Searches Without Frontiers

MLATs

Law enforcement officials or prosecutors use MLATs to seek assistance from foreign governments to obtain evidence from within another country's borders. For example, U.S. prosecutors might employ MLATs to obtain witness testimony, freeze foreign bank accounts or execute search warrants. Typically, a U.S. prosecutor transmits a request for information to the Department of Justice (DOJ), which in turn transmits the request to the foreign authorities, who will execute it in accordance with local law. With over 70 MLATs in force between the United States and other countries, the MLAT process is viewed as a vital tool for the United States to strengthen its ability to fight terrorism and trans-national crime.

But MLATs are increasingly viewed by U.S. law enforcement as antiquated and insufficient to address the modern-day data storage and privacy issues presented by cloud computing. See, e.g., Chertoff Group, Law Enforcement Access to Evidence in the Cloud Era, http://bit.ly/1MB7t2G. The process is generally regarded as slow, cumbersome and not always likely to succeed. Nations that enter into MLATs retain discretion to decline requests for assistance, often on grounds of public policy or because the requested state finds the United States' intrusion on its territorial borders to be objectionable. And MLATs may also require search warrants to be executed by the foreign government, which wrests control of the process from U.S. law enforcement. Hence, while the MLAT process is designed to promote cross-government collaboration in obtaining evidence overseas, the government has an incentive to sidestep that process and obtain the evidence more quickly through alternative means.

Law enforcement's motivation to work-around the MLAT process will remain unless Congress finds a way to bring the MLAT process in line with the 21st century. Currently, a bipartisan bill known as the Law Enforcement Access to Data Stored Overseas Act, and similar draft laws, are moving through Congress and garnering broad support from technology companies, business organizations, and privacy and civil liberties advocacy groups alike. See http://bit.ly/1WHuO5Y. The proposed law's twin aims are to clarify the scope of the government's authority to search and seize overseas data, and to strengthen and enhance the MLAT process.

The Microsoft Ireland Case

The much-discussed Microsoft Ireland case presents the paradigm- atic problem facing U.S. technology companies today. In December 2013, a Federal Magistrate Judge in New York issued a warrant under the Stored Communications Act, 18 U.S.C. ” 2701-2712, directing Microsoft to disclose all e-mails and other private information associated with a certain e-mail account in Microsoft's possession, custody or control. When Microsoft determined that the target account was hosted in Dublin, Ireland, and that the data content was stored there, it filed a motion to quash the warrant, arguing that the information was beyond the U.S. government's reach.

The Magistrate Judge denied Microsoft's motion to quash the subpoena in April 2014, and U.S. District Court Judge Loretta A. Preska adopted the Magistrate's ruling in August 2014. Judge Preska agreed with the Magistrate that it was a “question of control, not a question of ' location” of the sought-after information. In re: Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp, 13-MJ-2814 (S.D.N.Y. July 31, 2014) (ECF 84). Because Microsoft could easily access the data, and no U.S. law enforcement official would step foot in Irish territory, producing the information was “not an intrusion on the foreign sovereign.”

Microsoft appealed to the Court of Appeals for the Second Circuit, where a number of technology companies ' including Amazon, Cisco, Apple and AT&T ' have filed amicus briefs. In re Warrant to Search a Certain E-mail Account Controlled and Maintained by Microsoft Corporation, 14-2985-cv (2d Cir. 2014) (hereinafter Microsoft-Ireland ). In recent months, both Microsoft and the government have made further submissions in advance of the hearing of Microsoft's appeal in September.

The central issue is this: Can the government compel Microsoft and other Internet service providers to produce e-mails or other private communications stored in a foreign nation? Microsoft, calling the warrant a bid for “extraordinary power,” argues that the warrant allows the government to “embark on unilateral law enforcement incursions into a foreign sovereign country.” In Microsoft's view, the warrant allows Microsoft to sidestep the MLAT in place between the U.S. and Ireland, raising profound policy problems for the privacy of United States citizens.

Similarly, the international community has expressed concerns about the extent to which the U.S. government can access data in the cloud, particularly after the Edward Snowden revelations. Chinese users, for example, are increasingly placing their data with Chinese cloud service providers ' which, since the U.S. has no treaty with China to secure access to that data, renders it virtually inaccessible to the U.S. Government. See China Tech Firms Benefit from US Spying Allegations, Snowden Revelations (May 30, 2014), http://bit.ly/1MBawb5. Germany has stated that it will not be using U.S. servers for data storage unless the decision is overturned, and is requiring any company providing cloud services to the German government to certify that the stored data will not be subject to seizure by a foreign government. See Microsoft Versus the Federal Government; Round Three (Apr. 10, 2015), http://bit.ly/1E1denB. Thus, the technology sector is put at risk of being indirectly penalized by foreign governments if the warrant is upheld. Individuals, foreign companies and governments might hesitate to store data in the cloud of a U.S.-owned or -controlled company, for fear it is not secure.

