Why did a judge order Google to hand over emails from outside the US?

Surprising many privacy advocates, US magistrate Judge Thomas Rueter has ruled that Google must turn over email contents demanded by the FBI through a court-approved warrant, even where those contents are stored outside the United States.

Why a surprise? Because a regional US appeals court –  that’s one step below the Supreme Court – had recently heartened them by taking the opposite view in a case involving Microsoft.

In the Microsoft case, involving narcotics trafficking, the US government sought content from emails stored on Microsoft’s servers in Dublin, Ireland. While the official court papers don’t indicate whether the customer was a US citizen, he or she evidently isn’t. A lower court required Microsoft to comply with the government order, and even found it in contempt when it did not do so. A small panel of the appeals court reversed that decision, and by a 4-4 vote, the entire appeals court refused to reconsider.

The facts of the Google case were a bit different. Here, the warrant relates to a US citizen being investigated for fraud committed in the US. Moreover, Google stores email in a complex global cloud of servers, and constantly moves message fragments around to optimize network performance. That means some email may be stored in the US, some partly in the US, some entirely overseas – and the mixture can change dynamically from instant to instant.

In responding to the government’s warrant, Google provided all the emails it knew were located in the US at that moment. But, relying on the recent Microsoft decision, it provided no emails it believed were stored elsewhere. According to Judge Rueter’s decision, that won’t fly: Google needs to provide all of them.

Rueter argued that Google is subject to the “well-established principle that a court’s power to require a person to disclose information applies to all information in that person’s custody or control, regardless of where the information is located” – and this data is solely controlled by Google employees in California. He then performed a complex analysis to determine whether enforcing the subpoena would be “an unlawful extraterritorial application of the 1986 Stored Communication Act,” concluding that it is not.

In his (controversial) view, the data isn’t being “seized” in a foreign country, because “seizure” implies that the user has lost some meaningful aspect of the possession of his property. But Google routinely moves data from and to the US, and users never even notice – simply moving data creates no “meaningful interference with the account owner’s control over his information”. His reasoning continues: the actual search of the email’s contents only happens within the US, so a government warrant for a domestic search is sufficient.

It’s important to understand just how fluid American law is when it comes to these email warrants, and how tenuous the protections that the Microsoft case has seemed to offer.

Unsurprisingly, Google has already announced that it will appeal Rueter’s decision. And it’s only been two weeks since the appeals court denied the government’s request for a rehearing in the Microsoft case by a tied 4-4 vote. The government might still appeal to the US Supreme Court, and given the closeness of the appeals court decision, the Supreme Court might well agree to consider its appeal.

Since the July 2016 Microsoft decision was made by a regional court, it isn’t technically binding nationwide. But many leading service providers have been treating it as if it is, extending greater privacy protections to customers unless forced to do otherwise by another court (as Rueter is attempting to do).

However, one key justice who supported Microsoft in the first case said things would “look rather different… if the American government is demanding from an American company emails of an American citizen resident in the US, which are accessible at the push of a button in [the US] and which are stored on a [foreign] server… solely for reasons of convenience and that could be changed… at the whim of the American company”. That sounds quite a lot like the Google case.

The government has argued that if the Microsoft decision stands, there would be no way for any law enforcement official anywhere to legally access an email that might be stored on a foreign server. It would be “beyond the reach” of a US warrant “even when the account owner resides in the United States and the crime under investigation is entirely domestic”.

And it would be beyond the reach of foreign law enforcement, because non-US law enforcement agencies have no power over the Google employees in California who are the only individuals capable of accessing that content. Rueter notes that, in oral arguments before his court, Google’s attorneys said the only way the government could get this data was to “work to reform” the 1986 law these warrants are based on.

Many observers do think that law is obsolete in the era of cloud computing, and do expect Congress to revise it. Meanwhile, of course, the US administration has changed; and while Donald Trump’s incoming attorney-general Jeff Sessions hasn’t yet said whether he’ll appeal, he has said that Congress should change the law so the Microsoft decision doesn’t stand.

Needless to say, the American privacy and technology communities are closely watching what happens next in both the Google and Microsoft cases. But so are foreigners – many of whom are already concerned about the privacy of cloud services whose data is controlled by US companies.