Block on Trump's Asylum Ban Upheld by Supreme Court
Back in July, Microsoft lost a battle to protect data stored on Irish email servers, wholly owned and controlled by Microsoft, from the U.S. Justice Department. All we know about these email MacGuffins is that they have something to do with drugs.
Appealing to the Second Circuit Court of Appeals, Microsoft argues that, because the magnetic particles comprising the data are physically located in Ireland, those particles -- and the data they represent -- are protected by Irish and European privacy laws, meaning Microsoft can't be compelled to turn them over.
Cough Up Those Bits
The case presents a question of first impression for the Electronic Communications Privacy Act (ECPA): Does it matter where the bits that make up the data the governments wants are stored? There's no question about the validity of the subpoena the government's using to get these data, or if there are, that's a separate issue. Questions about the wisdom of the ECPA aside (because whether the ECPA needs to be updated to reflect 28 years of technological changes is not only a foregone conclusion in the affirmative, but a whole other discussion), one result of the Internet is that geography doesn't matter.
In the olden days, before YouTube cat videos, law enforcement executing a warrant to search a location would have to be physically present in that location. If that involved breaching the geographic border of a foreign country, that country had to consent, usually by way of some sort of treaty. Microsoft says that's still the case in the 21st century.
So, Have We Moved Beyond Borders or Not?
It's a contentious issue, though I have to say I'm not a fan of the introduction in Microsoft's brief, which begins with an analogy to the Stasi, the East German secret police. Really, Microsoft? Godwin's Law was your opening volley?
About the only thing squarely in Microsoft's favor is the presumption against extraterritoriality: If Congress wants U.S. law to apply outside the geographic boundaries of the United States, it has to say so explicitly. The ECPA is silent on this issue, raising this presumption. On the other hand, no one needs to be physically present in Ireland to obtain these data. A Microsoft employee in Redmond, Washington, could remotely access the Irish server and obtain all the data the government's requesting.
The reductio ad absurdum (which isn't all that absurd) is that if a U.S. court orders the parent company of its Irish subsidiary to access information stored abroad, Internet norms become changed. Suddenly, the Chinese government could order Microsoft to release emails stored in the United States in order to prosecute Chinese citizens for, say, speaking out against the government. (Hence the Stasi analogy.) But if the Internet transcends borders, must it do so in all circumstances, or only in those instances where it's normatively acceptable to us? "The Internet is governed by geographic borders when I agree with it" seems kind of capricious.