Search Warrants in the Cloud: Reconciling Divergent Rulings
When is a search warrant valid for documents stored in the cloud? That's not a simple question to answer, particularly given to recent, divergent rulings. In July, the Second Circuit ruled that the federal government could not force Microsoft to turn over emails stored on the cloud -- or rather, Microsoft's server in Ireland. Just a week after an equally divided Second Circuit declined to rehear the case en banc, a U.S. district court in Philadelphia came to the opposite conclusion, ordering Google to comply with a warrant for documents stored on the cloud.
Can these two rulings be reconciled?
Courts Split on the SCA
At issue in both cases was the reach of the Stored Communications Act and the application of its warrant provisions to documents stored on the cloud. In the Microsoft case, the Second Circuit found that the SCA's warrant provisions had no extraterritorial reach:
The focus of those provisions is protection of a user's privacy interests. Accordingly, the SCA does not authorize a US court to issue and enforce an SCA warrant against a United States-based service provider for the contents of a customer's electronic communications stored on servers located outside the United States.
The District Court for the Eastern District of Pennsylvania went the other direction. In the Google case, the court ruled that, despite the data being pulled from abroad, "the conduct relevant to the SCA's focus," mainly, the inspection of the communications, "will occur in the United States."
Where Is Your Cloud?
The key distinction between the two cases was the type of cloud storage used. The "cloud," after all, isn't some amorphous data storage center in the sky -- it's just someone else's server far away. In the Microsoft case, the emails at issue were all stored on a server in Ireland. That allowed the court to locate the privacy concerns abroad, limiting the SCA's reach.
Google had a bit more complicated cloud. Google's data had no permanent residence, it seems. Google's system broke the emails into parts, storing those parts at various geographic points throughout its system and moving that data around with frequency. Google, unlike Microsoft, couldn't say where the requested information was. It could only say that it wasn't sure it was in the U.S. That allowed the court to place the SCA's privacy concerns in the U.S., where the information would be searched, and not abroad, allowing it to differentiate Google from Microsoft.
There's no final answer for the questions raised by these two rulings yet. But if there's a takeaway for practitioners at this time, it's that an SCA warrant's reach is more likely to be limited when the documents it targets are physically located outside the United States. Conversely, diffuse, transitory cloud storage may allow greater enforcement of SCA warrants.
Related Resources:
- Two Concerns Over Cloud-Based Software for Lawyers (FindLaw's Technologist)
- Is It Time for a Law Firm Cloud Computing Security Standard? (FindLaw's Technologist)
- Should Anyone Expect Privacy in the Cloud? (FindLaw's Technologist)