Microsoft wins: Court rules feds can’t use SCA to nab overseas data

In a case closely watched by much of the tech industry, an appellate court has ruled in favor of Microsoft, finding that the company does not have to turn over the contents of an Outlook.com user’s inbox to American investigators because that user’s data is held abroad, in Ireland.

In a 43-page decision handed down on Thursday, the 2nd Circuit Court of Appeals overturned the lower court’s ruling, finding that the Stored Communications Act, which allows domestically held data to be handed over to the government, does not apply outside the United States.

In December 2013, authorities obtained an SCA warrant, which was signed by a judge, as part of a drug investigation and served it upon Microsoft. When the company refused to comply, a lower court held the company in contempt. Microsoft challenged that, too, and the 2nd Circuit has vacated the contempt of court order, writing:

We conclude that Congress did not intend the SCA’s warrant provisions to apply extraterritorially. The focus of those provisions is protection of a user’s privacy interests. Accordingly, the SCA does not authorize a US court to issue and enforce an SCA warrant against a United States‐based service provider for the contents of a customer’s electronic communications stored on servers located outside the United States. The SCA warrant in this case may not lawfully be used to compel Microsoft to produce to the government the contents of a customer’s e‐mail account stored exclusively in Ireland. Because Microsoft has otherwise complied with the Warrant, it has no remaining lawful obligation to produce materials to the government.

It is not publicly known what the government hopes would be revealed by acquiring the e-mail, which was sought as part of a drug investigation. The authorities have also not revealed whether the e-mail account owner is American or if that person has been charged with a crime.

In Microsoft’s brief to the 2nd Circuit, the government asked the court to ponder a scenario where the "shoe is on the other foot."

"Imagine this scenario. Officers of the local Stadtpolizei investigating a suspected leak to the press descend on Deutsche Bank headquarters in Frankfurt, Germany," the company’s lawyers wrote. "They serve a warrant to seize a bundle of private letters that a New York Times reporter is storing in a safe deposit box at a Deutsche Bank USA branch in Manhattan. The bank complies by ordering the New York branch manager to open the reporter's box with a master key, rummage through it, and fax the private letters to the Stadtpolizei."

The US government, could, however, use the Mutual Legal Assistance Treaty process as a way to contact Irish authorities to serve a local warrant upon Microsoft’s Irish subsidiary, which controls the data center, to obtain the data. That procedure, which may have already been undertaken, is likely slower than a SCA warrant. However, if the government did go ahead with an MLAT request, it was likely to have been fulfilled during the lengthy process of the judicial appeal.

It is not clear whether the Department of Justice will accept the ruling or file an appeal. DOJ spokesperson Peter Carr did not immediately respond to Ars’ request as to whether the government would seek an en banc rehearing of the case or appeal the decision to the Supreme Court.

UPDATE 12:47pm ET: In an e-mail to Ars, Carr wrote: "We are disappointed with the court’s decision and are considering our options. Lawfully accessing information stored by American providers outside the United States quickly enough to act on evolving criminal or national security threats that impact public safety is crucial to fulfilling our mission to protect citizens and obtain justice for victims of crime."