The Microsoft-Ireland Case is Moot

We covered this before here and here.

But the high-profile case of United States v. Microsoft Corporation is now over. The question was whether the government could force Microsoft to turn over data that it stored on servers in other countries. The problem was that federal law didn’t allow the government to do that, or at least it wasn’t clear. So Microsoft challenged the government. It lost in the trial court, won on appeal, and landed before the U.S. Supreme Court last fall.

The Supreme Court heard the case in February, but in March, the new federal spending bill changed everything. It included a law called the CLOUD Act, which stands for Clarifying Lawful Overseas Use of Data.

Under the new law, companies like Microsoft must produce data in their possession, custody, or control even if it’s located outside the United States. They may object if they reasonably believe that a target is not from the U.S. and that, by producing the data, they will break the laws of a “qualifying foreign government.” That means a government with which the U.S. has agreed to grant reciprocal access to such data for use in criminal cases. But there are no agreements yet. To get there, a foreign government must, among other things, not target U.S. persons, and it must be committed to due process, data privacy, free speech, and other civil rights and liberties.

Within a week of the new law, the U.S. moved to dismiss the case as moot.

A few days later, Microsoft agreed. For the full text of the CLOUD Act, see here, and scroll all the way down to page 866. For the company’s detailed statement on the new law, see here.

And so the trilogy is complete.

Can They Search My Phone at the Border?

Suppose you go to visit your aunt in Italy, and you take your phone and tablet with you.

When you come back through customs, can they just search your devices willy nilly?

Probably. Here’s a good overview of your rights at the border, along with some practical considerations. It’s worth reading ahead of time because the government is stepping up its enforcement at points of entry, and there have been some heavy-handed run-ins lately between agents and travelers, including U.S. citizens.

The general rule is that customs and border agents may conduct routine, reasonable searches of you and your belongings, including your electronic devices, for any reason or no reason at all. They don’t need a warrant, and they don’t need any basis to believe they’ll find evidence of a crime. It’s known as the Fourth Amendment’s border-search exception.

But how far can they go?

Can they conduct full, forensic searches or force you to give up your passwords?

According to this 2009 policy memo, the answer is yes. It says agents can seize your device, copy its contents, and search them. To do so, they can hold a device for up to five days with a supervisor’s approval. For longer periods, they must get further approval at higher levels. Ordinarily, they must conduct the search in the presence of a supervisor, too, but if that’s not feasible, they must inform a supervisor about their search as soon as possible. If they find probable cause to believe your phone contains evidence of a crime, you may not get it back for a while, if at all. If they don’t, you should get your phone back eventually, and they’re supposed to destroy any copied information.

The law is evolving, however, to require at least a reasonable suspicion for a full forensic search. That’s already the case in the federal circuit that covers California and eight other states, and the law should continue to trend in that direction. What is a reasonable suspicion? It’s a particularized and objective basis for suspecting someone of a crime.

Still, reasonable suspicion is not a tough legal standard to meet.

Plus, agents can always just ask you to unlock your phone or give up your passwords, and if you refuse, they have plenty of ways to coerce you. They can take your phone; detain you, too; search your bags more thoroughly; deny you entry if you’re visiting; or scrutinize your green-card status. Most folks just want to be on their way.

So happy trails, traveler. Leave the phone, perhaps, but take the cannoli.

Every Man’s Evidence, Everywhere

They say the public has a right to every man’s evidence, but in a world full of digital evidence, what if it’s stored on servers in other countries?

We wrote about this case two summers ago. Back then, the Microsoft Corporation had just defied a federal search warrant that demanded a subscriber’s emails and other data as part of a criminal investigation. Microsoft had already produced all of the data that it stored on servers in the United States, but it refused to access and turn over the emails because they were stored in the Republic of Ireland. Instead, the company moved to quash the warrant, which the magistrate denied, and it was appealing that denial to the district court when we last wrote about it. As it happened, the district judge agreed with the magistrate and held the company in contempt of court for not obeying the warrant.

Well, three weeks ago, Microsoft won big in the court of appeals. In a unanimous decision, the court ruled that the warrant couldn’t be enforced against the emails because the federal law in question—the Stored Communications Act—did not authorize warrants to reach beyond the territorial jurisdiction of the United States. Courts must presume that a law applies only within the United States unless Congress clearly says otherwise, and it hadn’t done so here. One judge wrote separately to explain why it was a closer case and to urge Congress to update the Stored Communications Act for the 21st century.

For now, the decision binds federal courts in New York, Vermont, and Connecticut.

Identity Theft. Even If You Didn’t Steal Anyone’s Identity.

Two weeks ago, a federal court of appeals in California decided that a law that punished “aggravated identity theft” could apply to a person who didn’t steal or misappropriate anyone’s identity. See 18 U.S.C. § 1028A. If the decision stands, it will create federal law in California and eight other states.

That matters because section 1028A mandates an extra two, consecutive years in prison if you commit its brand of identity theft during and in relation to any one of a broad list of qualifying crimes and frauds. You’re not eligible for probation if you’re convicted, and there’s no parole in the federal system, so you’re pretty much serving all that time no matter what.

