Supreme Court Appears Divided on Microsoft Cloud Data Privacy Case

NEWS ANALYSIS: There was no clear winner in the legal arguments before the U.S. Supreme Court in the case of U.S. v. Microsoft, but there was agreement that the current 1986 law was inadequate.

Cyber-Privacy Legislation

U.S. Supreme Court justices heard arguments Feb 27  in the Department of Justice’s effort to overturn a decision by the Second U.S. Circuit Court of Appeals in New York that found that the government did not have the authority to demand information stored on a Microsoft owned server located in Ireland. 

Two conservative justices, Chief Justice John Roberts and Justice Samuel Alito appeared to side with the government. Justice Ruth Bader Ginsburg and Justice Sonia Sotomayor, both liberals, appeared to side with Microsoft position. 

The other five justices said little, although Justice Neil Gorsuch repeatedly questioned the government use of the terms “warrant” and “subpoena” interchangeably as well as the government’s assertion that a request to Microsoft to turn over the contents of an email account was a hybrid of both legal processes. 

Gorsuch repeatedly told Deputy Solicitor General Michael Dreeben that the statute in question, the Stored Communications Act of 1986, only used the term “warrant” which he pointed out could only be used in the district of the judge issuing it. 

Justices Anthony Kennedy and Clarence Thomas were present but did not participate in the questioning. Justice Elena Kagan and Justice Stephen Breyer focused on the requirement that a judge consider comity, which means that it’s necessary to work within international agreements when dealing with extraterritoriality. 

Extraterritoriality is at the core of Microsoft’s position in refusing to turn over email on a server in Ireland. The question boils down to whether the government can use a warrant to demand the information. Because U.S. warrants are invalid outside the U.S., the government’s argument is that because Microsoft is in the U.S., and because it can easily retrieve the information with a few clicks of a mouse, it should produce the information. 

Microsoft’s position, which is supported by Ireland, the European Union and a long list of technology companies in their supporting briefs, is that if the government wants the information, it has to use a method called an Mutual Legal Assistance Treaty (MLAT) in which each party to the treaty agrees to help the other in legal matters. There is an existing MLAT between the U.S. and Ireland, and between the U.S. and the EU, of which Ireland is a member. 

The government’s argument was that the MLAT process is too complicated and too slow. In its response, Microsoft’s attorney, Joshua Rosenkrantz, pointed out that foreign governments make it a point to respond quickly to urgent requests. 

There was considerable discussion about the application of the 1986 statute and how it applies to today’s cloud computing environments in which information can be stored where it’s most efficient. 

To some extent the Justices showed a level of unfamiliarity with how companies manage data in the cloud, with Justice Alito suggesting that the email in question might be broken up into “shards” and portions of it stored in several countries. He suggested that this might require several MLATs. He said that somebody told him that Google’s Gmail works this way. 

After the legal arguments on Feb. 27, both sides will file final legal briefs before the full courts meets behind closed doors to discuss the facts and the law. However, we’ll have to wait until June to find out whether Microsoft will have to turn over the contents of an email account currently residing in Ireland. 

Despite the disagreement on whether the government can demand data stored in another country, there was agreement on one fact, which is that the Stored Communications Act is inadequate to deal with today’s computing environment. 

Both sides of the court agreed as did the attorneys for the government and Microsoft. There were frequent mentions of the CLOUD act, S. 2383, which is currently working its way through the Senate. This act, which attempts to clarify the lawful use of overseas data, is currently being considered by the Senate Judiciary Committee. 

Microsoft president and chief legal officer Brad Smith also called for action by Congress in a blog post immediately before the Supreme Court hearing. “Everyone agrees that new technology poses new problems that need to be solved,” Smith wrote in his blog post. “We’ve argued since the day we filed this case in 2013 that we need modern laws to govern today’s technology. We can’t rely on laws written three decades ago, before the internet as we know it was invented.” 

Smith pointed out that the CLOUD act is a bipartisan bill with support in both houses of Congress as well as from the tech industry and law enforcement. “The CLOUD Act creates both the incentive and the framework for governments to sit down and negotiate modern bi-lateral agreements that will define how law enforcement agencies can access data across borders to investigate crimes,” Smith wrote 

“It ensures these agreements have appropriate protections for privacy and human rights and gives the technology companies that host customer data new statutory rights to stand up for the privacy rights of their customers around the world,” Smith asserted. 

“The justices across the spectrum all agree that Congress was better positioned to fashion a rule that could resolve this than the Supreme Court was,” said David Newman, an attorney with Morrison & Foerster who works in the national security area. He’s a former court clerk for Justice Ruth Bader Ginsburg. 

“The challenge in this case is that the 1986 law is not a good fit,” Newman said, “and never contemplated the 21st century storage practices that are now widespread.” In addition, Newman said that the court is struggling with having to make a decision in which there was no choice that was entirely satisfactory. 

While it appears that all of the parties involved seem to think that legislation such as the CLOUD Act is vitally necessary to provide a means for law enforcement in the U.S. to gain access to data stored overseas, and to provide a framework for agreements to provide access to data stored in the U.S. by foreign authorities, it’s unclear whether it has a chance of passage. 

The problem is that in today’s hyper-partisan atmosphere in Congress, few bipartisan bills see the light of day. And that’s too bad, because this is one area where it’s vital that both sides find a way to do their jobs.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...