold a privacy interest in their stored electronic communications. In particular, § 2701(a) makes it unlawful to "intentionally access without authorization," or "intentionally exceed an authorization to access," a "facility through which an electronic communication
Section 2702 generally prohibits providers from "knowingly divulg[ing]" the "contents" of a communication that is in electronic storage subject to certain enumerated exceptions. 18 U.S.C. § 2702(a). Sections 2701 and 2702 are linked by their parallel protections for communications that are in electronic storage. Section 2703 governs the circumstances in which information associated with stored communications may be disclosed to the government, creating the elaborate hierarchy of privacy protections that we have described.
From this statutory framework we find further reason to conclude that the SCA's focus lies primarily on the need to protect users' privacy interests. The primary obligations created by the SCA protect the electronic communications. Disclosure is permitted only as an exception to those primary obligations and is subject to conditions imposed in § 2703. Had the Act instead created, for example, a rebuttable presumption of law enforcement access to content premised on a minimal showing of legitimate interest, the government's argument that the Act's focus is on aiding law enforcement and disclosure would be stronger. Cf. Morrison, 561 U.S. at 267, 130 S.Ct. 2869. But this is not what the Act does.
The SCA's procedural provisions further support our conclusion that the Act focuses on user privacy. As noted above, the SCA expressly adopts the procedures set forth in the Federal Rules of Criminal Procedure. 18 U.S.C. § 2703(a), (b)(1)(A). Rule 41, which governs the issuance of warrants, reflects the historical understanding of a warrant as an instrument protective of the citizenry's privacy. See Fed. R. Crim. P. 41. Further, the Act provides criminal penalties for breaches of those privacy interests and creates civil remedies for individuals aggrieved by a breach of their privacy that violates the Act. See 18 U.S.C. §§ 2701, 2707. These all buttress our sense of the Act's focus.
We find unpersuasive the government's argument, alluded to above, that the SCA's warrant provisions must be read to focus on "disclosure" rather than privacy because the SCA permits the government to obtain by mere subpoena the content of e-mails that have been held in ECS storage for more than 180 days. Gov't Br. at 28-29; see 18 U.S.C. § 2703(a). In this vein, the government submits that reading the SCA's warrant provisions to focus on the privacy of stored communications instead of disclosure would anomalously place newer e-mail content stored on foreign servers "beyond the reach of the statute entirely," while older e-mail content stored on foreign servers could be obtained simply by subpoena, if notice is given to the user. Gov't Br. at 29. This argument assumes, however, that a subpoena issued to Microsoft under the SCA's subpoena provisions would reach a user's e-mail content stored on foreign servers. Although our Court's precedent regarding the foreign reach of subpoenas (and Marc Rich in particular) might suggest this result, the protections rightly accorded user content in the face of
In light of the plain meaning of the statutory language and the characteristics of other aspects of the statute, we conclude that its privacy focus is unmistakable.
3. Legislative History
We consult the Act's legislative history to test our conclusion.
In enacting the SCA, Congress expressed a concern that developments in technology could erode the privacy interest that Americans traditionally enjoyed in their records and communications. See S. Rep. No. 99-541, at 3 ("With the advent of computerized recordkeeping systems, Americans have lost the ability to lock away a great deal of personal and business information."); H.R. Rep. No. 99-647, at 19 (1986) ("[M]ost important, if Congress does not act to protect the privacy of our citizens, we may see the gradual erosion of a precious right."). In particular, Congress noted that the actions of private parties were largely unregulated when it came to maintaining the privacy of stored electronic communications. See S. Rep. No. 99-541, at 3; H.R. Rep. No. 99-647, at 18. And Congress observed further that recent Supreme Court precedent called into question the breadth of the protection to which electronic records and communications might be entitled under the Fourth Amendment. See S. Rep. No. 99-541, at 3 (citing United States v. Miller, 425 U.S. 435, 96 S.Ct. 1619, 48 L.Ed.2d 71 (1976), for proposition that because records and private correspondence in computing context are "subject to control by a third party computer operator, the information may be subject to no constitutional privacy protection"); H.R. Rep. No. 99-647, at 23 (citing Miller for proposition that "under current law a subscriber or customer probably has very limited rights to assert in connection with the disclosure of records held or maintained by remote computing services").
