Microsoft invokes Supreme Court opinion in Ireland email case

The court has ruled that U.S. laws cannot apply overseas unless Congress clearly says so

Microsoft believes its refusal to turn over email held in Ireland to the U.S. government got a boost from an opinion of the Supreme Court on Monday, which upheld that U.S. laws cannot apply extraterritorially unless Congress has explicitly provided for it.

In a decision Monday in a separate case on the extraterritorial application of a provision of the Racketeer Influenced and Corrupt Organizations Act (RICO), the Supreme Court set out the ground rules for its analysis, pointing out that “absent clearly expressed congressional intent to the contrary, federal laws will be construed to have only domestic application.” The court was applying a canon of statutory construction known as the presumption against extraterritoriality.

It stated that the “the question is not whether we think ‘Congress would have wanted’ a statute to apply to foreign conduct ‘if it had thought of the situation before the court,’ but whether Congress has affirmatively and unmistakably instructed that the statute will do so."

The statements by the Supreme Court, which were cited on Tuesday in a notice of supplemental authority in the U.S. Court of Appeals for the Second Circuit by Microsoft’s lawyer, E. Joshua Rosenkranz, appear to be in accordance with Microsoft’s own argument that nowhere did the U.S. Congress say that the Electronics Communications Privacy Act "should reach private emails stored on provider's computers in foreign countries."

The proceedings in this high-profile lawsuit have been rather slow, although a decision by the court is eagerly awaited because of its far-reaching implications.

Microsoft provided non-content information held on its U.S. servers in response to the search warrant, but tried to quash the warrant when it concluded that the account and the content of the mails were hosted in Dublin. The company favors instead an inter-governmental resolution to the U.S. demand for access to the emails, through the use of "mutual legal assistance treaties" that the U.S. has with other countries including Ireland.

In an earlier decision, U.S. Magistrate Judge James C. Francis IV of the U.S. District Court for the Southern District of New York had ruled that the warrant under the Stored Communications Act, a part of the ECPA, was "a hybrid: part search warrant and part subpoena." It is executed like a subpoena in that it is served on the Internet service provider, which is required to provide the information from its servers wherever located, but does not involve government officials entering the premises, Judge Francis ruled.

The government has argued that the MLAT procedure through inter-government collaboration is time-consuming, even though Ireland has offered to consider a request for the data under the treaty. Microsoft wants that Congress should be asked for a decision on whether warrants under the ECPA can be executed abroad.

The Supreme Court in its opinion on Monday also adopted a view that appears to tally with the stand taken by Microsoft and its backers on the international implications of a decision against the company.

The court noted that there are several reasons for the presumption that a statute does not have an extraterritorial implication if it gives no clear indication of one, including that “it serves to avoid the international discord that can result when U.S. law is applied to conduct in foreign countries.” Although the risk of conflict between an American statute and a foreign law is not a prerequisite for applying the presumption against extraterritoriality, where such a risk is evident, the need to enforce the presumption is at its apex, the court observed elsewhere in its opinion.

Tech companies are worried that if the appeals court decides against Microsoft, it would scare European cloud and other customers who would be wary of the long arm of U.S. law, particularly after revelations by former National Security Agency contractor Edward Snowden about large-scale domestic and foreign surveillance by the U.S.

The case before the Supreme Court arose from allegations that tobacco and food company RJR Nabisco and related entities participated in a global money-laundering scheme in association with various organized crime groups. The European Community and 26 of its member states first sued RJR in the Eastern District of New York in 2000, alleging that RJR had violated RICO.

Nothing in the text of RICO establishes that Congress meant to allow a provision for private lawsuits to recover for injuries outside the U.S., the Supreme Court ruled. “A private RICO plaintiff therefore must allege and prove a domestic injury to its business or property,” it added.

Join the CSO newsletter!

Error: Please check your email address.

More about MicrosoftNabiscoNational Security Agency

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John Ribeiro

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place