Sunteți pe pagina 1din 23

EXHIBIT A

Case 2:17-mj-01235-WED Filed 07/21/17 Page 1 of 23 Document 17-1


No. 2:17-MJ-01235-WED-1

IN THE
UNITED STATES DISTRICT COURT
FOR THE EASTERN DISTRICT OF WISCONSIN
UNITED STATES OF AMERICA,
v.
TWO EMAIL ACCOUNTS STORED AT GOOGLE INC.

BRIEF OF AMICI CURIAE MICROSOFT CORPORATION,


CISCO SYSTEMS, INC., AND APPLE INC. IN SUPPORT
OF GOOGLE INC.

Katharine Goodloe** Hannah Garden-Monheit*


James M. Garland** Robert M. Loeb**
Alexander A. Berengaut** ORRICK, HERRINGTON &
COVINGTON & BURLING LLP SUTCLIFFE LLP
One City Center 1152 15th Street NW
850 10th Street, NW Washington, DC 20005
Washington, DC 20001 (202) 339-8400
(202) 662-5066
E. Joshua Rosenkranz**
Brian P. Goldman**
Evan Rose**
ORRICK, HERRINGTON &
SUTCLIFFE LLP
51 West 52nd Street
New York, NY 10019
(212) 506-5000

Attorneys for Amicus Curiae Attorneys for Amici Curiae Microsoft


Microsoft Corporation Corporation, Cisco Systems, Inc., and
Apple Inc.
*indicates counsel of record
**indicates of counsel
Counsel for Amici Curiae
July 21, 2017

Case 2:17-mj-01235-WED Filed 07/21/17 Page 2 of 23 Document 17-1


TABLE OF CONTENTS

Page
TABLE OF AUTHORITIES ......................................................................................................... ii
INTERESTS OF AMICI CURIAE ................................................................................................. 1
INTRODUCTION ......................................................................................................................... 2
ARGUMENT ................................................................................................................................. 5
I. THE STORED COMMUNICATIONS ACT DOES NOT AUTHORIZE
WARRANTS FOR SEIZURE OF PRIVATE EMAILS STORED IN A
FOREIGN COUNTRY. ..................................................................................................... 5
A. The conduct relevant to the SCAs focus is intrusion on the privacy of
stored communications. ......................................................................................... 5

B. Executing a warrant seeking email content from a data center in a foreign


country would effect a law enforcement search and seizure on foreign soil. ........ 9

II. ONLY CONGRESS CAN DECIDE WHETHER AND HOW TO UPDATE THE
SCA. ................................................................................................................................. 14
CONCLUSION ............................................................................................................................ 17

-i-
Case 2:17-mj-01235-WED Filed 07/21/17 Page 3 of 23 Document 17-1
TABLE OF AUTHORITIES

Page(s)

Cases

Berger v. New York,


388 U.S. 41 (1967) ...................................................................................................................12

EEOC v. Arabian Am. Oil. Co.,


499 U.S. 244 (1991) ...................................................................................................................2

F. Hoffmann-La Roche Ltd. v. Empagran S.A.,


542 U.S. 155 (2004) .................................................................................................................15

In re Google Inc. Cookie Placement Consumer Privacy Litig.,


806 F.3d 125 (3d Cir. 2015).......................................................................................................8

Katz v. United States,


389 U.S. 347 (1967) .................................................................................................................12

Kyllo v. United States,


533 U.S. 27 (2001) ...................................................................................................................13

Loretto v. Teleprompter Manhattan CATV Corp.,


458 U.S. 419 (1982) .................................................................................................................11

Morrison v. Natl Austl. Bank Ltd.,


561 U.S. 247 (2010) .......................................................................................2, 3, 5, 7, 9, 13, 15

RJR Nabisco, Inc. v. European Cmty.,


136 S. Ct. 2090 (2016) ...........................................................................................................5, 7

Matter of Search of Content that is Stored at Premises Controlled by Google,


No. 16-MC-80263-LB, 2017 WL 1487625 (N.D. Cal. Apr. 25, 2017) .....................................2

Theofel v. Farey-Jones,
359 F.3d 1066 (9th Cir. 2004) ...................................................................................................8

United States v. Bach,


310 F.3d 1063 (8th Cir. 2002) .................................................................................................12

United States v. Comprehensive Drug Testing, Inc.,


621 F.3d 1162 (9th Cir. 2010) .................................................................................................12

United States v. Jacobsen,


466 U.S. 109 (1984) .................................................................................................................11

-ii-
Case 2:17-mj-01235-WED Filed 07/21/17 Page 4 of 23 Document 17-1
United States v. Verdugo-Urquidez,
494 U.S. 259 (1990) .................................................................................................................10

