Where in the World is Your Data? Who Can Access It?

• Author: Grabar, Katherine

TABLE OF CONTENTS I. INTRODUCTION 159 II. THE STORED COMMUNICATIONS ACT: AN OUTDATED STATUTE 161 APPLIED TO A MODERN-DAY DISPUTE A. THE PROBLEM: THE OUTDATED TEXT OF THE STORED 162 COMMUNICATIONS ACT B. THE STORED COMMUNICATIONS ACT: TOO OLD TO REGULATE 163 THE MICROSOFT CLOUD AND THE DATA WITHIN IT III. MICROSOFT CORP. V. UNITED STATES: ONE OF MANY REASONS THE 165 STORED COMMUNICATIONS ACT REQUIRES AN UPDATE A. RAMIFICATIONS OF MICROSOFT CORP. V. UNITED STATES 165 BEYOND ONE SEARCH WARRANT B. CLOUD INNOVATION: MICROSOFT UNDERWATER DATA CENTER 167 C. CONGRESS' LACK OF IMPACTFUL ACTION LEAVES THE SCA IN 168 THE TWENTIETH CENTURY IV. SUGGESTED AMENDMENTS TO MODERNIZE THE STORED 170 COMMUNICATIONS ACT A. FIRST PROPOSED AMENDMENT: UNITED STATES LAW 171 ENFORCEMENT HAS JURISDICTION OVER UNITED STATES CITIZEN'S DATA B. SECOND PROPOSED AMENDMENT: UNITED STATES LAW 173 ENFORCEMENT HAS JURISDICTION OVER DATA PHYSICALLY STORED IN THE UNITED STATES C. THIRD PROPOSED AMENDMENT : LAW ENFORCEMENT NEEDS A 174 SEARCH WARRANT AND NOTICE REQUIREMENT FOR SEARCH OF ANY ELECTRONIC COMMUNICATIONS D. AMENDMENT APPLICATION TO MICROSOFT CORP. V. UNITED 176 STATES AND MICROSOFT'S UNDERWATER DATA CENTERS V. CONCLUSION 177 I. INTRODUCTION

People take pictures on their Apple iPhones, save documents to Google Drive, or send emails using Microsoft's Outlook.com. Companies, like Microsoft, Apple, and Google, make these services available to their users and store the user-created data on their own servers, as opposed to on the device used to create the work product. (1) This storage function is called the "cloud." (2) Customers using the cloud can access their data from any Internet-enabled device and share the data with others while preventing data loss. (3) The cloud is a large number of grounded servers located across the globe, and in the United States alone, the cloud is responsible for two percent of the country's electricity usage. (4) The servers powering the cloud must be stored at a location with a low temperature because if they overheat, the servers will crash. (5) When these servers, hosted in data centers, overheat, users' devices cannot access the content they need. (6) In response, Microsoft developed Project Natick to solve this problem of overheated servers by operating data centers in the ocean. (7) The ocean keeps the data centers cool so consumers can access their data without delay, and the technology companies furnishing the servers save money on their electricity bill. (8)

The Stored Communications Act ("SCA"), which is part of Title II of the Electronic Communications Privacy Act ("ECPA"), is the "primary law governing government and private actor access to our stored online communications" written in 1986. (9) Courts differ on how to interpret the anachronistic statute, some choosing to protect electronic communications that did not exist at the time of the SCA'S passage, like data stored in the cloud, while others fail to modernize their interpretation. (10) Without legal protection, the technological process will be inhibited if consumers and businesses do not have confidence that their data will be secure in new technologies like the cloud. (11)

The Second Circuit recently grappled with the SCA's applicability to cloud data stored in Dublin in a Microsoft data center. (12) The Court denied the government's search warrant application to access data in the Dublin data center because the SCA did not specifically mention that the law governs data extraterritorially. (13) An obsolete SCA thus produces an environment where online cloud data does not possess the same privacy protections as data stored on a home computer or in a filing cabinet. (14)

Congress has repeatedly failed to update the SCA to govern privacy rights in the massive amounts of data consumers store in the cloud. (15) This creates an even larger challenge when applied to the underwater data centers Microsoft is developing. The Second Circuit held that the United States does not have jurisdiction to access data that is not stored domestically. (16) Accordingly, the United States likely does not have jurisdiction over data stored at sea in places like underwater data servers in Microsoft's Project Natick.

