Google has been ordered by a federal court in Pennsylvania to comply with search warrants and produce customer emails stored abroad, in a decision that is in sharp contrast to that of an appeals court in a similar case involving Microsoft.
Magistrate Judge Thomas J. Rueter of the U.S. District Court for the Eastern District of Pennsylvania ruled Friday that the two warrants under the Stored Communications Act (SCA) for emails required by the government in two criminal investigations constituted neither a seizure nor a search of the targets' data in a foreign country.
Transferring data electronically from a server in a foreign country to Google's data center in California does not amount to a seizure because “there is no meaningful interference with the account holder's possessory interest in the user data,” and Google’s algorithm in any case regularly transfers user data from one data center to another without the customer's knowledge, Judge Rueter wrote.
He added that when Google produces the electronic data in accordance with the search warrants, and the government views it, the invasion of the account holder's privacy - the searches - will take place in the U.S.
In the Microsoft case, which was cited by Google, the U.S. Court of Appeals for the Second Circuit in New York quashed a warrant that would have required the company to disclose contents of emails stored on a server in Ireland.
The court said in its opinion that the SCA under which the warrant was served “does not authorize courts to issue and enforce against U.S.‐based service providers warrants for the seizure of customer e‐mail content that is stored exclusively on foreign servers."
The architecture of Google’s system that partitions user data into shards does not let the company establish with any certainty which foreign country’s sovereignty would be implicated when the company accesses the communications to produce it in response to a legal process, making it difficult for law enforcement to look for other means such as Mutual Legal Assistance Treaties (MLATs) between countries to get access to the data.
“Google admits that the location of the data could change from the time the Government applies for legal process to the time when the process is served upon Google,” the Judge wrote.
Microsoft had argued in court that nowhere did the U.S. Congress say that the Electronics Communications Privacy Act, of which the SCA is a part, "should reach private emails stored on provider's computers in foreign countries."
The company provided non-content information held on its U.S. servers in response to the search warrant, but tried to quash the warrant when it concluded that the account and the content of the mails were hosted in Dublin.
Microsoft instead favored an inter-governmental resolution to the U.S. demand for access to the emails in Dublin, through the use of MLATs the U.S. has with other countries including Ireland.
In the Microsoft case, unlike that of Google, all the relevant user data of a presumably Irish citizen was located exclusively in one data center in Ireland and remained stable there for a significant period, Judge Rueter wrote.
The assumption made by the majority in the decision of the Second Circuit was that messages stored in the cloud have a discernable physical location, which could not be made in the Google case.
The judge held that under the warrants against Google, “the invasions of privacy will occur in the United States; the searches of the electronic data disclosed by Google pursuant to the warrants will occur in the United States when the FBI reviews the copies of the requested data in Pennsylvania.”
He described the cases against Google as involving a “permissible domestic application of the SCA, even if other conduct (the electronic transfer of data) occurs abroad.”
Google said in a statement that the magistrate in the case had departed from precedent, and it planned to appeal the decision. "We will continue to push back on overbroad warrants," it added.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.