United States v. Warshak,


631 F.3d 266 (6th Cir. 2010) .........................................................................................9, 11, 12

Matter of Warrant to Search a Certain E-Mail Account Controlled & Maintained


by Microsoft Corp. (Microsoft I),
829 F.3d 197 (2d Cir. 2016).............................................................3, 4, 5, 6, 7, 8, 9, 12, 14, 15

Matter of Warrant to Search a Certain E-Mail Account Controlled & Maintained


by Microsoft Corp. (Microsoft II),
855 F.3d 53 (2d Cir. 2017).................................................................................8, 12, 13, 14, 17

In re Warrant to Search a Target Computer at Premises Unknown,


958 F. Supp. 2d 753 (S.D. Tex. 2013) .....................................................................................11

Constitutional Provisions

Fourth Amendment ..................................................................................................................10, 13

Statutes

Stored Communications Act, 18 U.S.C. 2701, et seq.


18 U.S.C. 2701 ....................................................................................................................6, 7
18 U.S.C. 2701(a) ...................................................................................................................7
18 U.S.C. 2702 ....................................................................................................................7, 8
18 U.S.C. 2702(a) ...................................................................................................................6
18 U.S.C. 2703 ........................................................................................................................7
18 U.S.C. 2703(a) ...............................................................................................................6, 7
18 U.S.C. 2703(g) ...........................................................................................................11, 13
18 U.S.C. 2707 ........................................................................................................................8

Other Authorities

Brief of Amicus Curiae Jan Philipp Albrecht, Member of the European


Parliament, Microsoft I, No. 14 2985, Dkt. 148 (2d Cir. Dec. 19, 2014) ..................................9

Letter from Mythili Raman, Acting Assistant Atty Gen., Criminal Div., U.S.
Dept of Justice, to Reena Raggi, Chair, Advisory Comm. on the Criminal
Rules (Sept. 18, 2013), https://perma.cc/MC3X-RPYH ..........................................................10

Restatement of Foreign Relations 432 cmt. b ...............................................................................9

U.S. Dept of Justice, Office of Legal Education, Executive Office for United
States Attorneys, Searching and Seizing Computers and Obtaining Electronic
Evidence in Criminal Investigations (2009), https://perma.cc/CK8H-R2RY .........................12

-iii-
Case 2:17-mj-01235-WED Filed 07/21/17 Page 5 of 23 Document 17-1
Council of Europes Convention on Cybercrime, Nov. 23, 2001, S. Treaty Doc.
108-11, 2296 U.N.T.S. 167 ......................................................................................................16

-iv-
Case 2:17-mj-01235-WED Filed 07/21/17 Page 6 of 23 Document 17-1
INTERESTS OF AMICI CURIAE

Amici Microsoft Corporation, Apple Inc., and Cisco Systems, Inc. are leading technology

companies that provide communications and cloud-based computing services and software to

more than one billion customers in more than 90 countries around the world. Customers entrust

Amici to securely store their private emails and the contents of other communications in data

centers. Certain Amici store some of those communications in data centers in foreign countries.

Microsoft, for example, stores European customers communications in a European data center

in order to reduce network delays and to allow customers faster access to their private

correspondence. The U.S. Governmentas well as state and local governmentsfrequently

serves some Amici with warrants issued under the Stored Communications Act (SCA). When

the data sought is stored in a U.S. data center, Amici regularly comply with such warrants. The

Government, however, has attempted to use such warrants to force some Amici to seize private

emails stored in a foreign country, without the consent of that country, and turn them over to the

Government. But the SCA does not authorize warrants that reach into other countries, and

forcing Amici to execute such searches on the Governments behalf would place Amici in the

position of being compelled to risk violating foreign data privacy laws.

When Microsoft was faced with such a warrant seeking private emails stored in Ireland, it

challenged the lawfulness of the warranta challenge supported by 28 technology and media

companies, 23 trade associations and advocacy groups, 35 of the nations leading computer

scientists, and the Republic of Ireland. The Second Circuit agreed with Microsoft that the SCA

does not authorize warrants seeking data stored on servers in foreign countries. That court

recognized, as do Amici, that the SCAa statute enacted when the internet was still in its

infancyneeds to be updated to both strengthen its protections of individual privacy in light of

1
Case 2:17-mj-01235-WED Filed 07/21/17 Page 7 of 23 Document 17-1
advances in technology and likewise ensure that those advances do not prevent law enforcement

from being able to do their jobs. But the court also correctly understood that any such

modernization must come from Congress, not the judiciary. Amici submit that this Court should

embrace the Second Circuits ruling and reject the magistrate judges contrary and flawed

approach.1

INTRODUCTION

This case addresses the reach of the Stored Communications Act, 18 U.S.C. 2701 et

seq., which Congress enacted as part of the Electronic Communications Privacy Act of 1986.

