The Microsoft Ireland Case
The decision of the United States Court of Appeals for the Second Circuit in the case of Microsoft v US – otherwise known as Microsoft Ireland – has brought a breath of fresh air to the law relating to warranted searches for evidence online and whether those warrants can cover material located on servers in other jurisdictions – a concept known as extraterritoriality.
A search warrant was issued by the United States District Court for the Southern District of New York. It directed Microsoft to seize and produce the contents of an e-mail account it maintained for a customer. There was probable cause that the account was being used to further narcotics trafficking.
Microsoft, it must be emphasised, was not charged with any offence. It complied with the warrant as to data that was stored in the United States. However, to comply fully with the warrant it would need to access the customer’s content that was stored and maintained in its servers located in Ireland, and to import that data into the United States to deliver up to the Federal authorities. Microsoft moved to quash the warrant, but this was denied and the lower Court held Microsoft in civil contempt.
It is important to be aware of the legislative context. The warrant was issued under the provisions of the Stored Communications Act (SCA) which was enacted as Title II of the Electronic Communications Privacy Act 1986. The SCA is designed to protect the privacy of the contents of files stored by service providers and records held about subscribers by service providers.
It is also important to note that the SCA was passed in 1986 – thirty years ago when as the Court put it the “technological context was very difference from today’s Internet-saturated reality.” This context had a significant affect upon the way that the Court construed the Statute.
In addition the Federal Rules of Criminal Procedure limited the territorial scope of warrants to United States Territories, possessions or Commonwealth and the diplomatic missions and residencies of the United States in foreign countries.
The argument of the United States Government was based upon the concept of control of data and on that basis extended the reach of the warrant to premises owned, maintained or controlled by Microsoft. The concept of control for the purposes of discovery in civil proceedings may require a party to discover material in another jurisdiction, but could a search warrant have the same effect?
The starting point is the principle that the legislation enacted by Congress is meant to apply within the territorial jurisdiction of the United States unless a contrary intent clearly appears. This presumption is applied to protect against unintended clashes between US laws and those of other nations which could result in international discord. It was conceded that the warrant provisions of the SCA did not permit nor contemplate extraterritorial application. Indeed, the focus of the warrant provisions was upon protecting the privacy interest of users in their stored communications.
Under the focus on privacy if there were to be a warrant issued, the invasion of privacy would take place where the protected content of the customer was accessed which was in the Irish datacenter. That conduct – accessing the data – would take place outside the US, regardless of the fact that Microsoft was a US company. The Court held that the text of the statute, its legislative history, the use of the particular term “warrant” all lead to the conclusion that an SCA warrant could only apply to data held within the boundaries of the US.
It must be remembered that the decision is within the context of a particular statute which had a significant privacy purpose behind it. There are other ways to obatin the information sought such as the application of Mutual Assistance in Criminal Matters Treaties or the provisions of the Convention on Cybercrime 2001 – assuming a State is a signatory and has adopted those treaties into domestic law.
Applicability in New Zealand
Do the provisions of the Search and Surveillance Act 2012 have an extraterritorial reach in the case of computer searches.
Extraterritorial Searches?
There is one school of thought which says that it does, based on the very broad definition of a computer system which could conceivably include the Internet. A properly obtained warrant search warrant or remote access search warrant would allow an investigator to look for and locate data hosted in servers offshore.
In its considerations of search and surveillance procedures the Law Commission suggested that cross border searches could be specifically authorised under a search warrant. In my view that raises some very real difficulties, especially where there are no mutual assistance arrangements in place – although New Zealand has enacted the Mutual Assistance in Criminal Matters Act 1992. The proper course would be to use the provisions of that Act.
The Law Commission acknowledged that while principles of territorial sovereignty should be recognised to the maximum extent possible, observation of such principles may be impossible where the identity of the relevant jurisdiction is unknown.