Forced compliance with the warrant could also put Microsoft between a rock and hard place, having to choose between disobeying a court-sanctioned command to allow a search and seizure and violating Irish and European Union rules governing data privacy. In its brief before the Second Circuit, Microsoft points to the “international outrage” precipitated by the warrant, particularly in the European community, which is now demanding that American companies who offer services to EU consumers be subjected to EU data-protection laws, regardless of the server's physical location. Ireland, for its part, has a series of data-protection laws that forbid disclosure to a third party of data that is stored and processed in Ireland, absent a lawful order issued by the Irish courts. Microsoft-Ireland, Brief for Appellants (Dec. 18, 2014) (Joint Appendix at A116). The warrant issued in the Microsoft-Ireland case would force Microsoft to violate these rules.

The U.S. Government seeks to allay these concerns by arguing that the warrant does not involve a search in Ireland but simply requires Microsoft to provide documents it controls ' just like a subpoena for documents. Microsoft-Ireland, Brief for Appellees (Mar. 9, 2015). Regardless of the storage location, the information is concededly within arms' reach of Microsoft employees in the U.S., who can utilize a computer program to collect the records from a data center in Ireland. The government argues that, as a policy matter, quashing the warrant would “deprive law enforcement of the ability to investigate and prosecute criminals using evidence obtained through a mechanism created by Congress and overseen by the courts.” Id.

Oral argument in Microsoft-Ireland is set for Sept. 9, 2015.

Remote Search Warrants

Meanwhile, the U.S. government is pursuing efforts to reach data overseas along another front: Rule 41 of the Federal Rules of Criminal Procedure. A proposed amendment to Rule 41, submitted in 2013 with revisions in August 2014, would allow the government to execute search warrants via remote access where the physical location of the place to be searched is unknown ' potentially expanding the extraterritorial reach of government search warrants.

Remote search warrants usually describe the place to be searched using language designed to specify the particular account or computer that officers have probable cause to search. But with the increasing use of sophisticated anonymizing technologies that, for example, use proxy services designed to hide a user's true IP address, the government might be able to describe the computer to be searched but not the computer's physical location.

Further, criminals are using multiple computers in many districts simultaneously, as part of complex criminal schemes. Under the Criminal Rules in their current form, investigators may need to coordinate with agents, prosecutors, and magistrate judges in every judicial district in which the computers are known to be located to obtain warrants authorizing the remote access of those computers. The government says the rules need to be updated to clarify the procedural dictates that law enforcement must follow in order to obtain this type of warrant.

The proposed amendment would facilitate the government's ability to obtain a remote search warrant in these situations. See Letter from the Department of Justice, http://bit.ly/1EAHBf9. First, the amendment would authorize a court in a district where “activities related to a crime” have occurred to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district, where: 1) “the district where the media or information is located has been concealed through technological means”; or 2) “investigation of a violation of 18 U.S.C. ' 1030(a)(5) (concerning computer fraud and related activity), the media are protected computers that have been damaged without authorization and are located in five or more districts.”

In comments submitted in December 2014 and February 2015, the U.S. government says the proposed amendment would not run afoul of the Fourth Amendment's requirement that the item to be searched ' in this case, electronic storage media or electronically stored information ' be described with sufficient particularity. The government claims that the relevant issue, instead, is “whether such warrants should as a practical matter be precluded in cases involving anonymizing technology due to lack of a clearly authorized venue to consider warrant applications.” See Comment from David Bitkower, U. S. Department of Justice (submitted Feb. 20, 2015), http://1.usa.gov/1TRT4n0. The government argues that remote search warrants should be allowed even where the computer's physical location is unknown. This will help law enforcement investigate and prosecute botnets and crimes involving Internet anonymizing technologies, both of which pose substantial threats to members of the public.

