A U.S. judge has ordered Google to hand over emails stored outside the country in order to comply with an FBI search warrant. The warrant in question pertains to a domestic fraud probe.
The ruling is notable because it goes against an appeals court judgement last year — recently upheld — pertaining to Microsoft customer data held in servers outside the US. In that instance a federal court ruled the company did not have to hand over data stored on its servers in Ireland to the US government, declining to “disregard the presumption against extraterritoriality,” as the judge put it.
However in the Google case, U.S. Magistrate Judge Thomas Rueter ruled on Friday that the act of transferring emails from a foreign server did not qualify as a seizure. According to Reuters, the judge ruled there is no “meaningful interference” with the account holder’s “possessory interest”, going on to assert that any privacy infringement occurs “at the time of disclosure in the United States”, rather than when the data itself is transferred.
Google’s legal team had sought to use the Microsoft ruling as precedent to challenge the warrant’s scope. The company had turned over data that was stored in the US only. In a statement it said it will be appealing the judgement. “The magistrate in this case departed from precedent, and we plan to appeal the decision. We will continue to push back on overbroad warrants,” it said.
Both cases involve warrants issued under a 1986 federal law called the Stored Communications Act, which — as you can imagine, given its date-stamp — has long been described as a “woefully outdated” piece of legislation vs the technology it is now being used to regulate.
The judge in the recent Microsoft appeals case wrote that the Act is “overdue for a congressional revision that would continue to protect privacy but would more effectively balance concerns of international comity with law enforcement needs and service provider obligations in the global context in which this case arose”.
The Department of Justice certainly appears intent on applying pressure on Congress via multiple cases in the courts — pressing the question of where the line should be drawn on extraterritoriality applications to access stored data.
And with the confusion of conflicting legal judgements being issued in circuit courts, there will be growing pressure for clarity — either by Congress revising the legislation, or by cases being pushed to the Supreme Court for a definitive ruling.
For privacy advocates this data access tug-of-war remains one to watch. Not least given that any concrete moves to expand the scope of domestic warrants outside the US could undermine international treaties by conflicting with data protection laws elsewhere. While, on the flip side, any legal clarity limiting the jurisdiction of search warrants to data stored domestically could push US legislators towards data localization rules.
In one related development late last year, Congress approved a controversial Supreme Court rule change expanding FBI search powers by enabling a judge to sign off a warrant for searches outside their own district — which could in theory be used to issue remote access warrants for the FBI to hack devices that are physically located out of their jurisdiction or even overseas.
Critics argued a procedural change was being used to push through hugely expanded powers for state agents.