Microsoft argued before the Supreme Court Tuesday that it should be Congress, not the courts, that decides a major issue regarding law enforcement access to data stored overseas.
The court heard arguments in United States v. Microsoft Corp., a case that will decide whether a digital communications provider has to comply with a U.S. search warrant for user data if the information being sought is stored outside of the country.
Microsoft argues that laws have not caught up to modern computing infrastructure and it should not hand over data stored internationally. The Justice Department argues that refusing to turn over easily accessible data impedes criminal investigations. DOJ attorney Michael Dreeben said law enforcement has not heard complaints from its international partners regarding cross-border data grabbing.
“These are all questions that only Congress can answer,” Josh Rosenkranz, the attorney for Microsoft, said in his closing argument. “If you try to tinker with this without the tools that only Congress has, you’re as likely to break the cloud as you are to fix it.”
The law the DOJ is relying on in this case, the Stored Communications Act of 1986, is too old and outdated to apply to modern internet infrastructure or cloud computing, Microsoft has argued.
Justices Ruth Bader Ginsberg and Sonia Sotomayor asked Dreeben why the court should rule on this case when Congress is considering passing legislation that would render the issue moot.
A bipartisan group of senators this month introduced the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which would let countries and the U.S. enter into agreements for cross-border access to digital information, so long as the partner countries meet certain privacy and human rights standards.
Microsoft, Facebook, Google and Apple support this legislation.
White House cybersecurity coordinator Rob Joyce said in a tweet on Tuesday that he agrees with Microsoft. “We are looking for Congress to move on the Cloud act, which resolves these issues and is supported by leading tech firms,” he wrote.
However, some experts worry this type of law could infringe on state sovereignty for countries that do not have a bilateral agreement with the U.S.
“If India or Brazil or huge countries don’t meet the standards, we’re telling them our internet companies can go there and make lots of money, but [the law will] stand in the way with their compliance to law enforcement requests in those countries,” said Andrew Keane Woods, an assistant professor of law at the University of Kentucky. “That is a huge affront to those countries’ sovereignty.”
On Tuesday, Dreeben argued that it’s not feasible for the courts to wait for Congress to act. The CLOUD Act is still in the early stages of the legislative process.
This case began back in 2013. Prosecutors served Microsoft a warrant in Redmond, Washington, for emails and information associated with an account involved in a criminal investigation. Microsoft turned over data stored on its U.S servers, but some information was stored on a server in Ireland, but refused to hand over information that was stored on a server in Ireland.
A lower court judge initially approved the warrant, but a three-judge panel for the U.S. Court of Appeals for the Second Circuit ruled in Microsoft’s favor and overturned that judge.
Some of the justices on Tuesday spent time asking about the actual process involved in pulling information from an overseas data center. Microsoft argues data physically stored in another country falls outside of the DOJ’s jurisdiction, even if an employee in the U.S. is the one getting the data. Rosenkranz said Microsoft employees in the U.S. can access data stored in overseas servers, but it’s not as simple as pressing a button.
“If you sent a robot into a foreign land to seize evidence, it would certainly implicate foreign interests,” Rosenkranz said.
The decision could have major consequences for digital privacy and international data sharing.
Privacy advocates argue that if the U.S. can use a warrant to seize data held overseas, other countries will use their own laws to access data stored in the U.S. Microsoft has previously warned that allowing governments to access foreign-stored data could put Americans’ emails at risk of seizure by foreign governments, though Rosenkranz did not make that a major focus of his arguments Tuesday.
Cloud providers’ business in foreign countries could be affected if the DOJ wins. A collection of French and German trade groups filed an amicus brief in support of Microsoft saying global pressure for data could jeopardize the privacy of both EU and American citizens.
“In the EU, because cultural and legal privacy norms are so different than what we’re used to in the U.S., there’s a higher expectation in Europe that individual privacy rights will be respected,” said Craig A. Newman, chair of the Data Privacy Practice at Patterson Belknap in New York. “It wouldn’t surprise me to see that if the Supreme Court reverses, that there will be substantial backlash against U.S.-based cloud providers.”
Newman said that he believes Congress must still act to pass new laws addressing the shifting digital landscape, regardless of what the court decides.
“It doesn’t fix the fundamental problem,” he said. “With technological advances and the fact that data is much more complicated than it was 30 years ago, it’s going to take Congress to fix the problem.”