Accordingly, Congress set out to erect a set of statutory protections for stored electronic communications. See S. Rep. No. 99-541, at 3; H.R. Rep. No. 99-647, at 19. In regard to governmental access, Congress sought to ensure that the protections traditionally afforded by the Fourth Amendment extended to the electronic forum. See H.R. Rep. No. 99-647, at 19 ("Additional legal protection is necessary to ensure the continued vitality of the Fourth Amendment."). It therefore modeled § 2703 after its understanding of the scope of the Fourth Amendment. As the House Judiciary Committee explained in its report, it appeared likely to the Committee that "the courts would find that the parties to an e-mail transmission have a `reasonable expectation of privacy' and that a warrant of some kind is required." Id. at 22.
We believe this legislative history tends to confirm our view that the Act's privacy provisions were its impetus and focus. Although Congress did not overlook law enforcement needs in formulating the statute, neither were those needs the primary motivator for the enactment. See S. Rep. No. 99-541, at 3 (in drafting SCA, Senate Judiciary Committee sought "to protect privacy interests in personal and proprietary information, while protecting the Government's legitimate law enforcement needs").
E. Extraterritoriality of the Warrant
Having thus determined that the Act focuses on user privacy, we have little trouble concluding that execution of the Warrant would constitute an unlawful extraterritorial application of the Act. See Morrison, 561 U.S. at 266-67, 130 S.Ct. 2869; RJR Nabisco, 579 U.S. at ___, 136 S.Ct. 2090.
The information sought in this case is the content of the electronic communications of a Microsoft customer. The content to be seized is stored in Dublin. J.A. at 38. The record is silent regarding the citizenship and location of the customer. Although the Act's focus on the customer's privacy might suggest that the customer's actual location or citizenship would be important to the extraterritoriality analysis, it is our view that the invasion of the customer's privacy takes place under the SCA where the customer's protected content is accessed — here, where it is seized by Microsoft, acting as an agent of the government.
The magistrate judge suggested that the proposed execution of the Warrant is not extraterritorial because "an SCA Warrant does not criminalize conduct taking place in a foreign country; it does not involve the deployment of American law enforcement personnel abroad; it does not require even the physical presence of service provider employees at the location where data are stored.... [I]t places obligations only on the service provider to act within the United States." In re Warrant, 15 F.Supp.3d at 475-76. We disagree. First, his narrative affords inadequate weight to the facts that the data is stored in Dublin, that Microsoft will necessarily interact with the Dublin datacenter in order to retrieve the information for the government's benefit, and that the data lies within the jurisdiction of a foreign sovereign. Second, the magistrate judge's observations overlook the SCA's formal recognition of the special role of the service provider vis-à-vis the content that its customers entrust to it. In that respect, Microsoft is unlike the defendant in Marc Rich and other subpoena
The government voices concerns that, as the magistrate judge found, preventing SCA warrants from reaching data stored abroad would place a "substantial" burden on the government and would "seriously impede" law enforcement efforts. Id. at 474. The magistrate judge noted the ease with which a wrongdoer can mislead a service provider that has overseas storage facilities into storing content outside the United States. He further noted that the current process for obtaining foreign-stored data is cumbersome. That process is governed by a series of Mutual Legal Assistance Treaties ("MLATs") between the United States and other countries, which allow signatory states to request one another's assistance with ongoing criminal investigations, including issuance and execution of search warrants. See U.S. Dep't of State, 7 Foreign Affairs Manual (FAM) § 962.1 (2013), available at fam.state.gov/FAM/07FAM/07FAM0960.html (last visited May 12, 2016) (discussing and listing MLATs).
These practical considerations cannot, however, overcome the powerful clues in the text of the statute, its other aspects, legislative history, and use of the term of art "warrant," all of which lead us to conclude that an SCA warrant may reach only data stored within United States boundaries. Our conclusion today also serves the interests of comity that, as the MLAT process reflects, ordinarily govern the conduct of cross-boundary criminal investigations. Admittedly, we cannot be certain of the scope of the obligations that the laws of a foreign sovereign — and in particular, here, of Ireland or the E.U. — place on a service provider storing digital data or otherwise conducting business within its territory. But we find it difficult to dismiss those interests out of hand on the theory that the foreign sovereign's interests are unaffected when a United States judge issues an order requiring a service provider to "collect" from servers located overseas and "import" into the United States data, possibly belonging to a foreign citizen, simply because the service provider has a base of operations within the United States.