Technology has changed dramatically since the SCA became law. The Congress that drafted the

SCA could barely have imagined the notion of storing emails halfway across the globe. That is

why companies, commentators, and privacy advocates alike have long called for the SCA to be

updated in light of the realities of 21st century technology.

The question here, however, is the scope of the SCA as it now stands, not as Congress

might eventually revise it. As written today, the SCA does not contain a clear indication of an

extraterritorial application, and so, under the established presumption against extraterritoriality,

it has none. Morrison v. Natl Austl. Bank Ltd., 561 U.S. 247, 248 (2010).2 That presumption

ensures that courts do not apply statutes in ways that potentially risk unintended clashes

between our laws and those of other nations, EEOC v. Arabian Am. Oil. Co., 499 U.S. 244,

1
Amici are filing this brief with the consent of both parties. More information about individual
Amici is included in the motion for leave to file this brief.
2
The Government has conceded that the SCA does not include the type of clear indication of
congressional intent to regulate extraterritorially that is required to rebut the presumption against
extraterritoriality at step one of the Morrison analysis. See, e.g., Matter of Search of Content
that is Stored at Premises Controlled by Google, No. 16-MC-80263-LB, 2017 WL 1487625, at
*3 (N.D. Cal. Apr. 25, 2017) (The parties do not dispute that at [Morrison] step one, section
2703 and its warrant provisions do not contemplate or permit extraterritorial application.).

2
Case 2:17-mj-01235-WED Filed 07/21/17 Page 8 of 23 Document 17-1
248 (1991). Yet, notwithstanding its agreement that the SCA does not extend outside the United

States, the Government here seeks to use SCA warrants to do just that: reach into data centers in

other countries to seize private email content stored there. The magistrate judge, apparently

believing that granting the Government such power is sound policy, embraced the Governments

flawed argument that a warrant requiring a provider to seize and copy communications stored

overseas at the behest of the Government is a domestic act, so long as the service provider is

located in the United States and is within the courts in personam jurisdiction. But by focusing

solely on where the service provider is located and the location of disclosure to the Government,

the magistrate judge ignored the serious incursion on foreign sovereignty that occurs when a

service provider is compelled by the Government to access a foreign data center, and to copy and

import into the United States the private email content stored there.

To decide whether a statute is being applied outside the United States, the Supreme Court

has held that a court must determine the relevant focus of the statute. Morrison, 561 U.S. at 266-

67. The Second Circuit properly held that the statutory focus of the SCA is protecting the

privacy of communications in electronic storage. See Matter of Warrant to Search a Certain E-

Mail Account Controlled & Maintained by Microsoft Corp. (Microsoft I), 829 F.3d 197 (2d Cir.

2016). Accordingly, the court held that the Government could not use an SCA warrant to

retrieve email content stored in Ireland. The court recognized that the SCAs text, framework,

and history demonstrate that the relevant provisions focus on protecting the privacy of the

content of a users stored electronic communications, so the statute is applied wherever those

electronic communications are stored. Id. at 217. And because the SCA provides no clear

indication that it applies extraterritorially (as the Government agrees), the statutes provisions

apply to only domestically stored communications.

3
Case 2:17-mj-01235-WED Filed 07/21/17 Page 9 of 23 Document 17-1
Moreover, the Second Circuit properly rejected the fiction that a search and seizure of

foreign-stored communications is a domestic act just because the search and seizure can be

effected from inside the United States. Id. at 220. The relevant conduct is the seizure that

invades a persons privacy in their email content. Id. When a warrant seeks email content from

a foreign data center, that invasion of privacy occurs overseasin the place where the

customers private communications are stored, and where they are copied and from where they

are imported into the United States for the benefit of law enforcement.

The magistrate judges ruling rejecting the Second Circuits approach invites foreign

nations to reciprocate by invading Americans privacyby demanding, for example, that foreign

offices of U.S. technology companies turn over U.S. citizens private communications stored on

U.S. soil. It also places technology companies that store customer data abroad in the untenable

position of being compelled to risk violating foreign data privacy laws to comply with warrants

issued by U.S. courts. While there are difficult questions presented when the location of data is

potentially indeterminate, it is clear that when private email content can demonstrably be shown

to have been stored on a server in a data center in an identifiable foreign country, a service

providers execution of a search and seizure on the U.S. governments behalf is plainly

extraterritorial. Any other outcome would risk offending the sovereignty of the foreign nation

where the email content is stored and put U.S. companies in an untenable legal position between

conflicting legal regimes.