The proposals are now the subject of vigorous criticism and opposition. The period for public comment, which began in August 2014 and ended this February, saw a number of high-profile submissions from technology leaders and privacy rights advocates. Google, for example, submitted comments in February, arguing that the proposed amendment “raises a number of monumental and highly complex constitutional, legal, and geopolitical concerns.” Comment from Richard Salgado, Google Inc. (submitted Feb. 13, 2015), http://1.usa.gov/1URgmGC. Google asserts that, “in reality,” the amendment would impermissibly expand the extraterritorial reach of Rule 41, since it will in many cases end up authorizing the government to conduct searches outside the United States. Google has long encouraged the efforts of the United States and Congress to improve the MLAT process, but the proposed amendment, in Google's view, undermines those efforts. Google has urged the Committee to reject the proposed amendment and leave the matter to Congress.

U.S. Companies Take Stock

It is critical that in today's increasingly globalized world, companies that employ cloud-based computing or otherwise store data outside the United States pay close attention to the rapidly changing legal landscape regarding U.S. law enforcement's ability to search and seize overseas evidence. The Microsoft-Ireland case is a bellwether case that will signal ' both to U.S. companies and the international community ' how American courts view the government's attempts to expand its reach beyond U.S. borders. Similarly, companies should take note of whether Congress passes legislation to streamline the MLAT process or if the government successfully loosens requirements for obtaining remote search warrants. Regardless of the outcome of these efforts, one can bet that this is merely an early chapter in what will be a long and multifaceted debate over the limits on the U.S. government's law enforcement powers in the digital age.

Jonathan B. New, a member of this newsletter's Board of Editors, is a former federal prosecutor and a partner in the New York office of BakerHostetler. David M. McMillan is a litigation associate.

In order to keep up with the continuing evolution of electronic communications, U.S. law enforcement agencies are now, more than ever, setting their sights on data stored overseas. Private communications, such as e-mails, are increasingly being collected by U.S. companies and then processed and stored using cloud computing and data servers located abroad. Law enforcement theoretically has at its disposal Mutual Legal Assistance Treaties (MLATs) ' agreements between two or more countries that facilitate cross-governmental collaboration in criminal investigations and prosecutions. But the MLAT process is complicated, time-consuming and ill-equipped to handle 21st-century data storage and privacy issues. The result is that law enforcement agencies conducting criminal investigations or prosecutions increasingly find that vital data evidence lies beyond their jurisdictional reach.

Background

The first half of 2015 has seen vigorous debate over U.S. law enforcement's authority to seize data evidence stored overseas. The government is pressing along a number of fronts ' in litigation and through proposed amendments to the Federal Rules of Criminal Procedure ' to sidestep the MLAT process and gain quick access to such evidence. But technology companies and providers of cloud computing services are echoing concerns in the international community that such efforts undermine mutually agreed-upon limits on cross-border intrusion. The government's efforts also raise serious questions about the limits of Fourth Amendment protections. U.S. companies that store data overseas should therefore take stock of the current state of play: U.S. law enforcement is pressing forward ' sometimes successfully ' to reach data stored beyond U.S. borders. Whatever the outcome of these efforts, companies will need to adjust to the new realities and adopt appropriate protocols for handling their data and for responding to government inquiries while respecting local data privacy requirements.

MLATs

Law enforcement officials or prosecutors use MLATs to seek assistance from foreign governments to obtain evidence from within another country's borders. For example, U.S. prosecutors might employ MLATs to obtain witness testimony, freeze foreign bank accounts or execute search warrants. Typically, a U.S. prosecutor transmits a request for information to the Department of Justice (DOJ), which in turn transmits the request to the foreign authorities, who will execute it in accordance with local law. With over 70 MLATs in force between the United States and other countries, the MLAT process is viewed as a vital tool for the United States to strengthen its ability to fight terrorism and trans-national crime.

But MLATs are increasingly viewed by U.S. law enforcement as antiquated and insufficient to address the modern-day data storage and privacy issues presented by cloud computing. See, e.g., Chertoff Group, Law Enforcement Access to Evidence in the Cloud Era, http://bit.ly/1MB7t2G. The process is generally regarded as slow, cumbersome and not always likely to succeed. Nations that enter into MLATs retain discretion to decline requests for assistance, often on grounds of public policy or because the requested state finds the United States' intrusion on its territorial borders to be objectionable. And MLATs may also require search warrants to be executed by the foreign government, which wrests control of the process from U.S. law enforcement. Hence, while the MLAT process is designed to promote cross-government collaboration in obtaining evidence overseas, the government has an incentive to sidestep that process and obtain the evidence more quickly through alternative means.