Thus, to enforce the Warrant, insofar as it directs Microsoft to seize the contents of its customer's communications stored in Ireland, constitutes an unlawful extraterritorial application of the Act.
We conclude that Congress did not intend the SCA's warrant provisions to apply extraterritorially. The focus of those provisions is protection of a user's privacy interests. Accordingly, the SCA does not authorize a U.S. court to issue and enforce an SCA warrant against a United States-based service provider for the contents of a customer's electronic communications stored on servers located outside the United States. The SCA warrant in this case may not lawfully be used to compel Microsoft to produce to the government the contents of a customer's e-mail account stored exclusively in Ireland. Because Microsoft has otherwise complied with the Warrant, it has no remaining lawful obligation to produce materials to the government.
GERARD E. LYNCH, Circuit Judge, concurring in the judgment:
I am in general agreement with the Court's conclusion that, in light of the presumption against extraterritorial application of congressional enactments, the Stored Communications Act ("SCA" or the "Act") should not, on the record made by the government below, be construed to require Microsoft to turn over records of the content of emails stored on servers in Ireland. I write separately to clarify what, in my view, is at stake and not at stake in this case; to explain why I believe that the government's arguments are stronger than the Court's opinion acknowledges; and to emphasize the need for congressional action to revise a badly outdated statute.
An undercurrent running through Microsoft's and several of its amici's briefing is the suggestion that this case involves a government threat to individual privacy. I do not believe that that is a fair characterization of the stakes in this dispute. To uphold the warrant here would not undermine basic values of privacy as defined in the Fourth Amendment and in the libertarian traditions of this country.
As the majority correctly points out, the SCA presents a tiered set of requirements for government access to electronic communications and information relating to them. Although Congress adopted the Act in order to provide some privacy protections to such communications, see H.R. Rep. No. 99-647, at 21-23 (1986); S. Rep. No. 99-541, at 3 (1986), those requirements are in many ways less protective of privacy than many might think appropriate. See, e.g., United States v. Warshak, 631 F.3d 266, 288 (6th Cir. 2010) (holding that the SCA violates the Fourth Amendment to the extent that it allows government agents to obtain the contents of emails without a warrant);
That point bears significant emphasis. In this case, the government proved to the satisfaction of a judge that a reasonable person would believe that the records sought contained evidence of a crime. That is the showing that the framers of our Bill of Rights believed was sufficient to support the issuance of search warrants. U.S. Const. amend. IV ("[N]o Warrants shall issue, but upon probable cause...."). In other words, in the ordinary domestic law enforcement context, if the government had made an equivalent showing that evidence of a crime could be found in a citizen's home, that showing would permit a judge to authorize law enforcement agents to forcibly enter that home and search every area of the home to locate the evidence in question, and even (if documentary or electronic evidence was sought) to rummage through file cabinets and to seize and examine the hard drives of computers or other electronic devices. That is because the Constitution protects "[t]he right of the people to be secure in their persons, houses, papers and effects" not absolutely, but only "against unreasonable searches and seizures," id. (emphasis added), and strikes the balance between the protection of privacy and the needs of law enforcement by requiring, in most cases, a warrant supported by a judicial finding of probable cause before the most intrusive of searches can take place. See, e.g., Riley v. California, ___ U.S. ___, 134 S.Ct. 2473, 2482, 189 L.Ed.2d 430 (2014).
Congress, of course, is free to impose even stricter requirements on specific types of searches — and it has occasionally done so, for example in connection with the real-time interception of communications (as in wiretapping and electronic eavesdropping). See 18 U.S.C. § 2518(3)(a) (permitting the approval of wiretap applications only in connection with investigations of certain enumerated crimes); id. § 2518(3)(c) (requiring that a judge find that "normal investigative procedures have been tried and have failed or reasonably appear to be unlikely to succeed if tried or to be too dangerous" before a wiretap application can be approved). But it has not done so for permitting government access to any category of stored electronic communications, and Microsoft does not challenge the constitutional adequacy of the protections provided by the Act to those communications. Put another way, Microsoft does not argue here that, if the emails sought by the government were stored on a server at its headquarters in Redmond, Washington, there would be any constitutional obstacle to the government's acquiring them by the same means that it used in this case. Indeed, as explained above, the showing made by the government would support a warrant that permitted agents to forcibly enter those headquarters and seize the server itself.