Only Congress can craft a comprehensive framework that takes account of both law

enforcements legitimate interests and foreign countries equally legitimate concerns. But

Congress has never addressed these fundamental questions of sovereigntynot in 1986, when it

enacted the SCA, nor at any point since. Congress should promptly update the SCA to reflect

4
Case 2:17-mj-01235-WED Filed 07/21/17 Page 10 of 23 Document 17-1
todays technological landscape. Until it does, however, courts may not extend the statute to

reach data stored in data centers located in another sovereign country.

ARGUMENT

I. THE STORED COMMUNICATIONS ACT DOES NOT AUTHORIZE


WARRANTS FOR SEIZURE OF PRIVATE EMAILS STORED IN A FOREIGN
COUNTRY.

A. The conduct relevant to the SCAs focus is intrusion on the privacy of stored
communications.

It is a basic premise of our legal system, RJR Nabisco, Inc. v. European Cmty.,

136 S. Ct. 2090, 2100 (2016), that [w]hen a statute gives no clear indication of an

extraterritorial application, it has none. Morrison, 561 U.S. at 248. Thus, at step one of the

Supreme Courts framework for assessing extraterritoriality, a court must ask whether the

statute clearly ha[s] extraterritorial effect[.] RJR Nabisco, 136 S. Ct. 2101. The

Government agrees that the SCA gives no such indication, and so it does not extend

extraterritorially. Simply put, nothing in the SCA purports to regulate or protect in any way

private communications stored overseas.

Because the presumption against extraterritoriality has not been rebutted, the question

here, then, is whether forcing a provider to execute a warrant in another country constitutes an

impermissible extraterritorial application of the SCA. The answer to that question turns on

identifying the conduct relevant to the statutes focus or the objects of the statutes

solicitude. RJR Nabisco, 136 S. Ct. at 2101; Morrison, 561 U.S. at 267. At this second step of

the extraterritoriality analysis, courts examine whether the relevant conduct implicating the

statutory focus occurs abroad. As the Second Circuit correctly held, the relevant location is

where emails are stored, because the focus of the SCAs warrant provisions is on protecting

users privacy interests in stored communications. Microsoft I, 829 F.3d at 220.

5
Case 2:17-mj-01235-WED Filed 07/21/17 Page 11 of 23 Document 17-1
The magistrate judge here failed to undertake the required careful examination of the

statutes focus. In fact, the decision never even cited Morrisonor any of the Supreme Courts

precedents on extraterritoriality. The magistrate judge simply accepted the Governments

assertion that the SCA confers in personam jurisdiction over internet service providers. That

argument misses the point: Jurisdiction over the service provider has nothing to do with

identifying the focus of the statute, or whether the conduct relevant to the SCAs focus occurs

abroad. Thus, the Government and the magistrate judge elided the key question of whether

Congress intended to authorize federal, state, and local law enforcement officers to compel a

service provider to execute an SCA search warrant for private communications stored in a

foreign country. The existence of jurisdiction over a service provider tells us that it is subject to

a lawfully issued warrant; it does not tell us whether the SCA authorizes such warrants to reach

into data centers in other countries.

As for the conduct relevant under the statute, the Government argued before the

magistrate judge (Br. 22) that the only relevant locus is in the United States, where the email

content is disclosed to the Government. This focus on disclosure, as opposed to the location of

the electronic storage from which a provider would be ordered to copy and retrieve customers

private communications, was, given the current structure of the law, properly rejected by the

Second Circuit. As that court held, the focus of the SCA is on the privacy of the stored

communications. Microsoft I, 829 F.3d at 217. The Governments arguments to the contrary are

wrong for several reasons.

First, the SCAs plain text makes clear that its focus is protecting against the accessing

and removal of private communication[s] in electronic storage. 18 U.S.C. 2702(a),

2703(a). The SCA begins with 2701, which makes it a violation to access[] without

6
Case 2:17-mj-01235-WED Filed 07/21/17 Page 12 of 23 Document 17-1
authorization a service providers servers and thereby obtain[] an electronic communication

while it is in electronic storageirrespective of whether the communication is ever disclosed.

Id. 2701(a). Section 2702 then prohibits providers from voluntarily disclosing private

communication[s] in electronic storage. And 2703 carves out certain exceptions from

2702 for when communication[s] in electronic storage can be revealed to law

enforcement. The Governments reading of the statute as focused exclusively on disclosure

would unmoor 2703 from these substantive provisions that cross-reference it and from which it

carves out limited law-enforcement exceptions. The thread that ties the statute together is the

protection of private stored electronic communications. Microsoft I, 829 F.3d at 217-18.

