An appeals court just sent the American Justice Department a clear message about its ability to reach beyond US borders to collect data with a search warrant: Keep your hands to yourself.
In Thursday’s landmark ruling, a panel of Second Circuit judges decided that Microsoft can’t be forced to turn over the email communications of a criminal suspect in a drug investigation whose emails were stored at Microsoft’s data center in Dublin, Ireland. The judge’s decision states that under the Stored Communications Act, a search warrant sent to Microsoft can’t be applied internationally. That decision overturns a New York court’s ruling and sets a new precedent that limits American prosecutors’ ability to pull foreign communications data out of data centers beyond US borders—even when the company itself is headquartered in the US.
“We conclude that Congress did not intend the [Stored Communications Act’s] warrant provisions to apply extraterritorially,” the judges wrote in their decision. “The SCA warrant in this case may not lawfully be used to compel Microsoft to produce to the government the contents of a customer’s e‐mail account stored exclusively in Ireland.”
This is a big win for privacy. It circumscribes the US government’s power abroad. EFF attorney Nate Cardozo
This settles a long-running ambiguity in how US law should handle search warrants when data is increasingly scattered in storage centers around the world. And it could represent a new privacy assurance for foreigners under investigation by American authorities and even for Americans whose data ends up in foreign data centers. “This is a big win for privacy,” says Nate Cardozo, an attorney with the Electronic Frontier Foundation. “It circumscribes the US government’s power abroad. It reiterates the rule that US law doesn’t apply outside the US …[And] it keeps foreigners’ data secure from the US government, which has shown again and again that it’s willing to overstep reasonable bounds on its power.”
In a statement, Microsoft celebrated the ruling as a global win for civil liberties. “This decision provides a major victory for the protection of people’s privacy rights under their own laws rather than the reach of foreign governments,” the company’s chief legal officer Brad Smith wrote in a statement. “As a global company we’ve long recognized that if people around the world are to trust the technology they use, they need to have confidence that their personal information will be protected by the laws of their own country.”
The ruling comes in a case that stretches back to 2013, when Microsoft refused to comply with a warrant for a criminal suspect’s Outlook.com emails stored outside the US. Prosecutors accused Microsoft of contempt of court, but never publicly named their suspect. In just the last month, however, the Times of London reported that the suspect is 28-year-old Gary Davis, an Irish man suspected of being an administrator of the dark web drug marketplace known as the Silk Road.