I emphasize these points to clarify that Microsoft's argument is not that the government does not have sufficiently solid information, and sufficiently important interests, to justify invading the privacy of the customer whose emails are sought and acquiring records of the contents of those emails. Microsoft does not ask the Court to
That discretion raises another point about privacy. Under Microsoft's and the Court's interpretation of the SCA, the privacy of Microsoft's customers' emails is dependent not on the traditional constitutional safeguard of private communications — judicial oversight of the government's conduct of criminal investigations — but rather on the business decisions of a private corporation. The contract between Microsoft and its customers does not limit the company's freedom to store its customers' emails wherever it chooses, and if Microsoft chooses, for whatever reasons of profit or cost control, to repatriate the emails at issue here to a server in United States, there will be no obstacle to the government's obtaining them. As the Court points out, Microsoft does in fact choose to locate the records of anyone who says that he or she resides in the United States on domestic servers. It is only foreign customers, and those Americans who say that they reside abroad, who gain any enhanced protection from the Court's holding. And that protection is not merely enhanced, it is absolute: the government can never obtain a warrant that would require Microsoft to turn over those emails, however certain it may be that they contain evidence of criminal activity, and even if that criminal activity is a terrorist plot.
Reasonable people might conclude that extremely stringent safeguards ought to apply to government investigators' acquisition of the contents of private email communications, and that the provisions of the SCA, as applied domestically, should be enhanced to provide even greater privacy, at an even higher cost to criminal investigations. Other reasonable people might conclude that, at least in some cases, investigators should have freer access to stored communications. It is the traditional task of Congress, in enacting legislation, and of the courts, in interpreting the Fourth Amendment, to strike a balance between privacy interests and law enforcement needs. But neither privacy interests nor the needs of law enforcement vary depending on whether a private company chooses to store records here or abroad — particularly when the "records" are electronic zeros and ones that can be moved around the world in seconds, and will be so moved whenever it suits the convenience or commercial purposes of the company. The issue facing the Court, then, is not actually about the need to enhance privacy protections for information that Americans choose to store in the "cloud."
In emphasizing the foregoing, I do not for a moment mean to suggest that this
The courts have a significant role in the protection of privacy, because the Constitution sets limits on what even the elected representatives of the people can authorize when it comes to searches and seizures. Specifically, the courts have an independent responsibility to interpret the Fourth Amendment, an explicit check on Congress's power to authorize unreasonable searches. What searches are unreasonable is of course a difficult question, particularly when courts are assessing statutory authorizations of novel types of searches to deal with novel types of threat. In that context, courts need to be especially cautious, and respectful of the judgments of Congress. See, e.g., ACLU v. Clapper, 785 F.3d 787, 824-25 (2d Cir. 2015). But it is ultimately the courts' responsibility to ensure that constitutional restraints on searches and seizures are respected.
Whether American law applies to conduct occurring abroad is a different type of question. That too is sometimes a difficult question. It will often be tempting to attempt to protect American interests by extending the reach of American law and undertaking to regulate conduct that occurs beyond our borders. But there are significant practical and policy limitations on the desirability of doing so. We live in a system of independent sovereign nations, in which other countries have their own ideas, sometimes at odds with ours, and their own legitimate interests. The attempt to apply U.S. law to conduct occurring abroad can cause tensions with those other countries, most easily appreciated if we consider the likely American reaction if France or Ireland or Saudi Arabia or Russia proclaimed its right to regulate conduct by Americans within our borders.