The Government contends (Br. 22) that 2703 must be viewed only in isolation, but the

Morrison framework requires consideration of interrelated statutory provisions in context. See

Morrison, 561 U.S. at 267 (considering, at Morrison step two, the Exchange Acts prologue,

related provisions of the Exchange Act, and a separate statute enacted by the same Congress

the Securities Act); see also RJR Nabisco, 136 S. Ct. at 2102, 2105 (considering, at Morrison

step one, RICOs substantive provisions in context). In any event, even taking 2703 in

isolation, law enforcement may require the disclosure of private electronic communications

only pursuant to a warrant, 2703(a) (emphasis added)an instrument that has historically

been limited to searches and seizures executed only domestically, and whose purpose is to

constrain, not facilitate, law-enforcement access to private communications.

Thus, the SCA reflects Congresss judgment that users have a legitimate interest in the

confidentiality of communications in electronic storage at a communications facility. Just as

trespass protects those who rent space from a commercial storage facility to hold sensitive

documents, the [SCA] protects users whose electronic communications are in electronic storage

7
Case 2:17-mj-01235-WED Filed 07/21/17 Page 13 of 23 Document 17-1
with an ISP. Theofel v. Farey-Jones, 359 F.3d 1066, 1072-73 (9th Cir. 2004) (citation omitted);

see also, e.g., In re Google Inc. Cookie Placement Consumer Privacy Litig., 806 F.3d 125, 145

(3d Cir. 2015) ([T]he Stored Communications Act was born from congressional recognition of

the need to protect against potential intrusions on individual privacy arising from illicit access

to large data banks that stored e-mails.) (emphasis added and internal quotation marks

omitted), cert. denied, 137 S. Ct. 36 (2016). Accordingly, [t]he better approach, which is

more in keeping with the Morrison analysis and the SCAs emphasis on data storage, is one that

looks to the step taken before disclosureaccessin determining privacys territorial locus.

Matter of Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft

Corp. (Microsoft II), 855 F.3d 53, 60 (2d Cir. 2017) (Carney, J., concurring in the denial of

rehearing en banc).

Second, if the relevant conduct were disclosure, as the Government asserts (Br. 22), the

SCA provision that prohibits providers from voluntarily disclosing customers communications

( 2702) would offer no protection against a U.S. service provider who copied a U.S. customers

U.S.-stored emails and willfully disclosed them to a foreign tabloid newspaper. So long as the

disclosure occurred overseas, the customer would have no recourse under 2702 and 2707 (the

SCAs private right of action). That cannot be right. The one thing Congress certainly sought to

protect when it enacted the SCA in 1986 was the privacy of U.S. customers electronic

communications stored within the United States. The statutes focus is on the protected stored

communications, not on disclosure, because [t]he primary obligations created by the SCA

protect the electronic communications. Microsoft I, 829 F.3d at 218. Indeed, [d]isclosure is

permitted only as an exception to those primary obligations[.] Id.

8
Case 2:17-mj-01235-WED Filed 07/21/17 Page 14 of 23 Document 17-1
Third, the magistrate judge erred by suggesting (Op. 10) that a customers protected

interest in stored emails is not infringed where a provider retrieves the email content from a data

center overseas and copies it at the Governments behest and without the customers permission.

Such an intrusion violates the customers reasonable expectation of privacy in a way that the

provider moving the customers data in order to ensure fast, secure service does not. See United

States v. Warshak, 631 F.3d 266, 286-87 (6th Cir. 2010) (holding that a service providers right

to access email for business purposes did not diminish the reasonableness of [the customers]

trust in the privacy of his emails). It also is in tension with foreign data protection and privacy

laws, which protect the customers privacy interests in email stored abroad. Thus, as the Second

Circuit held, the infringement is not limited to the disclosure, but rather occurs when the service

provider is required to collect [private email content] from servers located overseas and

import [it] into the United States. Microsoft I, 829 F.3d at 221.

B. Executing a warrant seeking email content from a data center in a foreign


country would effect a law enforcement search and seizure on foreign soil.

As explained further below, the international outrage the Governments actions have

provoked in similar cases only confirms that the relevant conduct for extraterritoriality purposes

is the compelled seizure and importation of emails stored abroad. The magistrate judges

assertion that stored email content lacks any location (Op. 7-8) does not withstand scrutiny. Of

course, data is stored on physical servers in data centers, and other sovereigns quite reasonably

view orders directing the copying and importing into the United States of data from servers

located in a data center within their territory as U.S. law enforcement activity on their shores.

