
Microsoft warrant case goes before appeals panel

Microsoft and the Department of Justice will square off today before a federal appeals panel in Manhattan in a case that has implications for digital privacy and the flow of data across borders.

The appeal marks a return to court of a dispute that began nearly two years ago when DOJ obtained a search warrant to seize emails belonging to a suspect in a narcotics trafficking investigation.

Microsoft objected to the warrant, asserting it sought emails from a data center owned by the company in Dublin, where, the company argues, the U.S. has no jurisdiction to seize records. Two lower courts backed DOJ, ruling the warrant was valid because Microsoft controls the data from the U.S. regardless of where the emails happen to be stored.

The appeal comes amid lingering tensions between the U.S. and European Union over digital privacy in the wake of revelations about the extent of spying by the National Security Agency and raises a question of how much control over information a nation has within its borders.

Microsoft argues that neither the Fourth Amendment nor the Stored Communications Act, a federal law that limits the ability of the government to force email providers to turn over customer communications absent a court order, applies outside the U.S.

“If the government prevails here, the United States will have no ground to complain when foreign agents—be they friend or foe—raid Microsoft’s offices in their jurisdictions and order them to download U.S. citizens’ private emails from computers located in this country,” the company wrote in court papers.

But the warrant simply demands production of records by Microsoft, a company subject to U.S. jurisdiction, counters the government. “Under long settled precedent, the power of compelled disclosure reaches records stored abroad so long as there is personal jurisdiction over the custodian and the custodian has control over the records,” DOJ argues.

According to the government, a warrant issued pursuant to the Stored Communications Act operates like a subpoena, in that it obligates the provider to turn over the records and does not require a law enforcement officer to search the premises.

Tech companies and civil liberties groups that have weighed in on behalf of Microsoft reject the analogy. “The Fourth Amendment requires the government obtain emails with a search warrant,” wrote the Electronic Frontier Foundation, the ACLU, the Brennan Center, and The Constitution Project in a friend-of-the-court brief. “Although the government did obtain a warrant here, extending the warrant’s reach to emails stored abroad should not rest on an inaccurate analogy to subpoenas.”

A ruling in the government’s favor could spur other countries to serve warrants on tech companies for the private messages of Americans that are stored in U.S. data centers owned by companies based abroad, experts say.

A win for the government also could encourage more tech companies to encrypt messages in ways that make them impossible to read unless the recipient decodes them. Apple recently refused to turn over iMessages sought by the government, saying it couldn’t get access to the messages because they are encrypted. The dustup highlights an ongoing debate over the use of encryption and the government’s ability to unlock data when the needs of law enforcement and national security demand.


Lawsuit over hacking of Facebook account timely, appeals court rules

A woman whose former boyfriend allegedly hacked into her email and Facebook accounts, then sent and posted messages disparaging her sex life, had two years from the discovery of each incident to sue for damages, an appeals court in New York City has ruled.

Chantay Sewell sued Phil Bernardin, with whom she had a romantic relationship for nine years starting in 2002, in January 2014, charging Bernardin with gaining access to her AOL email and Facebook accounts without her permission in violation of federal law.

Sewell alleged she discovered the intrusion into her AOL account after being unable to log in to her email on Aug. 1, 2011. The following February, Sewell discovered she could no longer log in to her Facebook account because her password had been changed.

A federal trial court in Brooklyn dismissed Sewell’s lawsuit against Bernardin after concluding she failed to file it within the two-year limitations periods set forth in both the Computer Fraud and Abuse Act and the Stored Communications Act, the laws that Sewell charged Bernardin with violating.

But the U.S. Court of Appeals for the 2nd Circuit disagreed with respect to Sewell’s Facebook-related claim. Writing for a three-judge panel in a ruling released Aug. 4, Judge Robert Sack noted that Sewell’s discovery of the trespass on her AOL account did not mean she should have discovered the alleged tampering with her Facebook account then, too.

“At least on the facts as alleged by the plaintiff, it does not follow from the fact that the plaintiff discovered that one such account—AOL e-mail—had been compromised that she thereby had a reasonable opportunity to discover, or should be expected to have discovered, that another of her accounts—Facebook—might similarly have become compromised,” Sack wrote.

That means Sewell’s lawsuit with respect to the breach of her Facebook account was timely, noted the court, which reversed the trial court’s dismissal of Sewell’s Facebook-related claim.

The laws under which Sewell sued differ slightly in their formulation of when the limitations period begins, Sack explained. The limitations period under the Computer Fraud and Abuse Act, which authorizes someone whose computer has been accessed without authorization to file a civil lawsuit against the intruder, began to run when Sewell learned that her account had been impaired.

The limitations period under the Stored Communications Act, which authorizes a person whose email, postings or other stored messages have been accessed without authorization to sue, starts when the victim discovers, or has a reasonable opportunity to discover, the intrusion.

The limitations periods under both laws may be insufficient in some situations, the court noted. “Even after a prospective plaintiff discovers that an account has been hacked, the investigation necessary to uncover the hacker’s identity may be substantial,” wrote Sack. “In many cases, we suspect that it might take more than two years.”