But the decision about whether and when to apply U.S. law to actions occurring abroad is a question that is left entirely to Congress. See Benz v. Compania Naviera Hidalgo, S.A., 353 U.S. 138, 147, 77 S.Ct. 699, 1 L.Ed.2d 709 (1957) (Congress "alone has the facilities necessary to make fairly [the] important policy decision" whether a statute applies extraterritorially). No provision of the Constitution limits Congress's power to apply its laws to Americans, or to foreigners, abroad, and Congress has on occasion done so, expressly or by clear implication. The courts' job is simply to do their best to understand what Congress intended. Where Congress has clearly indicated that a law applies extraterritorially, as for example in 18 U.S.C. § 2332(a), which prohibits the murder of U.S. citizens abroad, the courts apply the law as written. See RJR Nabisco, Inc. v. European Cmty., 579 U.S. ___, ___, 136 S.Ct. 2090, 195 L.Ed.2d 476 (2016). We do the same when a law clearly applies only domestically.
The latter situation is far more common, so common that it is the ordinary presumption. When Congress makes it a crime to "possess a controlled substance," 21 U.S.C. § 844(a), it does not say that it is a crime to possess dangerous or addictive drugs in the United States. It speaks absolutely, as if proclaiming a universal rule, but we understand that the law applies only here; it does not prohibit the possession of marijuana by a Dutchman, or even by an American, in the Netherlands. "Congress generally legislates with domestic
I have little trouble agreeing with my colleagues that the SCA does not have extraterritorial effect. As the Supreme Court recently made clear in RJR Nabisco, the presumption applies not only to statutes that straightforwardly regulate or criminalize conduct, but also to jurisdictional, procedural and remedial statutes. Id. at ___, 136 S.Ct. 2090; see also Loginovskaya v. Batratchenko, 764 F.3d 266, 272 (2d Cir. 2014) (rejecting the argument that the presumption "governs substantive (conduct-regulating) provisions rather than procedural provisions"). Moreover, RJR Nabisco also reemphasized that the relevant question is not whether we think Congress "would have wanted" the statute to apply extraterritorially had it foreseen the precise situation before us, but whether it made clear its intention to give the statute extraterritorial effect. RJR Nabisco, 579 U.S. at ___, 136 S.Ct. 2090. There is no indication whatsoever in the text or legislative history that Congress intended the Act to have application beyond our borders. It would be quite surprising if it had. The statute was adopted in the early days of what is now the internet, when Congress could hardly have foreseen that multinational companies providing digital services of all sorts would one day store vast volumes of communications and other materials for ordinary people and easily be able to move those materials across borders at lightning speed. See Majority Op. at 205-06.
The tricky part, in a world of transnational transactions taking place in multiple jurisdictions at once, is deciding whether a proposed application of a statute is domestic or extraterritorial. That determination can be complicated even for criminal acts when they touch on multiple jurisdictions, but the problem is particularly acute when we deal not with a simple effort to regulate behavior that — given the physical limitations of human bodies — can often be fixed to a specific location, but with statutes that operate in more complex fashions. If SCA warrants were traditional search warrants, permitting law enforcement agents to search a premises and seize physical objects, the extraterritoriality question would be relatively easy: a warrant authorizing a search of a building physically located in Ireland would plainly be an extraterritorial application of the statute (and it would be virtually inconceivable under ordinary notions of international law that Congress would ever attempt to authorize any such thing). But as the government points out, this case differs from that classic scenario with respect to both the nature of the legal instrument involved and the nature of the evidentiary material the government seeks.
First, the "warrant" required for the government to obtain the emails sought in this case does not appear to be a traditional search warrant. Significantly, the SCA does not describe the warrant as a search warrant. Nor does it contain language implying (let alone saying outright) that the warrant to which it refers authorizes government agents to go to the premises of a service provider without prior notice to the provider, search those premises until they find the computer, server or other device on which the sought communications reside, and seize that device (or duplicate and "seize" the relevant data it contains).
This difference is significant if we are looking to determine the "focus" of the SCA for purposes of determining whether a particular application of the statute is or is not extraterritorial. See Morrison v. Nat'l Australia Bank Ltd., 561 U.S. 247, 266-69, 130 S.Ct. 2869, 177 L.Ed.2d 535 (2010). A search warrant "particularly describing the place to be searched, and the persons or things to be seized," U.S. Const. amend. IV, is naturally seen as focused on the place to be searched; as explained above, if the government argued that a statute authorized a search of a place outside the United States, that would clearly be an extraterritorial application of the statute. Here, however, the SCA warrant provision does not purport to authorize any such thing. Just like the parallel subpoena and court order provisions, it simply authorizes the government to require
The nature of the records demanded is also relevantly different from that of the physical documents sought by traditional
Electronic "documents," however, are different. Their location on a computer server in a foreign country is, in important ways, merely virtual. See Orin S. Kerr, The Next Generation Communications Privacy Act, 162 U. Pa. L. Rev. 373, 408 (2014) (explaining that "the very idea of online data being located in a particular physical `place' is becoming rapidly outdated," because computer files can be fragmented and dispersed across many servers). Corporate employees in the United States can review those records, when responding to the "warrant" or subpoena or court order just as they can do in the ordinary course of business, and provide the relevant materials to the demanding government agency, without ever leaving their desks in the United States. The entire process of compliance takes place domestically.