See, e.g., Brief of Amicus Curiae Jan Philipp Albrecht, Member of the European Parliament,

Microsoft I, No. 14 2985, Dkt. 148 (2d Cir. Dec. 19, 2014). Indeed, they view it as an affront to

their sovereignty in much the same way that physically conducting law enforcement activity on

9
Case 2:17-mj-01235-WED Filed 07/21/17 Page 15 of 23 Document 17-1
foreign soil would violate their sovereignty and territorial integrity. See Restatement of Foreign

Relations 432 cmt. b; see also Morrison, 561 U.S. at 269 (The probability of incompatibility

with the applicable laws of other countries is a strong signal that Congress did not intend such a

foreign application). With good reason: Where a service provider is compelled to connect to

and electronically enter a foreign server and then copy and import private content data into the

United States, it is in essence effectuating a search and seizure on foreign soil on the

Governments behalf.3 Indeed, there is no question that if Government officials did exactly what

they are commandeering the service provider to do, the act would be deemed extraterritorial in

nature.4

Law enforcement agencies may not execute search warrants for property in foreign

countries at all: Any warrant issued by a judicial officer in this country would be a dead letter

outside the United States. United States v. Verdugo-Urquidez, 494 U.S. 259, 274 (1990). Thus,

a warrant issued under the SCA plainly would not authorize FBI officials to enter or access a

foreign data center themselves and seize customers emails. The crucial flaw with the magistrate

judges ruling is that it treats the SCA as a tool for forcing technology companies to do on the

3
This is not to suggest that the extraterritoriality inquiry is coextensive with the Fourth
Amendment. The question for purposes of the extraterritoriality analysis is not whether the
invasion of privacy has been justified by issuance of a warrant upon a finding of probable cause.
The question is where the relevant conducthere, the interference with the privacy of stored
communicationsoccurs. A search or seizure undoubtedly interferes with those
communications privacy, regardless of whether that interference is justified under the Fourth
Amendment.
4
The U.S. Department of Justice has recognized that a U.S. search warrant cannot authorize law
enforcement agents to remotely access electronic storage media located in another country
because to do so would be an extraterritorial application of U.S. law. See Letter from Mythili
Raman, Acting Assistant Atty Gen., Criminal Div., U.S. Dept of Justice, to Reena Raggi,
Chair, Advisory Comm. on the Criminal Rules 1, 4-5 (Sept. 18, 2013), https://perma.cc/MC3X-
RPYH.

10
Case 2:17-mj-01235-WED Filed 07/21/17 Page 16 of 23 Document 17-1
Governments behalf that which warrants do notand cannotempower Government agents to

do themselves.

Contrary to the Governments suggestion that a warrant issued under the SCA merely

functions like a subpoena for business records (Br. 9-10, 14-16), the SCA describes the

companys role in complying with the Governments demand as execut[ing the] search

warrant. 2703(g). In so doing, the service providercompelled to locate, seize, and copy the

private emails of its customerseffects a law enforcement search and seizure. See United States

v. Jacobsen, 466 U.S. 109, 113 (1984) (explaining that search or seizure conducted by a private

individual is treated as governmental action where that individual is acting as an agent of the

government). And when the customers private information is stored outside the United States,

executing the warrant requires the technology company to conduct, at the Governments behest,

a search and seizure in foreign territory. See In re Warrant to Search a Target Computer at

Premises Unknown, 958 F. Supp. 2d 753, 755 (S.D. Tex. 2013) (rejecting argument that

computer software that compiles data from a target computer and transmits it to agents in a

particular district effects a search only in that district).

Similarly, the intrusion upon customer privacy that the warrant authorizes occurs where

the provider, acting under orders from the Government, gathers up and copies customers private

communications from electronic storage. See Warshak, 631 F.3d at 288. Contrary to the

magistrate judges suggestion that there is no interference with a possessory interest of the

customer overseas when the customers private emails are copied and exported (Op. 10), such

actions are wholly inconsistent with the customers right to exclude and limit access to her

emails. See Loretto v. Teleprompter Manhattan CATV Corp., 458 U.S. 419 (1982). If a bank

opened a customers safe deposit box without the permission of the customer, copied the

11
Case 2:17-mj-01235-WED Filed 07/21/17 Page 17 of 23 Document 17-1
customers private letters stored in that box, and then shipped them to law enforcement, that

would no doubt be considered an extreme violation of the customers privacy and right to limit

access and control the letters. The same is true of the electronic communications at issue here.

The Governments (and the Second Circuit dissenters) attempt to avoid this conclusion

by characterizing emails as ephemeral, intangible property is unpersuasive. See, e.g., Microsoft

II, 855 F.3d at 61 (Jacobs, J., dissenting from denial of rehearing en banc). As the Second

Circuit correctly explained, data in fact has a physical location in a data center. Microsoft I,

829 F.3d at 220 n.28. That is common sense, and demonstrably true. And the Supreme Court

has recognized that intangible property can be seized even absent interference with any right of

access to that property. See Katz v. United States, 389 U.S. 347, 354 (1967) (listening to and

recording telephone booth conversations constituted both a search and a seizure); Berger v. New

