Off-Shore Search Warrants

The Microsoft Ireland Case

The decision of the United States Court of Appeals for the Second Circuit in the case of Microsoft v US – otherwise known as Microsoft Ireland – has brought a breath of fresh air to the law relating to warranted searches for evidence online and whether those warrants can cover material located on servers in other jurisdictions – a concept known as extraterritoriality.

A search warrant was issued by the United States District Court for the Southern District of New York. It directed Microsoft to seize and produce the contents of an e-mail account it maintained for a customer. There was probable cause that the account was being used to further narcotics trafficking.

Microsoft, it must be emphasised, was not charged with any offence. It complied with the warrant as to data that was stored in the United States. However, to comply fully with the warrant it would need to access the customer’s content that was stored and maintained in its servers located in Ireland, and to import that data into the United States to deliver up to the Federal authorities. Microsoft moved to quash the warrant, but this was denied and the lower Court held Microsoft in civil contempt.

It is important to be aware of the legislative context. The warrant was issued under the provisions of the Stored Communications Act (SCA) which was enacted as Title II of the Electronic Communications Privacy Act 1986. The SCA is designed to protect the privacy of the contents of files stored by service providers and records held about subscribers by service providers.

It is also important to note that the SCA was passed in 1986 – thirty years ago when as the Court put it the “technological context was very difference from today’s Internet-saturated reality.” This context had a significant affect upon the way that the Court construed the Statute.

In addition the Federal Rules of Criminal Procedure limited the territorial scope of warrants to United States Territories, possessions or Commonwealth and the diplomatic missions and residencies of the United States in foreign countries.

The argument of the United States Government was based upon the concept of control of data and on that basis extended the reach of the warrant to premises owned, maintained or controlled by Microsoft. The concept of control for the purposes of discovery in civil proceedings may require a party to discover material in another jurisdiction, but could a search warrant have the same effect?

The starting point is the principle that the legislation enacted by Congress is meant to apply within the territorial jurisdiction of the United States unless a contrary intent clearly appears. This presumption is applied to protect against unintended clashes between US laws and those of other nations which could result in international discord. It was conceded that the warrant provisions of the SCA did not permit nor contemplate extraterritorial application. Indeed, the focus of the warrant provisions was upon protecting the privacy interest of users in their stored communications.

Under the focus on privacy if there were to be a warrant issued, the invasion of privacy would take place where the protected content of the customer was accessed which was in the Irish datacenter. That conduct – accessing the data – would take place outside the US, regardless of the fact that Microsoft was a US company. The Court held that the text of the statute, its legislative history, the use of the particular term “warrant” all lead to the conclusion that an SCA warrant could only apply to data held within the boundaries of the US.

It must be remembered that the decision is within the context of a particular statute which had a significant privacy purpose behind it. There are other ways to obatin the information sought such as the application of Mutual Assistance in Criminal Matters Treaties or the provisions of the Convention on Cybercrime 2001 – assuming a State is a signatory and has adopted those treaties into domestic law.

Applicability in New Zealand

Do the provisions of the Search and Surveillance Act 2012 have an extraterritorial reach in the case of computer searches.

Extraterritorial Searches?

There is one school of thought which says that it does, based on the very broad definition of a computer system which could conceivably include the Internet. A properly obtained warrant search warrant or remote access search warrant would allow an investigator to look for and locate data hosted in servers offshore.

In its considerations of search and surveillance procedures the Law Commission suggested that cross border searches could be specifically authorised under a search warrant. In my view that raises some very real difficulties, especially where there are no mutual assistance arrangements in place – although New Zealand has enacted the Mutual Assistance in Criminal Matters Act 1992. The proper course would be to use the provisions of that Act.

The Law Commission acknowledged that while principles of territorial sovereignty should be recognised to the maximum extent possible, observation of such principles may be impossible where the identity of the relevant jurisdiction is unknown.

The suggestion that search warrant authorisation would cure jurisdictional problems arising in a remote cross border search does not, in my view, solve the problem. The Law Commission suggested that if a remote cross border search was sought a warrant application:

(a) would require disclosure of that fact,

(b) that the search was or would likely to be a cross border search,

(c) together with the nature of any mutual assistance arrangements with the relevant country if the identity of that country was known.

Where a warrant was issued without specific authorisation for a cross border search, the enforcement agency would have to return to the issuing officer for further authorisation for a cross border search. Such a situation might become apparent in the course of executing the initial search warrant. This is the preferred option for the Law Commission given the “inconclusive state” of international law.

In the case of Stevenson v R, [2012] NZCA 189.the police applied for a search warrant addressed to Microsoft for records that were kept in the USA. The request was directed to Microsoft in New Zealand who forwarded it to the American parent. The appellant challenged the issue of the warrant. The court held as follows:

‘Fourth, Mr Haskett submits that the warrant issued against Microsoft should be ruled invalid and the evidence obtained from that source excluded. He relies on the same grounds advanced in support of the challenge to the search warrant, which we have rejected. Additionally, however, he submits that the warrant for Microsoft was invalid because it purported to authorise search in the United States of America. The answer to that submission is, as Mr Ebersohn points out, that the Summary Proceedings Act does not require a warrant to be limited to the New Zealand jurisdiction although of course it could not be practically enforced outside of New Zealand.’ [2012] NZCA 189 at [57]

Could this approach – without any developed reasoning – be applied under the Search and Surveillance Act and particularly to remote access searches? The determinative language of the court would suggest it does.

