Drawing Lines in the Cloud: Implications of Extraterritorial Limits to the Stored Communications Act

• Publication year: 2022

51 Creighton L. Rev. 75. DRAWING LINES IN THE CLOUD: IMPLICATIONS OF EXTRATERRITORIAL LIMITS TO THE STORED COMMUNICATIONS ACT

Drawing Lines in the Cloud: Implications of Extraterritorial Limits to the Stored Communications Act

Andrew J. Pecoraro(fn)*

ABSTRACT

Just how private are individuals' private email accounts? This question has become more relevant in light of the Edward Snowden leaks in 2013, revealing that the United States was bulk-collecting the information of not only foreigners, but also the information of its own citizens. Courts have struggled to strike the right balance between practical concerns of privacy, on one hand, and the government's legitimate interest in prosecuting crimes on the other. These complex considerations are only multiplied when a case involves access to data stored across borders. Recently, the Second Circuit departed from other case holdings to find that the presumption of extraterritoriality prevents the government from using Stored Communication Act ("SCA") warrants-or perhaps any domestic legal process-to access data that is stored overseas.

This Article explores the rationale employed by the Second Circuit and other cases to conclude that such decisions will have significant implications for other provisions of the SCA and potentially undermine long-standing Fourth Amendment doctrines, such as the Bank of Nova Scotia doctrine and the third-party doctrine. This Article highlights two conclusions that may impact these other doctrines: first, the conclusion that a provider accessing data on one of its servers constitutes a search under the Fourth Amendment; and second, that the location of the data is a determinative factor in deciding jurisdiction over that data.

Arguing against the prevailing trend in the academic literature in this area, this Article concludes that providers' access to their own servers cannot be a search under the Fourth Amendment and, further, that the location of data is a problematic factor to rely upon. It argues that the SCA should be interpreted to reach data stored overseas held by electronic service providers that are subject to U.S. jurisdiction. It argues that the jurisdictional test for what service providers should be subject to the SCA obligation is much narrower than currently employed and should follow from cases such as Daimler A.G. v. Baumer and its progeny. Further, it proposes a new test for the validity of SCA warrants, positing that such warrants should be quashed upon a prima facie showing that either the target of the investigation is not a U.S. national or the target is not acting in the United States, or that retrieving the data would violate the laws of the country in which the data is being stored. Such a proposal allows law enforcement the flexibility to investigate as needed, but respects both the international sovereignty of other nations and the privacy interests of the owners of the data.

I. INTRODUCTION................................... 77

II. GOVERNMENT ACCESS TO ELECTRONIC DATA.............................................. 82

A. THE STORED COMMUNICATIONS ACT............... 83

B. THE PRESUMPTION AGAINST

EXTRATERRITORIALITY AND THE SCA.............. 85

1. Is the SCA Intended to Operate Extraterritorially? ........................... 87

2. What is the Focus of the SCA?............... 90

3. Does an SCA Disclosure Occur Extraterritorially? ........................... 92

III. THE IMPLICATIONS FOR THE SCA AND THE FOURTH AMENDMENT........................... 96

A. THE SCA SUBPOENA AND COURT ORDER PROVISIONS...................................... 96

B. THE BANK OF NOVA SCOTIA DOCTRINE............ 99

C. THE THIRD-PARTY DOCTRINE..................... 102

IV. MOVING FORWARD WITH THE SCA.............. 104

A. PROBLEMS WITH DATA AS DETERMINANT........... 105

B. A NEW APPROACH FOR ASSESSING JURISDICTION OF SCA WARRANTS .............................. 109

1. Focusing on the Nationality of the Target..... 109

2. Focusing on the Location of the Service

Provider..................................... 111

V. CONCLUSION ..................................... 117

I. INTRODUCTION

People are more attached to their electronic devices,(fn1) and expect those devices-and the information they contain-to be available at a moment's notice, connecting "seamlessly and continuously through the 'Internet of Everything.'"(fn2) Customers have the option of storing emails on private servers in their home or business, or electing to have their service provider host and store all their private communications. Companies have gone from being single-solution specialists to offering full-service storage and security for the private email accounts of their customers.(fn3)

