Microsoft may not have to respond to government demands for US persons' data held overseas, but it looks like everyone else (specifically, Google) will have to keep trawling their foreign data stores for US law enforcement.
The Second Circuit Appeals Court ruled US government warrants don't apply to overseas data. Courts outside of the Second Circuit are finding this ruling doesn't apply to Google's foreign data storage. The most obvious reason for this is other circuits aren't bound by this decision. The less obvious reason has to do with how Google stores its data.
As Google describes it, communications and data are in constant motion, moving in and out of the country as needed for maximum efficiency. When a warrant arrives, Google gathers everything it finds in its domestic servers but hands back a null response to data currently held overseas. Sometimes what Google hands law enforcement is nothing more than unusable digital fragments. Obviously, the government isn't happy with this new status quo.
And it is a new status quo, as is pointed out in this ruling [PDF] by a DC magistrate judge [via FourthAmendment.com]. The ruling here aligns itself with one handed down in Pennsylvania earlier this year. In that decision -- like in this one -- the judge noted Google used to capture everything requested, no matter where it was located. It's only very recently Google has refused to chase down data (and data fragments) located in servers around the world.
The process was described this way in the Pennsylvania decision:
Google stores user data in various locations, some of which are in the United States and some of which are in countries outside the United States. Some user files may be broken into component parts, and different parts of a single file may be stored in different locations (and, accordingly, different countries) at the same time. Google operates a state-of-the-art intelligent network that, with respect to some types of data, including some of the data at issue in this case, automatically moves data from one location on Google's network to another as frequently as needed to optimize for performance, reliability, and other efficiencies.
As a result, the country or countries in which specific user data, or components of that data, is located may change. It is possible that the network will change the location of data between the time when the legal process is sought and when it is served. As such, Google contends that it does not currently have the capability, for all of its services, to determine the location of the data and produce that data to a human user at any particular point in time.
Nothing has changed here. And nothing has changed in terms of legal analysis, despite this memorandum order being issued in a DC court. The court finds Google does not effect a seizure of requested data because it simply makes a copy of it. It also points out (and Google concedes) that it does not act as a government agent when it does this, despite the only reason for Google's copying of the data is to respond to a government warrant. The court notes the Stored Communications Act does carry privacy implications, but only as far as the private entity's actions -- not the government's demands. The court's analysis states the SCA provisions only prohibits unlawful access (such as hacking) while regulating companies' responses to government demands.
The court goes on to say Google's view of its legal responsibilities is completely untenable. Because of the transitory nature of Google's data handling, it would never be able to fully comply with demands for records, no matter which country issued the order.
Finally, it must be said that the above Morrison analysis of the operative sections of the SCA has the added benefit of avoiding the bizarre results that application of the Microsoft decision to modern data networks like Google's would produce. If that decision's focus on the physical location of the data's storage were to be applied to service providers using such networks, the records and information the government would receive in response to an SCA warrant may differ significantly depending on the date on which the warrant is served. Indeed, the same warrant served on ten different days may well produce ten different results depending on where on the network the shards of responsive data are located at the moment each warrant is served. Such random results -- generated by a computer algorithm -- would serve the interests of neither privacy nor international comity.
Compounding the problem, even assuming the service provider could and would identify for law enforcement the location of the foreign-based servers on which the missing data was stored (as Google refused to do here), that knowledge would effectively be useless to the government here. By the time the government could initiate the international legal process necessary to obtain the missing data from wherever it was stored, it is entirely possible that the network would have relocated the data yet again to a server in a different country. Moreover, it is Google's position that it need not respond overseas to any such international legal requests because it is only at its headquarters in California that its data can be accessed and compiled into a recognizable electronic file. Thus, in Google's view, the only means available to obtain records and information related to a Google account is by serving an SCA warrant on its LIS team in California.
The magistrate says that's not going to work -- not under the stipulations of the SCA. In fact, it's just not going to work at all because of Google's data-handling. It may be primed for efficiency, but does little to help it comply with warrants.
To reach the conclusion advanced by Google here, the Court would need to find that a properly-issued SCA warrant requiring the disclosure to law enforcement in the United States from Google's headquarters in the United States of digital files accessible only from the United States constitutes an extraterritorial application of the SCA simply because pieces of data that make up those files were stored on a server located outside the United States at the moment in time the warrant was executed. Because such a conclusion runs contrary to the straightforward extraterritorial analysis of the SCA under Morrison detailed above, the Court finds that Google has not shown cause for its failure to produce all the records and information called for in the instant warrant within its possession, custody, or control.
In the end, the court orders Google to ignore the realities of its data flow. It may make things easier for law enforcement, but it has very little to do with keeping the government within its jurisdictional confines.
Google's LIS representatives in California can access, compile, and disclose to the government those records and information with the push of a button and "without ever leaving their desks in the United States." Microsoft, 829 F.3d at 229 (Lynch, J., concurring). Because that "entire process takes place domestically," id., Google will be ordered to comply with the warrant in full, and to disclose to the government all responsive electronic records and infonnation identified in Attachment B to the warrant within its possession, custody or control, wherever those records and information may be electronically stored.
In essence, Google is being ordered to act as a government agent to secure all requested data wherever it happens to reside. Since it can do it from a California office, the court reasons nothing foreign is touched -- at least not by the government. Once it's all packaged up locally, the local boys can access it without fear of a suppression challenge.