Law enforcement's motivation to work-around the MLAT process will remain unless Congress finds a way to bring the MLAT process in line with the 21st century. Currently, a bipartisan bill known as the Law Enforcement Access to Data Stored Overseas Act, and similar draft laws, are moving through Congress and garnering broad support from technology companies, business organizations, and privacy and civil liberties advocacy groups alike. See http://bit.ly/1WHuO5Y. The proposed law's twin aims are to clarify the scope of the government's authority to search and seize overseas data, and to strengthen and enhance the MLAT process.

The Microsoft Ireland Case

The much-discussed Microsoft Ireland case presents the paradigm- atic problem facing U.S. technology companies today. In December 2013, a Federal Magistrate Judge in New York issued a warrant under the Stored Communications Act, 18 U.S.C. ” 2701-2712, directing Microsoft to disclose all e-mails and other private information associated with a certain e-mail account in Microsoft's possession, custody or control. When Microsoft determined that the target account was hosted in Dublin, Ireland, and that the data content was stored there, it filed a motion to quash the warrant, arguing that the information was beyond the U.S. government's reach.

The Magistrate Judge denied Microsoft's motion to quash the subpoena in April 2014, and U.S. District Court Judge Loretta A. Preska adopted the Magistrate's ruling in August 2014. Judge Preska agreed with the Magistrate that it was a “question of control, not a question of ' location” of the sought-after information. In re: Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp, 13-MJ-2814 (S.D.N.Y. July 31, 2014) (ECF 84). Because Microsoft could easily access the data, and no U.S. law enforcement official would step foot in Irish territory, producing the information was “not an intrusion on the foreign sovereign.”

Microsoft appealed to the Court of Appeals for the Second Circuit, where a number of technology companies ' including Amazon, Cisco, Apple and AT&T ' have filed amicus briefs. In re Warrant to Search a Certain E-mail Account Controlled and Maintained by Microsoft Corporation, 14-2985-cv (2d Cir. 2014) (hereinafter Microsoft-Ireland ). In recent months, both Microsoft and the government have made further submissions in advance of the hearing of Microsoft's appeal in September.

The central issue is this: Can the government compel Microsoft and other Internet service providers to produce e-mails or other private communications stored in a foreign nation? Microsoft, calling the warrant a bid for “extraordinary power,” argues that the warrant allows the government to “embark on unilateral law enforcement incursions into a foreign sovereign country.” In Microsoft's view, the warrant allows Microsoft to sidestep the MLAT in place between the U.S. and Ireland, raising profound policy problems for the privacy of United States citizens.

Similarly, the international community has expressed concerns about the extent to which the U.S. government can access data in the cloud, particularly after the Edward Snowden revelations. Chinese users, for example, are increasingly placing their data with Chinese cloud service providers ' which, since the U.S. has no treaty with China to secure access to that data, renders it virtually inaccessible to the U.S. Government. See China Tech Firms Benefit from US Spying Allegations, Snowden Revelations (May 30, 2014), http://bit.ly/1MBawb5. Germany has stated that it will not be using U.S. servers for data storage unless the decision is overturned, and is requiring any company providing cloud services to the German government to certify that the stored data will not be subject to seizure by a foreign government. See Microsoft Versus the Federal Government; Round Three (Apr. 10, 2015), http://bit.ly/1E1denB. Thus, the technology sector is put at risk of being indirectly penalized by foreign governments if the warrant is upheld. Individuals, foreign companies and governments might hesitate to store data in the cloud of a U.S.-owned or -controlled company, for fear it is not secure.

Forced compliance with the warrant could also put Microsoft between a rock and hard place, having to choose between disobeying a court-sanctioned command to allow a search and seizure and violating Irish and European Union rules governing data privacy. In its brief before the Second Circuit, Microsoft points to the “international outrage” precipitated by the warrant, particularly in the European community, which is now demanding that American companies who offer services to EU consumers be subjected to EU data-protection laws, regardless of the server's physical location. Ireland, for its part, has a series of data-protection laws that forbid disclosure to a third party of data that is stored and processed in Ireland, absent a lawful order issued by the Irish courts. Microsoft-Ireland, Brief for Appellants (Dec. 18, 2014) (Joint Appendix at A116). The warrant issued in the Microsoft-Ireland case would force Microsoft to violate these rules.