The government's characterization of the warrant at issue as domestic, rather than extraterritorial, is thus far from frivolous, and renders this, for me, a very close case to the extent that the presumption against extraterritoriality shapes our interpretation of the statute. One additional potential fact heightens the complexity. We do not know, on this record, whether the customer whose emails were sought by the government is or is not a United States citizen or resident. It is not clear that whether the customer is a United States person or not matters to the rather simplistic "focus" test adopted by the Supreme Court in Morrison, although it would have mattered to the more flexible test utilized by the Second Circuit in that case. See Morrison v. Nat'l Australia Bank Ltd., 547 F.3d 167, 171 (2d Cir. 2008). But it seems to me that it should matter. The Supreme Court has rightly pointed out that the presumption against extraterritoriality is more than simply a means for avoiding conflict with foreign laws. See Morrison, 561 U.S. at 255, 130 S.Ct. 2869. At the same time, the presumption that Congress legislates with domestic concerns pre-eminent in its collective mind does not fully answer the question what those domestic concerns are in any given case. See id. at 266, 130 S.Ct. 2869. Particularly in connection with statutes that provide tools to law enforcement, one imagines that Congress is concerned with balancing liberty interests of various kinds against the need to enforce domestic law. Thus, when Congress authorizes the (American) government to obtain access to certain information, one might imagine that its focus is on balancing the liberty interests of Americans (and of other persons residing in the U.S.) against the need to enforce American laws. Congress might also reasonably be concerned about the diplomatic consequences of over-extending the reach of American law enforcement officials. This suggests a more complex balancing exercise than identifying a single "focus" of the legislation, the latter approach being better suited to determining whether given
Because Microsoft relies solely on customers' self-reporting in classifying customers by residence, and stores emails (but only for the most part, and only in the interests of efficiency and good customer service) on local servers — and because the government did not include in its warrant application such information, if any, as it had about the target of its investigation — we do not know the nationality of the customer. If he or she is Irish (as for all we know the customer is), the case might present a troubling prospect from an international perspective: the Irish government and the European Union would have a considerable grievance if the United States sought to obtain the emails of an Irish national, stored in Ireland, from an American company which had marketed its services to Irish customers in Ireland. The case looks rather different, however — at least to me, and I would hope to the people and officials of Ireland and the E.U. — if the American government is demanding from an American company emails of an American citizen resident in the U.S., which are accessible at the push of a button in Redmond, Washington, and which are stored on a server in Ireland only as a result of the American customer's misrepresenting his or her residence, for the purpose of facilitating domestic violations of American law, by exploiting a policy of the American company that exists solely for reasons of convenience and that could be changed, either in general or as applied to the particular customer, at the whim of the American company. Given that the extraterritoriality inquiry is essentially an effort to capture the congressional will, it seems to me that it would be remarkably formalistic to classify such a demand as an extraterritorial application of what is effectively the subpoena power of an American court.
These considerations give me considerable pause about treating SCA warrants as extraterritorial whenever the service provider from whom the government seeks to require production has chosen to store the communications on a server located outside the United States. Despite that hesitation, however, I conclude that my colleagues have ultimately reached the correct result. If we frame the question as whether Congress has demonstrated a clear intention to reach situations of this kind in enacting the Act, I think the better answer is that it has not, especially in the case (which could well be this one) of records stored at the behest of a foreign national on servers in his own country. The use of the word "warrant" may not compel the conclusion that Congress intended to reach only domestically-stored communications that could be reached by a conventional search warrant, because,
Despite ultimately agreeing with the result in this case, I dwell on the reasons for thinking it close because the policy concerns raised by the government are significant, and require the attention of Congress. I do not urge that Congress write the government's interpretation into the Act. That is a policy judgment on which my own views have no particular persuasive force. My point is simply that the main reason that both the majority and I decide this case against the government is that there is no evidence that Congress has ever weighed the costs and benefits of authorizing court orders of the sort at issue in this case. The SCA became law at a time when there was no reason to do so. But there is reason now, and it is up to Congress to decide whether the benefits of permitting subpoena-like orders of the kind issued here outweigh the costs of doing so.