The statute defines identity theft as knowingly using, possessing, or transferring a means of identification of another person without lawful authority. A “means of identification” can be any name or number that’s used alone or along with other information to identify a specific person. Id. § 1028(d)(7). Think name, signature, date of birth, driver’s license number, social security number, or in this case, a passport.

The issue before the court was the meaning of the phrase, “without lawful authority.”

So, what if you used someone’s passport but with permission? Is that still identity theft?

That’s what happened to this guy. He was arrested in San Diego after crossing the border from Mexico. He was the sole driver of a car that was found to contain two kilograms of cocaine and three kilograms of methamphetamine. When he was first stopped at the border, he presented a U.S. passport and passed it off as his, but after some questioning, he admitted that the passport belonged to his twin brother.

At trial, he was convicted of aggravated identity theft in addition to the drug-trafficking charges, and he appealed, arguing that he couldn’t be guilty of identity theft because he had his brother’s permission.

But the court held otherwise, agreeing with several other courts of appeals that, despite its title, section 1028A did not require theft as an element of the crime. See, e.g., United States v. Otuya, 720 F.3d 183, 189-90 (4th Cir. 2013) (upholding the conviction of a defendant who used a co-conspirator’s bank account with that person’s consent); United States v. Retana, 641 F.3d 272, 273-75 (8th Cir. 2011) (upholding the conviction of a son who used his father’s social security number with permission).

The law isn’t settled, however. Recently, the federal court of appeals that covers Illinois, Indiana, and Wisconsin held that the statute required proof that you used someone’s identity without consent; otherwise, it’s identity fraud, which is covered by other statutes, not identity theft. United States v. Spears, 729 F.3d 753, 755-58 (7th Cir. 2013) (en banc).

Indeed, the congressional record for section 1028A indicates that its purpose was to raise penalties on people who “steal identities to commit terrorist acts, immigration violations, firearms offenses, and other serious crimes.” See H.R. Rep. No. 108-528, 150 Cong. Record at 3 (June 8, 2004).

What’s clear is that section 1028A doesn’t apply if the phony passport (or other means of identification) doesn’t belong to a real person. See Flores-Figueroa v. United States, 556 U.S. 646, 647 & 657 (2009). The word “person,” however, includes the living and deceased, so the government doesn’t need to prove that you knew the person was alive when you did the deed. United States v. Maciel-Alcala, 612 F.3d 1092, 1094 & 1100-02 (9th Cir. 2010).

When Technology Laps the Law

The title of this post comes from the Washington Post’s June 10 piece on the same question: Can the United States assert worldwide jurisdiction over emails and other data that are housed in servers that are physically located abroad?

Here’s the backdrop: The government is conducting a drug-trafficking investigation, so it applies for a warrant to get a suspect’s email provider, Microsoft, to disclose the contents of a specific email account. The court grants it.

But when the government serves the warrant, Microsoft does something unusual. It resists.

It moves to quash the warrant because it seeks information that’s stored on Microsoft’s servers in Dublin, Ireland, beyond the government’s territorial jurisdiction. Microsoft says that if the government wants the information, it should have to rely on the mutual-legal-assistance treaty (or MLAT) it already has with Ireland.

Not so, says the government, because a 1986 law called the Stored Communications Act allows it to compel the production of electronic records, wherever they’re stored, in three different ways: by subpoena, by warrant, or by another court order referred to as a 2703(d) order. See generally 18 U.S.C. § 2703. The government says that since Microsoft, which is subject to U.S. jurisdiction, must generally respond to valid subpoenas by producing its business records wherever it stores them, the same logic should apply to a warrant issued under the statute. Besides, neither the warrant in question nor the statute requires a physical search, so it’s not like federal agents were going to break into the Dublin facility.

But this isn’t a subpoena, replies Microsoft; it’s a warrant, and it’s an extraterritorial one at that. The government’s jurisdiction should end where Irish sovereignty and data-protection laws begin.

Not really, replies the government; it’s more of a hybrid warrant-subpoena, actually. So there.

Who wins? We will see. The magistrate judge that originally granted the warrant denied Microsoft’s motion to quash it, and the company has appealed that ruling to the district judge. The government filed its opposition brief on July 9, Microsoft’s reply brief is due July 24, and oral argument is set for July 31.

Your Cell Phone Meets Warrantless Border Searches in the Digital Age

The amount of personal papers and effects that we travel around with used to be cabined by the size of our cars or luggage.

No more.

Today, our phones, tablets, and laptops are veritable supercomputers capable of storing more information than an entire warehouse of documents. What’s more, they often hold confidential, proprietary, or otherwise sensitive information, including the most intimate details of our lives.

So what about searches at the border or airport? Those are exempt from the general rule that authorities must obtain a warrant supported by probable cause before they search or seize. The rationale is, well, to protect the border, but in the digital age, the exception can threaten the rule.

Ratings and Reviews

10.0Mani Dabiri
Mani DabiriReviewsout of 7 reviews
The National Trial Lawyers
The National Trial Lawyers
Mani Dabiri American Bar Foundation Emblem