By Leif Swedlow
Just over 20 years ago I wrote a law review note entitled “Three Paradigms of Presence” (22 Okla. City U.L. Rev. 337 (Spr. 1997) about how courts then (in the early 1990’s) were struggling with whether purely “online” conduct, usually in the form of maintaining a website, could be the basis, or not, of a court’s exercise of personal jurisdiction over a defendant. Some judges were leaning towards pinning online conduct to physical “real world” locations (leading to some absurd results), while others were content to declare “cyberspace” some sort of new frontier, apart from the boundaries of physical court districts (leading to equally confounding outcomes). Ultimately, the view that won out was the flexible middle ground of viewing the Internet as the “information superhighway” for conduct that could be said to touch multiple “real world” locations to varying degrees. This model meshed with the flexible test created by the trend-setting Zippo Manufacturing Co. v. Zippo Dot Com, Inc., 952 F. Supp. 1119 (W.D. Pa. 1997). The “Zippo test” began spreading steadily through the federal courts while my article was grinding through the law review editing process. With the question mostly settled, the two extremes posed in my article quickly faded away as courts learned to focus on whether online conduct was intended to be passively available to users coming to find it, or actively seeking to create jurisdictionally significant “contacts” in places far from the originator’s physical home or office. Now, 20 years on, a case moving through the federal courts has me thinking that perhaps the two extremes of either “anchoring” online material to real world places or treating it as being part of a “virtual world” are not dead -- at least, not yet.
The U.S. Supreme Court is presently being asked to review a Second Circuit decision involving Microsoft Corp. resisting a search warrant for email contents. In re: Search Warrant for Certain Email, Docket No. 14-2985 (Second Cir., July 14, 2016). Microsoft was served a warrant for a particular user’s emails, on suspicion of narcotics trafficking, under the venerable Stored Communications Act, 18 USC §2701 et seq. Microsoft resisted compliance on the grounds that parts of the actual emails were housed not in the USA, but on a bank of servers physically in Ireland. The arguments made on both sides seem similar to my extreme paradigms from two decades ago.
The government position so far has relied on warrant compliance cases that focus simply the recipient of the warrant. Under that rubric, because Microsoft is a U.S. corporation, it should expect to comply with a duly issued U.S. warrant for stored digital data – email, social media content, and the like – no matter where its servers and data storage equipment may be actually located. Microsoft, however, has been relying on cases that discuss the presumption against extraterritoriality – a rule for how the United States harmonizes its domestic laws with international law. In most cases, a United States law gets presumed to be effective only up to the physical borders of the nation, and not beyond. The Microsoft warrant case makes it difficult to consider either of these two positions to be the best way to view the facts. Diving into the details does not make it easier. Some of the data subject to the warrant was on storage physically in the U.S.A. Part of it was not. Microsoft proffered that it could not produce the emails in full without compiling the elements from both locations. So, where are these emails in comparison to the “real world”? And how much should that actually matter?
Round one (in the District Court) went the government’s way; round two (at the Second Circuit) was won by Microsoft. In June 2017, the government sought certiorari review and several Supreme Court followers expect it may be granted. I also believe this case is worth a certiorari grant and worth watching because both sides have taken extreme positions based on very narrow paradigms. I hope that if the case is reviewed, the Supremes will seek a dose of reality, similar to Justice Sotomayor’s treatment of GPS tracking devices in the 2012 U.S. v. Jones decision, which dealt with how much privacy a person expects concerning the data generated when they go places in their cars. The Microsoft email subscriber is located somewhere and probably has a perception about Microsoft being a U.S. company probably subject to U.S. search warrants. Chances are that the user about whom this warrant was issued has no idea exactly where his emails are being stored, or that they may be carved up into pieces and stashed in different physical storage places around the globe. It seems persuasive to assert that a company like Microsoft should not be permitted to rely on what seems like a technicality based on the physical location of some of its equipment. However, with European Union privacy laws getting more confining (see, http://www.eugdpr.org/), especially with regard to releasing data stored in Europe to other states, including the United States, expecting large data handlers like Microsoft, Google, Apple, etc., to entirely disregard the distributed nature of their users’ “cloud” data storage could also prove highly disruptive to the global Internet and data services industry.
Perhaps we need a fresh paradigm to avoid these collisions. My suggestion: consider the idea of “data citizenship” – digital information can migrate and be both actually copied into many places and then actually accessed from countless other places, yet it always retains a nexus to the people who created it. In international law, as in the classic Nottebohm case, (Liechtenstein v. Guatemala) 1955 ICJ 4, a person’s citizenship does not necessarily depend merely on his passport, but on his degree of connection to a place he can call home. Perhaps a similar test ought to apply to data as it moves and propagates in multiple storage locations around the world. Should data become exempt from the reach of U.S. law enforcement just because Microsoft deposits some of it in a mass storage facility in Ireland? Probably not. However, Microsoft is in a tricky spot because if it complies with the U.S. warrant, it may be breaking E.U. data privacy rules (or, if “Brexit” happens, UK privacy law). The converse may be equally distasteful. Irish internet users would likely not want their data subject to a U.S. court’s reach if, for example, a local Irish internet provider subcontracted a “cloud storage” service to a company that physically stores data in the USA. If such “cloud” data is imbued with an aspect of citizenship tied to its creators, results that make good sense ought to be possible. The data that happens to be physically on the Irish servers would not be “Irish” data, but would remain virtually tied to its U.S. origins. The U.S. criminal suspect’s emails could be produced because their “nexus” to Ireland would be nil, and they could be treated as “U.S.” emails.
Luckily, because this is a ‘blog post and editing is much faster than it was 20 years ago in law school, I can count on these thoughts being published before we all know how the courts will answer the question.
Download Blog in PDF Format
Posted on Wed, July 12, 2017
by Andrews Davis