The un-territoriality of data.

Author:Daskal, Jennifer
Position::Introduction through I. Territorial Presumptions, p. 326-365

ARTICLE CONTENTS INTRODUCTION I. TERRITORIAL PRESUMPTIONS A. The Territorial Fourth Amendment B. Territorial-Based Surveillance Authorities C. Territorial Warrant Authority 1. Rule 41 2. Wiretap Authority 3. The Stored Communications Act II. DATA IS DIFFERENT A. Data's Mobility B. Data's Divisibility and Data Partitioning C. Location Independence 1. Disconnect Between Location of Access and Location of Data 2. Disconnect Between Data and the Data User D. Data's Intermingling E. Third-Party Issues III. WHAT DOES IT ALL MEAN? A. The Fourth Amendment 1. An Equilibrium-Adjusted Fourth Amendment 2. A Presumptive Fourth Amendment 3. A Universalist Fourth Amendment B. Foreign Surveillance: Additional Considerations C. The Microsoft Case: Warrant Jurisdiction and the Stored Communications Act CONCLUSION INTRODUCTION

In December 2013, United States federal law enforcement agents served a seemingly innocuous search warrant on Microsoft, demanding information associated with a Microsoft user's web-based e-mail account. But there was a problem--the e-mails sought by the government were located in a data-storage center in Dublin, Ireland. Consequently, Microsoft refused to turn over the emails, claiming that the government's warrant authority did not extend extraterritorially; the warrant was therefore invalid. The government, along with the magistrate judge and district court, disagreed--concluding that the relevant reference point for purposes of warrant jurisdiction was the location of the provider (in this case Microsoft), not the location of the data. (1) Because the Ireland-based data could be accessed and retrieved by Microsoft employees within the United States, the warrant was territorial--not extraterritorial--and therefore valid. (2)

The question of where the relevant state action takes place when the government compels the production of e-mails from an Internet Service Provider (ISP) is one of first impression and is now being litigated before the Second Circuit. It has garnered the attention of communication companies throughout the United States, the Irish government, the European Parliament, media outlets, the U.S. Chamber of Commerce, and a wide array of commentators. (3) In a strongly worded letter, the former European Union Justice Commissioner warned that execution of the warrant may constitute a breach of international law (4)--a sentiment echoed in the amicus briefs supporting Microsoft. (5) But this statement simply assumes the answer to the key questions that the case poses: where does the key state action occur? At the place where data is accessed or the place where it is stored?

The dispute lays bare the extent to which modern technology challenges basic assumptions about what is "here" and "there." It challenges the centrality of territoriality within the relevant statutory and constitutional provisions governing the search and seizure of digitized information. After all, territorial-based dividing lines are premised on two key assumptions: that objects have an identifiable and stable location, either within the territory or without; and that location matters--that it is, and should be, determinative of the statutory and constitutional rules that apply. Data challenges both of these premises. First, the ease, speed, and unpredictability with which data flows across borders make its location an unstable and often arbitrary determinant of the rules that apply. Second, the physical disconnect between the location of data and the location of its user--with the user often having no idea where his or her data is stored at any given moment--undercuts the normative significance of data's location.

This is not to say that tangible objects are immovable or that they are always co-located with their owner. Both people and objects travel from place to place. And people can be, and often are, separated from their tangible property by an international boundary. But the movement of people and their physical property is a physically observable event, subject to readily apparent technological and physical limitations that affect how quickly bodies and tangible things can travel through space. By contrast, the movement of data from place to place often happens in a seemingly arbitrary way, generally without the conscious choice--or even knowledge--of the data "user" (by which I mean the person with a reasonable expectation of privacy in the data, such as the user associated with a particular e-mail account). (6) An e-mail sent from Germany, for example, may transit multiple nations, including the United States, before appearing on the recipient's device in neighboring France. Contact books created and managed in New York may be stored in data centers in the Netherlands. A document saved to the cloud and accessed from Washington, D.C., may be temporarily stored in a data storage center in Ireland, and possibly even copied and held in multiple places at once. These unique features of data raise important questions about which "here" and "there" matter; they call into question the normative significance of longstanding distinctions between what is territorial and what is extraterritorial. Put bluntly, data is destabilizing territoriality doctrine.