York, 388 U.S. 41, 59 (1967) (electronic audio recording device seized communications,

conversations, or discussions when they were recorded). Moreover, four circuits have held that

copying electronic data effects a seizure of that data, and none has held otherwise. Microsoft I,

829 F.3d at 220; United States v. Comprehensive Drug Testing, Inc., 621 F.3d 1162, 1169 (9th

Cir. 2010) (en banc); Warshak, 631 F.3d at 284; United States v. Bach, 310 F.3d 1063, 1065,

1067 (8th Cir. 2002). Indeed, the Government has acknowledged that, where law enforcement

agents themselves execute a warrant for private electronic data, a search occurs even before they

review that data.5 The result is no different when a service provider is compelled to connect to a

foreign server, copy data stored overseas, and then import it to the United States on the

5
U.S. Dept of Justice, Office of Legal Education, Executive Office for United States Attorneys,
Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations
113 (2009), https://perma.cc/CK8H-R2RY (Where the service provider lacks the ability or will
to comply with [SCA warrant] agents must search the providers computers themselves.).

12
Case 2:17-mj-01235-WED Filed 07/21/17 Page 18 of 23 Document 17-1
Governments behalf. The act is a search and seizure on foreign soil, irrespective of where the

retrieval is initiated or where the disclosure later occurs.

It is no answer to say, as the magistrate judge did (Op. 8), that the SCA warrant compels

action by a service provider taken from within the United States. Remote access to electronically

enter a data center in a foreign country does not change where the data is located, copied, and

imported into the United Statesthe acts necessary for execution of a search warrant that

intrude on foreign sovereignty. 2703(g). To analogize to a Fourth Amendment question, when

an agent points a thermal imaging sensor at a house from the passenger seat of [his] vehicle

across the street, the search is in the house, not in the car or the exterior wall. Kyllo v. United

States, 533 U.S. 27, 30, 35 & n.2 (2001).

The same intrusion on privacy occurs when the Government forces a service provider to

connect to its overseas servers, seize and copy private customer email content from those foreign

servers, and import it into the United States to be turned over to a law enforcement agency

whether or not the service provider can accomplish this task from a terminal based in the United

States. [C]alling such an application domestic because the command to retrieve the data is

issued from within the United States or the data is turned over within the United States runs

roughshod over the concerns that undergird the Supreme Courts strong presumption against

extraterritoriality. Microsoft II, 855 F.3d at 58 (Carney, J., concurring); see also Morrison,

561 U.S. at 266 (the mere presence of some domestic activity does not render a particular

application of the statute domestic).

The magistrate judge also suggested that the nature of the intrusion might depend on the

specifics of the email providers network architecture. See Op. 8, 10. The court described

Googles email storage system as a state-of-the-art intelligent network [that] automatically

13
Case 2:17-mj-01235-WED Filed 07/21/17 Page 19 of 23 Document 17-1
moves data from one location to another frequently, and held that as a result, the location

where data is stored at any given moment is so abstruse that even Google sometimes cannot

determine whether the data is located inside the United States. Op. 8 (quotation marks omitted).

Even assuming that were true, it would at most raise a question of how to assess the issue of

extraterritoriality under the facts of the case. The Supreme Court has invoked the presumption

against extraterritoriality in contexts where the subject of the law at issue was clearly in an

identifiable foreign country.

The court will have to assess Googles assertions about the architecture of its system and

whether data in that system can be said to have a particularized location outside the boundaries

of the United States. However, where data is in fact located in an identifiable foreign country,

then, as the Second Circuit held, the execution of a warrant in that foreign country to copy and

export the data is extraterritorial, and requires a clear statement from Congress. This Court

should not embrace any rationale to the contrary.

II. ONLY CONGRESS CAN DECIDE WHETHER AND HOW TO UPDATE THE
SCA.

The Microsoft II dissenters viewin essence adopted by the magistrate judge herethat

only the place of disclosure is relevant, was largely animated by their concerns for the practical

needs of law enforcement in todays era of global communications. See, e.g., Microsoft II, 855

F.3d at 63-65 (Cabranes, J., dissenting from denial of rehearing en banc). But the Supreme

Court established the presumption against extraterritoriality precisely to defer to Congresss sole

prerogative to decide when it becomes necessary or proper for its statutes to be extended

overseas. Courts, unlike Congress, are inherently limited by the information provided by

litigants in a particular case, Microsoft I, 829 F.3d at 232 (Lynch, J., concurring), and are

therefore ill-equipped to address countervailing concerns of foreign sovereignty and international

14
Case 2:17-mj-01235-WED Filed 07/21/17 Page 20 of 23 Document 17-1
comity. The presumption against extraterritoriality therefore cautions courts to assume that

legislators take account of the legitimate sovereign interests of other nations when they write

American laws. It thereby helps the potentially conflicting laws of different nations work

together in harmonya harmony particularly needed in todays highly interdependent

commercial world. F. Hoffmann-La Roche Ltd. v. Empagran S.A., 542 U.S. 155, 164-65

(2004). How those foreign relations concerns should be balanced against the needs of law

enforcement to obtain data stored in other countries is a policy question that only Congress can

address.

