Is Microsoft's Court Win a Milestone in Protecting User Privacy?

CONCLUSION (III)

Despite ultimately agreeing with the result in this case, I dwell on the reasons for thinking it close because the policy concerns raised by the government are significant, and require the attention of Congress. I do not urge that Congress write the government’s interpretation into the Act. That is a policy judgment on which my own views have no particular persuasive force. My point is simply that the main reason that both the majority and I decide this case against the government is that there is no evidence that Congress has ever weighed the costs and benefits of authorizing court orders of the sort at issue in this case. The SCA became law at a time when there was no reason to do so. But there is reason now, and it is up to Congress to decide whether the benefits of permitting subpoena-like orders of the kind issued here outweigh the costs of doing so.

Moreover, while I do not pretend to the expertise necessary to advocate a particular answer to that question, it does seem to me likely that a sensible answer will be more nuanced than the position advanced by either party to this case. As indicated above, I am skeptical of the conclusion that the mere location abroad of the server on which the service provider has chosen to store communications should be controlling, putting those communications beyond the reach of a purely “domestic” statute. That may be the default position to which a court must revert in the absence of guidance from Congress, but it is not likely to constitute the ideal balance of conflicting policy goals. Nor is it likely that the ideal balance would allow the government free rein to demand communications, wherever located, from any service provider, of whatever nationality, relating to any customer, whatever his or her citizenship or residence, whenever it can establish probable cause to believe that those communications contain evidence of a violation of American criminal law, of whatever degree of seriousness. Courts interpreting statutes that manifestly do not address these issues cannot easily create nuanced rules: the statute either applies extraterritorially or it does not; the particular demand made by the government either should or should not be characterized as extraterritorial. Our decision today is thus ultimately the application of a default rule of statutory interpretation to a statute that does not provide an explicit answer to the question before us. It does not purport to decide what the answer should be, let alone to impose constitutional limitations on the range of solutions Congress could consider.

Congress need not make an all-or-nothing choice. It is free to decide, for example, to set different rules for access to communications stored abroad depending on the nationality of the subscriber or of the corporate service provider. It could provide for access to such information only on a more demanding showing than probable cause, or only (as with wiretapping) where other means of investigation are inadequate, or only in connection with investigations into extremely serious crimes rather than in every law enforcement context. Or it could adopt other, more creative solutions that go beyond the possibilities evident to federal judges limited by their own experience and by the information provided by litigants in a particular case.

In addition, Congress need not limit itself to addressing the particular question raised by this case. The SCA was adopted in 1986, at a time when the kinds of services provided by “remote computing services” were not remotely as extensive and complex as those provided today, and when the economic and security concerns presented by such services were not remotely as important as they are now. More than a dozen years ago, a leading commentator was expressing the need to reform the Act. See Kerr, A User’s Guide, supra, at 1233–42. It would seem to make sense to revisit, among other aspects of the statute, whether various distinctions, such as those between communications stored within the last 180 days and those that have been held longer, between electronic communication services and remote computing services, or between disclosures sought with or without notice to the customer, should be given the degree of significance that the Act accords them in determining the level of privacy protection it provides, or whether other factors should play some role in that determination.[8]

Congress has, in the past, proven adept at adopting rules for adapting the basic requirements of the Fourth Amendment to new technologies. The wiretapping provisions of Title III of the Omnibus Crime Control and Safe Streets Act of 1968, 18 U.S.C. §§ 2510–22, for example, proved to be a remarkably stable and effective structure for dealing with the privacy and law enforcement issues raised by electronic surveillance in the telephone era. More recently, Congress was able to address the concerns presented by the mass acquisition of metadata by the National Security Agency by creating a more nuanced statute than that which the NSA had claimed as authority for its actions. See ACLU v. Clapper, 804 F.3d 617, 620 (2d Cir. 2015), discussing the USA FREEDOM Act of 2015, Pub. L. No. 114-23, 129 Stat. 268 (2015). I fully expect that the Justice Department will respond to this decision by seeking legislation to overrule it. If it does so, Congress would do well to take the occasion to address thoughtfully and dispassionately the suitability of many of the statute’s provisions to serving contemporary needs. Although I believe that we have reached the correct result as a matter of interpreting the statute before us, I believe even more strongly that the statute should be revised, with a view to maintaining and strengthening the Act’s privacy protections, rationalizing and modernizing the provisions permitting law enforcement access to stored electronic communications and other data where compelling interests warrant it, and clarifying the international reach of those provisions after carefully balancing the needs of law enforcement (particularly in investigations addressing the most serious kinds of transnational crime) against the interests of other sovereign nations.

* * *

For these reasons, I concur in the result, but without any illusion that the result should even be regarded as a rational policy outcome, let alone celebrated as a milestone in protecting privacy.

[8] As the Court notes, Majority Op. at 28 n.23, the House of Representatives recently passed a bill amending the SCA’s required disclosure provisions. Email Privacy Act, H.R. 699, 114th Cong. § 3 (2016). That bill would require the government to obtain a warrant before it can compel the disclosure of the contents of any electronic communication “stored, held, or maintained” by either an electronic communication service or (under certain circumstances) a remote computing service, no matter the length of the period of storage. Id. It does not, however, address those provisions’ extraterritorial reach or significantly modernize the statute’s structure. See Kerr, The Next Generation, supra, at 386–89 (criticizing a proposal similar to the Email Privacy Act for “work[ing] within [the SCA’s] outdated framework”). As of this writing, the Senate has not taken any action on the bill.