Data also challenges territoriality's twentieth-century companion criteria--citizenship and national ties--as determinative of the constitutional and statutory rules that apply. It is now widely accepted that both citizens and noncitizens with substantial voluntary connections to the United States enjoy basic constitutional protections (including the protections of the Fourth Amendment) even when they are located outside the United States' borders. (7) Conversely, the Fourth Amendment does not protect noncitizens outside the United States, absent sufficient voluntary connections to the nation. (8) Thus, territoriality doctrine, at least for constitutional purposes, involves a two-part inquiry into territoriality and target identity--with target identity turning on the depth of the target's connections to the United States.

But just as data highlights the arbitrariness of malting the location of mobile zeroes and ones determinative of the rights and obligations that apply, data also exposes the problems with making identity determinative of such rights and obligations. Digital footprints are neither observable nor readily identifiable as "belonging" to a particular person. While an Internet Protocol (IP) address might reveal a user's location, the use of anonymizing services and other tools designed to protect the user's privacy (or evade detection) can make even the task of identifying a data user's location exceedingly difficult, let alone the user's citizenship or depth of connection to the United States. (9) While similar identification problems occur in the world of tangible property, the ubiquitous and intermingled nature of data compounds the problem of identification in both degree and kind. This problem is particularly acute in the context of mass surveillance, where the sheer quantity of data collected necessitates the use of presumptions as a basis for establishing identity. The vast quantity of data collected means that even a low error rate will yield large quantities of data associated with misidentified users.

This Article takes up the challenge that data-in particular its mobility, interconnectedness, and divisibility--poses to territoriality doctrine and its focus on user identity. To be clear from the outset, I do not purport to provide all of the answers, a task that requires far more than a single article. Rather, the aim of this Article is threefold: first, to expose the fiction of territoriality in a world of highly mobile, intermingled, and divisible data; second, to highlight flaws in the territoriality doctrine; and third, to suggest alternative approaches to thinking about the scope of the Fourth Amendment, the rules governing the acquisition of foreign intelligence information, and the territorial limits on law enforcement jurisdiction.

In so doing, this Article fills an important gap in the literature. While there was, beginning in the 1990s, a surge of scholarship on the borderless Internet's effect on sovereignty, the literature focused largely on private law (such as e-commerce and trademarks) and associated regulatory issues. (10) In contrast, scholarly literature has devoted comparatively little attention to the constitutional and sovereignty implications of the government reaching or sending its agents across borders to search and seize. Orin Kerr offers perhaps the most sustained attention to the issue, but he does so while focusing primarily on border searches and with the goal of maintaining the Fourth Amendment's territorial-based distinctions. (11) I, by contrast, argue that data challenges territoriality doctrine at its core, requiring us to reconsider--and in some cases reject--the territorial-based distinctions as they apply to the search and seizure of digital data.

The Article proceeds in three parts. Part I begins by analyzing the longstanding presumption against extraterritoriality, examining its dominant (and often confused) constitutional, statutory, and jurisdictional applications. It explores the underpinnings of the now-dominant view that only certain "people"--namely U.S. citizens, noncitizens with substantial voluntary connections to the United States, and those physically present in the United States--are entitled to Fourth Amendment rights and heightened statutory protections with respect to foreign intelligence surveillance.

This Part also highlights the very different purposes that territoriality serves within the context of the Fourth Amendment doctrine (and, by extension, surveillance law) and within the context of warrant jurisdiction. The Fourth Amendment imposes restrictions on the government's authority to search and seize; by contrast, warrants provide the government the affirmative authorization to do so. Thus,...

To continue reading