But just how private are these commercial email accounts? This question has become more relevant due to Edward Snowden's leaks in 2013,(fn4) which revealed that the United States was bulk-collecting the information of not only foreigners, but also the information of its own citizens.(fn5) People began to question when, how, why, and even if the government should be able to access electronic data about an individual. And just as relevant, when should law enforcement be able to go to your service provider-Microsoft, Google, Apple, etc.-and demand that the provider disclose the contents of an email account?

In light of allegations that technology firms cooperated with this massive surveillance, these companies have begun to push back against giving the government access to their customers' data.(fn6) In addition to the straightforward privacy issues, these companies have a practical interest in protecting the data that they are entrusted; they fear losing massive amounts of foreign business if they are seen to be "in the pocket" of the U.S. government.(fn7) Therefore, companies like Nokia, Google, and Apple have been announcing their independence from the government.(fn8) Nokia, in particular, has adopted policies reaffirming its commitment to its customers' privacy and demanding more government transparency regarding surveillance methods.(fn9) "Similarly, several nations are considering, or have passed, mandatory data localization requirements, pursuant to which companies doing business in their jurisdiction are required to store certain data, or copies of such data, locally."(fn10) These laws and policies are aimed at preventing the United States from being able to obtain an individual's data from a third party, particularly without informing the individual.

Such action, while appealing to privacy concerns, raises significant issues for law enforcement. When investigating serious crimes, law enforcement officers are often stymied by the sophisticated communications offenders use to plan their crimes.(fn11) Often the only evidence investigators begin with is a snippet of electronic information or part of a communication concerning illicit activity; as will be discussed below, the identity and even the citizenship of suspects is often unknown.(fn12) Thus, law enforcement claims that access to data is imperative for the government to be able to conduct effective investigations.(fn13)

In response to this need, the government enacted statutes that allow law enforcement to obtain this information. The Electronic Communications Privacy Act(fn14) ("ECPA") is a part of that law enforcement arsenal.(fn15) Title II of the ECPA is the Stored Communications Act(fn16) ("SCA"), which "protects the privacy of the files stored by service providers" but permits law enforcement to obtain these electronic files under narrow circumstances.(fn17) Far from the bulk data collection under the PATRIOT Act(fn18) and the PRISM program,(fn19) the SCA requires the government to tailor search warrant and subpoena requests to information that they can show are materially relevant to an ongoing investigation.(fn20) Yet the SCA, and tools like it, were enacted before the widespread adoption of email and the introduction of the "cloud." The provisions are outdated when applied to twenty-first-century technology and present unique challenges when examined under the traditional Fourth Amendment concept of a reasonable expectation of privacy.(fn21) A handful of scholars are now exploring the complicated jurisdictional, privacy, and security questions that are posed by the intersection of modern technology and statutory provisions ill-equipped to handle such technology.(fn22)

Striking the right balance between these practical concerns of privacy on one hand, and the government's interest in prosecuting crimes on the other, has proven to be a difficult task. Courts have differed in determining what privacy interest, if any, a person has in electronic data,(fn23) or if accessing such data even constitutes a search at all.(fn24) Traditional tools such as warrants raise new questions about territoriality when applied to the electronic landscape, rather than to a physical location; for example, is a warrant issued in the Eastern District of Virginia violating the territorial limitations of a warrant if it allows law enforcement to gather data from a computer located in California?(fn25)

These concerns are only complicated when a case involves access to data stored across borders. Courts have differed on whether having a service provider access data located outside the United States constitutes a search or seizure of that data, and if so, where the actual search or seizure takes place. For example, the United States Court of Appeals for the Second Circuit has held that the...