A STEP IN THE WRONG DIRECTION: THE CASE FOR RESTRAINING THE EXTRATERRITORIAL APPLICATION OF THE STORED COMMUNICATIONS ACT.

• Author: Battey, Alexander Dugas, Jr.

1. INTRODUCTION 262 II. PROVIDERS OF ELECTRONIC COMMUNICATION SERVICES AND THE WARRANT 265 PROCEDURES OF THE STORED COMMUNICATIONS ACT III. THE MICROSOFT WARRANT CASE 271 IV. THE STORED COMMUNICATIONS ACT AND THE PRESUMPTION AGAINST 276 EXTRATERRITORIALITY V. EUROPEAN LAW AND RECIPROCITY 281 VI. AMENDING THE STORED COMMUNICATIONS ACT 289 VII. CONCLUSION 298 I. INTRODUCTION

   Individuals should not have to worry about a foreign government unilaterally gathering their emails when under criminal investigation. However, a recent U.S. case threatens to turn such an unthinkable scenario into a reality. In the last few years, the United States approach to data protection and privacy emerged to the forefront of public and diplomatic concern. The Edward Snowden revelations and Wikileaks reports of domestic spying by the National Security Agency caused national outcry in the United States. (1) Similarly, the disclosure that the United States conducted spy operations on a number of world leaders triggered global condemnation. (2) These scandals shocked the global conscience, leaving officials and citizens alike to question the proper role of governmental supervision over private and personal data. Together with these disconcerting covert methods exist transparent statutory avenues for U.S. law enforcement to access electronic personal data.

   Among the purposes of the Stored Communications Act (SCA) is to provide the permissible methods that U.S. law enforcement may use to acquire the data of individuals. (3) Law enforcement can serve judicially mandated orders, subpoenas, and warrants on providers of electronic communication services (ECS providers) such as Google, Microsoft, and Yahoo, and compel these entities to surrender the requested information. (4) This is the standard practice when law enforcement seeks electronically stored information (ESI) belonging to a U.S. citizen for data held in the United States.

   Sometimes American law enforcement may require access to ESI about a foreign citizen or from a foreign-stored location in the course of an investigation. In these scenarios, when an ECS provider determines the information sought is not held within the United States, law enforcement is directed to the applicable mutual legal assistance treaty (MLAT). An MLAT, in the context of a criminal matter, is a treaty between nations that provides the mechanisms for equivalent law enforcement agencies in each respective country to exchange evidence and information to resolve the criminal matter. (5) The MLAT between the United States and the country that holds the sought data is the traditional method by which law enforcement secures such "international" data.

   However, a recent revolutionary case threatens to subvert the traditional process. In 2014, a magistrate judge ruled that United States law enforcement may use a warrant properly issued under the Stored Communications Act (SCA Warrant) to access emails, stored in Ireland by the U.S.-based provider Microsoft, without utilizing MLAT procedures. (6) While the nationality of the person controlling the email account has not been released and was not addressed by the magistrate, (7) the emails likely belong to a customer of Microsoft who is a citizen of the European Union. The magistrate's order was confirmed on appeal. (8)

   This decision places ECS providers in a legal bind. ECS providers are required to comply with the domestic law in which they operate, and the European Union has very stringent laws with regard to personal data privacy. (9) If an ECS provider must hand over data that belongs to an EU citizen, it may run afoul of EU law. Conversely, an ECS provider's failure to turn over emails to U.S. law enforcement could result in a contempt of court charge for failing to comply with the SCA Warrant. (10)

   This Note argues that the extraterritorial power of U.S. law enforcement to access emails held abroad via an SCA Warrant cannot be given carte blanche, but must be carefully limited both by Congressional amendments to the SCA and treaty-based mechanisms.