Moreover, while I do not pretend to the expertise necessary to advocate a particular answer to that question, it does seem to me likely that a sensible answer will be more nuanced than the position advanced by either party to this case. As indicated above, I am skeptical of the conclusion that the mere location abroad of the server on which the service provider has chosen to store communications should be controlling, putting those communications beyond the reach of a purely "domestic" statute. That may be the default position to which a court must revert in the absence of guidance from Congress, but it is not likely to constitute the ideal balance of conflicting policy goals. Nor is it likely that the ideal balance would allow the government free rein to demand communications, wherever located, from any service provider, of whatever nationality, relating to any customer, whatever his or her citizenship or residence, whenever it can establish
Congress need not make an all-or-nothing choice. It is free to decide, for example, to set different rules for access to communications stored abroad depending on the nationality of the subscriber or of the corporate service provider. It could provide for access to such information only on a more demanding showing than probable cause, or only (as with wiretapping) where other means of investigation are inadequate, or only in connection with investigations into extremely serious crimes rather than in every law enforcement context. Or it could adopt other, more creative solutions that go beyond the possibilities evident to federal judges limited by their own experience and by the information provided by litigants in a particular case.
In addition, Congress need not limit itself to addressing the particular question raised by this case. The SCA was adopted in 1986, at a time when the kinds of services provided by "remote computing services" were not remotely as extensive and complex as those provided today, and when the economic and security concerns presented by such services were not remotely as important as they are now. More than a dozen years ago, a leading commentator was expressing the need to reform the Act. See Kerr, A User's Guide, supra, at 1233-42. It would seem to make sense to revisit, among other aspects of the statute, whether various distinctions, such as those between communications stored within the last 180 days and those that have been held longer, between electronic communication services and remote computing services, or between disclosures sought with or without notice to the customer, should be given the degree of significance that the Act accords them in determining the level of privacy protection it provides, or whether other factors should play some role in that determination.
Congress has, in the past, proven adept at adopting rules for adapting the basic requirements of the Fourth Amendment to new technologies. The wiretapping provisions of Title III of the Omnibus Crime Control and Safe Streets Act of 1968, 18 U.S.C. §§ 2510-22, for example, proved to be a remarkably stable and effective structure for dealing with the privacy and law enforcement issues raised by electronic
* * *
For these reasons, I concur in the result, but without any illusion that the result should even be regarded as a rational policy outcome, let alone celebrated as a milestone in protecting privacy.
Restatement of Foreign Relations Law (3d) § 442(1)(a) (1987). We are not persuaded. The predicate for the Restatement's conclusion is that the court ordering production of materials located outside the United States is "authorized by statute or rule of court" to do so. Whether such a statute — the SCA — can fairly be read to authorize the production sought is precisely the question before us.
Microsoft attempts to distinguish the cases cited above on the ground that the subpoenas in those cases required their recipients to disclose only the contents of their own business records, and not the records of a third party "held in trust" by the recipients. Appellant's Br. 48. "Email correspondance," Microsoft explains, is unlike bank records because it "is personal, even intimate," and "can contain the sum of an individual's private life." Id. at 44 (internal quotation marks omitted). Even assuming, however, that Microsoft accurately characterizes the cases it seeks to distinguish, but cf. In re Horowitz, 482 F.2d 72 (2d Cir. 1973) (partially upholding a subpoena requiring an accountant to produce the contents of three locked file cabinets belonging to a client), this privacy-based argument is, as explained above, a red herring. Microsoft does not dispute that the government could have required the disclosure of the emails at issue here if they were stored in the United States, and Microsoft's decision to store them abroad does not obviously entitle their owner to any higher degree of privacy protection.