Amici fully agree with Judge Lynch, concurring in Microsoft I, that the statute should be

revised [by Congress], with a view to maintaining and strengthening [its] privacy protections,

rationalizing and modernizing the provisions permitting law enforcement access to stored

electronic communications and other data where compelling interests warrant it, and clarifying

the international reach of those provisions after carefully balancing the needs of law enforcement

against the interests of other sovereign nations. 829 F.3d at 233. Congress has any number

of possible revisions it might want to consider, including pending bipartisan legislation that

would improve upon the existing MLAT process in order to better facilitate bilateral foreign

cooperation. But as enacted, the SCAs provisions apply only to electronic communications

stored here, just as other countries laws regulate electronic communications stored there. The

Court must apply these provisions as enacted, not attempt to discern whether Congress would

have wanted the statute to apply abroad had it foreseen that global electronic communications

would present these challenges. Morrison, 561 U.S. at 255 (emphasis added).

By permitting U.S. law enforcement agencies to force service providers to retrieve and

turn over data stored in foreign countries, without those foreign countries consent, the

15
Case 2:17-mj-01235-WED Filed 07/21/17 Page 21 of 23 Document 17-1
magistrate judges decision raises the very concerns identified in Morrison. So bold a projection

of U.S. law enforcement power into foreign countries would show disdain for those countries

sovereignty and threaten to disrupt the harmony existing between the United States and other

nations. It also disregards the carefully calibrated, comity-protective framework established

through mutual legal assistance treaties and other bilateral agreements. And it might put service

providers in the untenable position of being forced to violate foreign privacy law in order to

comply with warrants issued by U.S. courts.

Authorizing such wide-ranging international warrants would also invite foreign nations to

reciprocate, demanding unilateral access to communications stored in the United States without

regard for U.S. law. The United States would have little ground to object if Russia or China or

Saudi Arabia instructed a service provider operating within its territory to turn over private

electronic communications stored within the United States, without the permission of the United

States and without any warrant issued by a domestic court. After all, under the magistrate

judges reasoning, that would be a purely domestic act by that foreign nation. These potentially

disruptive outcomes underscore why only Congress has the authority and competence to balance

law enforcement needs against the United States relations with foreign nations, the privacy of its

citizens, and the competitiveness of its technology industry.

Congress has not, to date, authorized local, state, and federal law enforcement to

unilaterally compel a service provider to import private emails stored overseas.6 By design[ing

6
The Government suggests (Br. at 16-20) that Congress authorized such unilateral action when
the Senate ratified the Council of Europes Convention on Cybercrime, Nov. 23, 2001, S. Treaty
Doc. 108-11, 2296 U.N.T.S. 167. That argument is unavailing for two reasons. First, the fact
that the Senate ratified the Convention in 2006 on the understanding that unspecified domestic
laws fulfilled U.S. obligations under the Convention says nothing about the meaning or reach of
the SCA. Second, as Google explains (Br. 11-14), the Convention is not properly read to apply

16
Case 2:17-mj-01235-WED Filed 07/21/17 Page 22 of 23 Document 17-1
the statute] afresh, Congress could address todays data realities while remaining cognizant

of the mobility of data and the varying privacy regimes of concerned sovereigns, as well as the

potentially conflicting obligations placed on global service providers. Microsoft II, 855 F.3d at

60 (Carney, J., concurring). Until Congress does so, however, compelling service providers to

search and seize communications stored on servers located in foreign countries remains an

impermissible extraterritorial application of U.S. law.

CONCLUSION

For the foregoing reasons, the magistrate judges order should be vacated.

Dated: July 21, 2017 Respectfully submitted,

By: /s/ Hannah Garden-Monheit


Hannah Garden-Monheit
(N.Y. Bar No. 5379219)*
ORRICK, HERRINGTON & SUTCLIFFE LLP
1152 15th Street NW
Washington, DC 20005
hgarden-monheit@orrick.com
Telephone: (202) 339-8400
Fax: (202) 339-8500

Counsel of Record for Amici Curiae


Microsoft Corporation, Apple Inc., and
Cisco Systems, Inc.

*Not yet admitted in the District of


Columbia, but supervised by Orrick
partners who are admitted in the District of
Columbia

to transborder searches and seizures of private email content where a service provider is
compelled to execute a warrant on the Governments behalf.

17
Case 2:17-mj-01235-WED Filed 07/21/17 Page 23 of 23 Document 17-1