The U.S. Government seeks to allay these concerns by arguing that the warrant does not involve a search in Ireland but simply requires Microsoft to provide documents it controls ' just like a subpoena for documents. Microsoft-Ireland, Brief for Appellees (Mar. 9, 2015). Regardless of the storage location, the information is concededly within arms' reach of Microsoft employees in the U.S., who can utilize a computer program to collect the records from a data center in Ireland. The government argues that, as a policy matter, quashing the warrant would “deprive law enforcement of the ability to investigate and prosecute criminals using evidence obtained through a mechanism created by Congress and overseen by the courts.” Id.

Oral argument in Microsoft-Ireland is set for Sept. 9, 2015.

Remote Search Warrants

Meanwhile, the U.S. government is pursuing efforts to reach data overseas along another front: Rule 41 of the Federal Rules of Criminal Procedure. A proposed amendment to Rule 41, submitted in 2013 with revisions in August 2014, would allow the government to execute search warrants via remote access where the physical location of the place to be searched is unknown ' potentially expanding the extraterritorial reach of government search warrants.

Remote search warrants usually describe the place to be searched using language designed to specify the particular account or computer that officers have probable cause to search. But with the increasing use of sophisticated anonymizing technologies that, for example, use proxy services designed to hide a user's true IP address, the government might be able to describe the computer to be searched but not the computer's physical location.

Further, criminals are using multiple computers in many districts simultaneously, as part of complex criminal schemes. Under the Criminal Rules in their current form, investigators may need to coordinate with agents, prosecutors, and magistrate judges in every judicial district in which the computers are known to be located to obtain warrants authorizing the remote access of those computers. The government says the rules need to be updated to clarify the procedural dictates that law enforcement must follow in order to obtain this type of warrant.

The proposed amendment would facilitate the government's ability to obtain a remote search warrant in these situations. See Letter from the Department of Justice, http://bit.ly/1EAHBf9. First, the amendment would authorize a court in a district where “activities related to a crime” have occurred to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district, where: 1) “the district where the media or information is located has been concealed through technological means”; or 2) “investigation of a violation of 18 U.S.C. ' 1030(a)(5) (concerning computer fraud and related activity), the media are protected computers that have been damaged without authorization and are located in five or more districts.”

In comments submitted in December 2014 and February 2015, the U.S. government says the proposed amendment would not run afoul of the Fourth Amendment's requirement that the item to be searched ' in this case, electronic storage media or electronically stored information ' be described with sufficient particularity. The government claims that the relevant issue, instead, is “whether such warrants should as a practical matter be precluded in cases involving anonymizing technology due to lack of a clearly authorized venue to consider warrant applications.” See Comment from David Bitkower, U. S. Department of Justice (submitted Feb. 20, 2015), http://1.usa.gov/1TRT4n0. The government argues that remote search warrants should be allowed even where the computer's physical location is unknown. This will help law enforcement investigate and prosecute botnets and crimes involving Internet anonymizing technologies, both of which pose substantial threats to members of the public.

The proposals are now the subject of vigorous criticism and opposition. The period for public comment, which began in August 2014 and ended this February, saw a number of high-profile submissions from technology leaders and privacy rights advocates. Google, for example, submitted comments in February, arguing that the proposed amendment “raises a number of monumental and highly complex constitutional, legal, and geopolitical concerns.” Comment from Richard Salgado, Google Inc. (submitted Feb. 13, 2015), http://1.usa.gov/1URgmGC. Google asserts that, “in reality,” the amendment would impermissibly expand the extraterritorial reach of Rule 41, since it will in many cases end up authorizing the government to conduct searches outside the United States. Google has long encouraged the efforts of the United States and Congress to improve the MLAT process, but the proposed amendment, in Google's view, undermines those efforts. Google has urged the Committee to reject the proposed amendment and leave the matter to Congress.

U.S. Companies Take Stock

It is critical that in today's increasingly globalized world, companies that employ cloud-based computing or otherwise store data outside the United States pay close attention to the rapidly changing legal landscape regarding U.S. law enforcement's ability to search and seize overseas evidence. The Microsoft-Ireland case is a bellwether case that will signal ' both to U.S. companies and the international community ' how American courts view the government's attempts to expand its reach beyond U.S. borders. Similarly, companies should take note of whether Congress passes legislation to streamline the MLAT process or if the government successfully loosens requirements for obtaining remote search warrants. Regardless of the outcome of these efforts, one can bet that this is merely an early chapter in what will be a long and multifaceted debate over the limits on the U.S. government's law enforcement powers in the digital age.

Jonathan B. New, a member of this newsletter's Board of Editors, is a former federal prosecutor and a partner in the New York office of BakerHostetler. David M. McMillan is a litigation associate.