Using the Court’s reasoning in Stevenson a remote access warrant, like a warrant under the Summary Proceedings Act, may not be limited to the New Zealand jurisdiction. No reference to a presumption of territorial application – which was a significant feature in Microsoft Ireland – was mentioned. Indeed the reverse proposition seems to be the position – if the Summary Proceedings Act did not provide that a warrant be limited to New Zealand, it had extraterritorial effect. That flies directly in the fact of established principle which is that the statute must expressly authorise extraterritoral application.

A Forgotten Fundamental Principle of Law

But just because the technology allows it, should extraterritorial searches just happen? Should the issue of a search warrant allow an extraterritorial remote access search, and should the fruits thereof be admissible? A strict ‘crime control’ approach would suggest an affirmative response.

On the other hand a principled approach that recognises the broader issues of the Rule of Law must recognise that there is a customary international law prohibition on conducting investigations in the territory of another state. (see Michael A. Sussman, ‘The Critical Challenges from International High-tech and Computer-related Crime at the Millennium’ Duke Journal of Comparative & International Law Volume 9, Number 2 (Spring 1999), 451 – 489.)

Remote access searches may violate territorial integrity and, whatever the constitutional constraints that exist within the searching country, such searches are prohibited as violations of international law. Notwithstanding the utopian vision of a separate jurisdiction for cyberspace, the reality is that data has a physical location within the territorial jurisdiction of a state.

And this brings us back to the fundamental principle. It was stated by the Second Circuit Court of Appeals. I referred to it a couple of paragraphs ago. If a domestic law is to have extraterritorial effect the statute must clearly say so. It cannot have that effect by some back door interpretation of what amounts to a computer system. This principle of law is hardly “inconclusive”.

Section 144A of the Crimes Act 1961 (NZ) has extraterritorial effect. It deals with sexual conduct with children and young people outside New Zealand. It is clear a clear and unequivocal assertion of extraterritorial application.

It is perhaps astonishing that this elementary principle has been overlooked not only by the Law Commission but also by the Court of Appeal in R v Stevenson.

There are ways of conducting offshore searches both in the digital and real word spaces. The utilisation of Mutual Assistance Treaties under the 1992 Act is one way. Or perhaps it is time to consider adopting the Convention on Cybercrime to adopt a principled approach to the access of data offshore.

Cybersearches – Computer and Remote Access Searches

In 2007 the New Zealand Law Commission released an extensive report on search and surveillance laws and suggested that all then rules relating to searches be incorporated in an omnibus piece of legislation.

The subsequent enactment of the Search and Surveillance Act 2012 was not without controversy, but it is not the purpose of this post to discuss that. Of particular interest in the new legislation are the provisions governing computer searches and, more significantly, remote access searches – that is searches of remotely located data. What the legislation does not cover is how data that has been seized may be handled, examined and dealt with, together with the implications of the “plain view” doctrine which has been incorporated in the Act.

The Act is seen as an all-embracing piece of legislation. Its purpose is set out in s 5. It modernises the law of search, seizure and surveillance. It takes into account advances in technologies and regulates the use of those technologies in the process of search, seizure and surveillance. It emphasises the importance of the provisions of the New Zealand Bill of Rights Act 1990, the Privacy Act 1993 and the Evidence Act 2006, and recognises that the exercise of coercive powers by the state should be subject to clear and principled controls. The Act also ensures that investigative tools are effective and adequate for law enforcement needs.

Prior to the Act, the law relating to search and seizure was framed as if most information was held in hard copy. The recognition of the existence of electronic information was partial and inadequate. This created difficulties for law enforcement agencies in obtaining evidence needed to prosecute and convict offenders. The Law Commission observed that a search and seizure regime that clearly provided for access to and preservation of computer based information in a form that could be used in court was long overdue.

The paper that follows considers the structure of the search and seizure provisions as they relate to data and to computer systems. I shall then comment upon whether or not these provisions provide the answer to the problems identified by the Law Commission. It will be argued that although the legislation provides generalised solutions, considerable care will have to be undertaken by the authority seeking a search warrant and the officer issuing a search warrant to ensure that:

(a) the warrant is properly issued,

(b) it is properly grounded in terms of the pre-requisites before the issue of a search warrant, and

(c) it properly describes the target or subject of the search.

These issues will involve, at times, a consideration of the way in which a particular technology operates or the use of programs that are employed, especially in the field of remote searches.

The issue of data acquisition by search can often involve large quantities of data some of which will be relevant and some irrelevant. The Act does not address any processes that should be undertaken in assessing relevance or protecting privilege, although ss 136 to 147 of the Act address issues of privilege and confidentiality. This is in contrast to the procedures that are in place for example for examination orders. These are quite specific in terms of process and the provision of protections. The vexed question of remote access will be considered together with a discussion of issues arising in the context of extraterritorial searches. I shall consider the applicability of the ‘plain view’ doctrine as it applies to computer searches, and some of the problems that arise from Cloud based materials.