Congress must amend the SCA to protect privacy interests and empower the government to engage in effective investigative searches. Law enforcement, armed with a search warrant, needs the ability to access the data of United States citizens stored on domestically and internationally. Companies that operate their own cloud services should not be able to store data wherever they please, based on a company policy designed to avoid potential government seizure. An updated Stored Communications Act should include: (i) jurisdiction to search overseas data of United States citizens; (ii) jurisdiction to search data physically stored in the United States; and (iii) a warrant and notice requirement for search of any electronic communications. These solutions are necessary to create clear procedures for searches and search warrant applications to protect law enforcement investigations, individual privacy, and the business of technology companies.

This Note proceeds in three parts. Part II outlines the text and legislative history of the Stored Communications Act and the Second Circuit's interpretation of the SCA in Microsoft Corp. v. United States. Part III addresses the consequences of inaction through a review of the lack of law enforcement search tools abroad without extraterritorial application of the SCA, Microsoft's development of underwater data servers, and a review of proposed and unsuccessful legislation to amend the SCA. Part IV proposes jurisdictional and privacy amendments to the SCA that provide law enforcement with the ability to search data with a warrant based on probable cause for electronically stored data of any United States citizen or data geographically stored within the United States. This proposed jurisdictional power is balanced with a warrant requirement for any stored data and notification requirement to any user whose data is seized.

2. THE STORED COMMUNICATIONS ACT: AN OUTDATED STATUTE APPLIED TO A MODERN-DAY DISPUTE

   The Stored Communications Act was enacted to protect electronic communications from unreasonable searches and seizures. (17) However, the law has not been substantively updated in the thirty years since it was introduced. (18) An outdated law, in combination with developing technology, yields uncertain privacy protection for individuals over data stored using cloud technology. (19) The SCA inhibits an individual's attempt to protect data and law enforcement's endeavors to engage in lawful searches of data to investigate unlawful activity. (20) The Second Circuit interpreted the Stored Communications Act and concluded that the law does not authorize application of a United States search warrant to data stored overseas. (21) According to the Second Circuit's interpretation, the statute failed to grant law enforcement the power to search data overseas because there was no explicit provision discussing extraterritorial application or cloud data. (22) This outdated statute creates ambiguity as to an individual's privacy rights such that a corporation's decision of where to store data determines whether the data receives Fourth Amendment protections. (23)

   1. The Problem: The Outdated Text of the Stored Communications Act

      Congress enacted the ECPA and the SCA to extend the application of the Fourth Amendment privacy right to electronic communications. (24) Before the statute, there was no explicit regulation governing who could access electronically stored data and when access was granted. (25) The statute outlines with whom network providers may share a customer's data, since customers may not store their own data when using electronic services. (26) The SCA instructs providers of electronic communication services on when they can share customers' information and communications (27) and dictates the proper standards for law enforcement to gain access to this data. (28) Service providers undertake the obligation to protect users and their data, with the exception of subpoenas and warrants based on probable cause. (29) The statute "allows law-enforcement agencies to obtain stored e-mail, account records, or subscriber information from a service provider." (30) Even though the statute has not been meaningfully updated since its passage, courts now interpret the SCA to govern electronic content, such as emails, YouTube videos, Facebook messages, and metadata related to Internet transactions. (31)

      Under the SCA, an administrative subpoena can grant the government access to basic subscriber and transactional information. (32) However, law enforcement needs more than just a subpoena to access the actual content of stored communications because the SCA requires a warrant for "the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less." (33) For any communications older than 180 days, the government must notify the subscriber or customer, or obtain a warrant. (34) Classifications within the statute dictate different protections for the same email if it is in transit, opened and stored in remote storage, stored on a home computer, unopened and stored for 180 days or less in remote storage, or in remote storage for more than 180 days while unopened. (35)

   2. The Stored Communications Act: Too Old to Regulate the Microsoft Cloud and the Data Within It

      On December 4, 2013, Magistrate Judge James C. Francis IV granted the United States government's warrant, in accordance with the SCA, for data stored by the Microsoft Corporation ("Microsoft") for a criminal narcotics investigation. (36) Microsoft stored most of the data relating to the government's request in one of its data centers in Dublin, and the rest in the United States...