The suggestion that search warrant authorisation would cure jurisdictional problems arising in a remote cross border search does not, in my view, solve the problem. The Law Commission suggested that if a remote cross border search was sought a warrant application:
(a) would require disclosure of that fact,
(b) that the search was or would likely to be a cross border search,
(c) together with the nature of any mutual assistance arrangements with the relevant country if the identity of that country was known.
Where a warrant was issued without specific authorisation for a cross border search, the enforcement agency would have to return to the issuing officer for further authorisation for a cross border search. Such a situation might become apparent in the course of executing the initial search warrant. This is the preferred option for the Law Commission given the “inconclusive state” of international law.
In the case of Stevenson v R, [2012] NZCA 189.the police applied for a search warrant addressed to Microsoft for records that were kept in the USA. The request was directed to Microsoft in New Zealand who forwarded it to the American parent. The appellant challenged the issue of the warrant. The court held as follows:
‘Fourth, Mr Haskett submits that the warrant issued against Microsoft should be ruled invalid and the evidence obtained from that source excluded. He relies on the same grounds advanced in support of the challenge to the search warrant, which we have rejected. Additionally, however, he submits that the warrant for Microsoft was invalid because it purported to authorise search in the United States of America. The answer to that submission is, as Mr Ebersohn points out, that the Summary Proceedings Act does not require a warrant to be limited to the New Zealand jurisdiction although of course it could not be practically enforced outside of New Zealand.’ [2012] NZCA 189 at [57]
Could this approach – without any developed reasoning – be applied under the Search and Surveillance Act and particularly to remote access searches? The determinative language of the court would suggest it does.
Using the Court’s reasoning in Stevenson a remote access warrant, like a warrant under the Summary Proceedings Act, may not be limited to the New Zealand jurisdiction. No reference to a presumption of territorial application – which was a significant feature in Microsoft Ireland – was mentioned. Indeed the reverse proposition seems to be the position – if the Summary Proceedings Act did not provide that a warrant be limited to New Zealand, it had extraterritorial effect. That flies directly in the fact of established principle which is that the statute must expressly authorise extraterritoral application.
A Forgotten Fundamental Principle of Law
But just because the technology allows it, should extraterritorial searches just happen? Should the issue of a search warrant allow an extraterritorial remote access search, and should the fruits thereof be admissible? A strict ‘crime control’ approach would suggest an affirmative response.
On the other hand a principled approach that recognises the broader issues of the Rule of Law must recognise that there is a customary international law prohibition on conducting investigations in the territory of another state. (see Michael A. Sussman, ‘The Critical Challenges from International High-tech and Computer-related Crime at the Millennium’ Duke Journal of Comparative & International Law Volume 9, Number 2 (Spring 1999), 451 – 489.)
Remote access searches may violate territorial integrity and, whatever the constitutional constraints that exist within the searching country, such searches are prohibited as violations of international law. Notwithstanding the utopian vision of a separate jurisdiction for cyberspace, the reality is that data has a physical location within the territorial jurisdiction of a state.
And this brings us back to the fundamental principle. It was stated by the Second Circuit Court of Appeals. I referred to it a couple of paragraphs ago. If a domestic law is to have extraterritorial effect the statute must clearly say so. It cannot have that effect by some back door interpretation of what amounts to a computer system. This principle of law is hardly “inconclusive”.
Section 144A of the Crimes Act 1961 (NZ) has extraterritorial effect. It deals with sexual conduct with children and young people outside New Zealand. It is clear a clear and unequivocal assertion of extraterritorial application.
It is perhaps astonishing that this elementary principle has been overlooked not only by the Law Commission but also by the Court of Appeal in R v Stevenson.
There are ways of conducting offshore searches both in the digital and real word spaces. The utilisation of Mutual Assistance Treaties under the 1992 Act is one way. Or perhaps it is time to consider adopting the Convention on Cybercrime to adopt a principled approach to the access of data offshore.