   Part II of this Note provides background information for the discussion to follow, detailing the process in which a person creates an email account, how that email is stored by an ECS provider, and the traditional process by which law enforcement accesses an email- domestically and internationally. Part III outlines the facts and rationale of In re A Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp. [hereinafter Microsoft Warrant Case]. Part IV argues that the Stored Communications Act triggers the presumption against extraterritoriality and lacks the clear Congressional intent necessary to rebut the presumption. Part V explains the issuance of an SCA Warrant for emails created by E.U. citizens but stored by American ECS providers in Europe would result in a conflict of laws between the strict data privacy regulatory regime in the European Union and the requirement for ECS providers to hand personal data to American authorities. This section will also consider the practical implications for ECS providers if SCA Warrants can be issued for foreign data, including the problem of reciprocity. Part VI will advocate for the amendment of the SCA in order to modernize the practice of data transfer between nations, taking into account for the first time the nationality of the email's owner as well as the territorial location of the servers where the emails are stored while acknowledging the fundamental need for MLAT reform.

2. PROVIDERS OF ELECTRONIC COMMUNICATION SERVICES AND THE WARRANT PROCEDURES OF THE STORED COMMUNICATIONS ACT

   People rely on webmail providers to send and store e-mails everyday. When a customer creates an email account with a cloud service, the ECS provider stores emails that are sent and received. Simply put, "cloud computing" is the storage and access of data over the Internet instead of on the computer's internal hard drive of an individual. (11) The stored e-mail data includes content information (the message and subject line of the email), as well as non-content information (including the sender address, and the date and time of the email). (12)

   ECS providers store these messages in datacenters. A datacenter is a facility that "centralizes an organization's IT operations and equipment" and "stores, manages, and disseminates its data" and the data it is responsible for. (13) As ECS providers are responsible for controlling and processing information to expand their business globally, they have built datacenters around the world to meet this high demand. (14) Indeed, many ECS providers incorporated in the United States now maintain datacenters around the world. (15)

   Network latency, the delay in time for data to travel from the requested location to the delivered one, determines which datacenter a particular customer's emails are stored in. (16) In order to decrease the network latency between a datacenter and the location of the email subscriber's computer, an ECS provider will try to store a customer's emails in the closest possible datacenter. Additionally, datacenter selection may depend on the customer selecting a country code when registering the email account. (17) For example, if a customer tells the email service they live in France upon registration, then the ECS provider, via an automated process, would find the nearest datacenter to France and store the emails there. After the email is transferred to the closest datacenter to the user, and that datacenter is outside of the United States, the email content information (again, message and subject line information) is deleted from the U.S. servers while non-content information (sender address, date and time) can remain on U.S. servers. (18)

   Often, U.S. law enforcement will require ESI in the furtherance of a criminal investigation. The Fourth Amendment of the U.S. Constitution protects the right of people "to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures...." (19) Of course, when authored, the possibility of electronically stored information was unforeseeable and the Fourth Amendment's protections traditionally extended only to the tangible realm. (20) Thus, Congress enacted the Stored Communications Act in 1986 to fill that gap to apply to our "virtual homes." (21)

   The SCA created Fourth Amendment-like protections for electronic communications. (22) It has been described as "creat[ing] a zone of privacy to protect internet subscribers from having their personal information wrongfully used and publicly disclosed." (23) The protections outlined by Congress in the SCA are to be balanced with the legitimate need for governmental agencies to access electronically held information in criminal matters. (24)

   The SCA provides the steps that the U.S. government and its law enforcement arms must take to access the contents of stored communications, including e-mails. (25) Section 2703 illustrates five ways that a government entity can use to compel the disclosure of electronic information. They are, in ascending order of the required threshold showing: (1) subpoena; (2) subpoena with prior notice; (3) section 2703(d) court order; (4) section 2703 court order with prior notice; and (5) a search warrant. (26) These various orders are served on an ECS provider to compel the disclosure of electronic records.

   For the purposes of this Note, exclusive focus is placed on warrants issued under the Stored Communications Act. An investigator can obtain the full contents of an electronic account such as e-mail with a search warrant, and the customer does not have to be notified when agents acquire the information from the customer's ECS provider. (27) An SCA Warrant requires a provider to disclose an electronic communication that has been in storage for 180 days or less, "using the procedures described in the Federal Rules of Criminal Procedure(FRCP)" or, in a state...