NW software giant Microsoft is in federal court today over the privacy of emails. The issue revolves around the protection of emails held outside U.S. borders and whether a US warrant can force access. Below is a defense of email privacy by Brad Smith who represents general counsel for Microsoft.
By Brad Smith
Microsoft will oppose the U.S. government at a hearing in federal court in New York, arguing that it can’t force American tech companies to turn over customer emails stored exclusively in company data centers in other countries. This dispute should be important to you if you use email, because it could well turn on who owns your email—you or the company that stores it in the cloud. In December the government sent Microsoft a search warrant seeking a consumer’s emails as part of a narcotics investigation. While the company appreciates the vital importance of public safety, it seeks to ensure that governments access customers’ communications only through a valid legal process. In this case, the emails are stored in Dublin, Ireland, where Microsoft maintains a data center to service some of its customers outside the U.S.
Microsoft believes you own emails stored in the cloud, and that they have the same privacy protection as paper letters sent by mail. This means, in our view, that the U.S. government can obtain emails only subject to the full legal protections of the Constitution’s Fourth Amendment. It means, in this case, that the U.S. government must have a warrant. But under well-established case law, a search warrant cannot reach beyond U.S. shores.
The government seeks to sidestep these rules, asserting that emails you store in the cloud cease to belong exclusively to you. In court filings, it argues that your emails become the business records of a cloud provider. Because business records have a lower level of legal protection, the government claims that it can use its broader authority to reach emails stored anywhere in the world.
Courts have long recognized the distinction between a company’s business records and an individual’s personal communications. For example, the government can serve a subpoena on UPS to disclose business records that show where a customer shipped packages, but it must establish probable cause and get a warrant from a judge to look at what a customer put inside.
Similarly, the government can use a subpoena to obtain bank records that show when a customer accessed a safe-deposit box, but it needs a warrant to search the private papers kept inside. It may subpoena the business records containing a hotel’s guest registry, but it cannot take the diary in a guest’s hotel-room drawer except through a legal search and seizure.
Even under current rules for telephone calls, the government can more readily obtain the metadata contained in company records about who called what phone numbers and when than it can listen to an individual’s conversations. For that it needs a court order.
Microsoft believes the higher legal protection for personal conversations should be preserved for new forms of digital communication, such as emails or text and instant messaging.
It’s worth heeding the words of a unanimous Supreme Court last month when it concluded that the police must get a warrant from a court before searching a cellphone. As Chief Justice John Roberts wrote in Riley v. California, an individual’s emails and electronic files contain “[t]he sum of an individual’s private life,” including “a record of all his communications,” “a thousand photographs,” and materials like “a prescription, a bank statement, a video.” The court concluded that an individual’s email account is an electronic “cache of sensitive personal information” that is entitled to the highest level of Constitutional privacy protection.
The company’s case in New York’s federal court involves not only vital constitutional principles, but important practical considerations as well. If the U.S. government prevails in reaching into other countries’ data centers, other governments are sure to follow. One already is. Earlier this month the British government passed a law asserting its right to require tech companies to produce emails stored anywhere in the world. This would include emails stored in the U.S. by Americans who have never been to the U.K.
It’s hard to believe that the American people will blithely accept that foreign governments can obtain their emails stored in U.S. data centers without letting them know or notifying the U.S. government. Yet the U.S. government is taking precisely this position toward emails stored in Microsoft’s data center in Ireland.
Microsoft believes the public gets it. The company recently commissioned a poll by Anzalone Liszt Grove Research that found 83% of American voters believe personal information stored in the cloud deserves the same protections as personal information stored on paper.
This makes the equation clear. Technology should advance. But timeless values should endure, and digital common sense should prevail.