Judicial Caution Towards Data Territoriality

By:

As public and private functions moved onto the internet, academics and practitioners wondered how the law would determine data’s location for the purpose of jurisdiction. Some academics have proposed analogy to the high seas, outer space, Antarctica, and ungoverned spaces. Others, such as Jack Goldsmith, predicted and advocated for an application of extant understandings of sovereign territoriality to cyberspace. This view has prevailed for some time, but as cyberspace transactions and conflicts become increasingly complex, courts face difficult questions regarding data territoriality. Their rulings could have unintended consequences for state actors.

In 2018, the Supreme Court of the United States heard oral argument in United States v. Microsoft.[1] The question before the Court was whether a warrant issued pursuant to the U.S. Stored Communications Act could compel Microsoft to produce emails stored solely on servers located in Ireland.[2] This data was available to Microsoft users within the United States, but was stored, for no articulated reason, in Dublin. The broader issue was whether data stored on a server within the territorial borders of a foreign sovereign exists solely within that nation’s territorial authority for the purposes of U.S. criminal law enforcement. The trial court held for the U.S Government, but that decision was overturned in the U.S. Second Circuit Court of Appeals. However, before the Supreme Court could rule, Congress amended the statute in question to give it extraterritorial effect, rendering petitioner’s question moot.[3]

In 2014, the FBI located and took over a dark web website, Playpen, which facilitated the distribution of child pornography by users of communication-anonymizing software, such as The Onion Router (TOR). Law enforcement developed and deployed a network investigative technique (NIT) that would provide them with limited identifying information about users who accessed the site and downloaded its illegal content.[4]

Meanwhile, Congress discussed—and ultimately adopted—amendments to the Federal Rule of Criminal Procedure’s Rule 41, specifically, to the provision governing the venue of search warrants. These changes reflected the committee’s prediction that novel jurisdictional issues would arise out of both emergent enforcement and criminal technologies. In order to enable good-faith law enforcement efforts, they permit judges to grant warrants to search systems whose location is unknown or uncertain due to anonymizing software.

The parameters of the NIT warrants—granted prior to Rule 41(b)(6)(a)—have been the subject of a great deal of litigation in the subsequent criminal cases. The primary claim of the defense in most cases is that the NIT did not conform with the Fourth Amendment to the U.S. Constitution or with the jurisdictional limitations of warrants, according to Rule 41 of the Federal Rules of Criminal Procedure. However, courts have almost universally affirmed the power of the FBI to conduct this procedure, not by ruling that some activity conducted by defendants in these cases brought them within the jurisdiction of the warrants, but by holding that agents relied in good-faith on the NIT warrants.

Here, as in Microsoft, courts have avoided addressing dissonance between common sense cyber-enforcement and pre-cyber legal requirements by ruling on narrower grounds. But these cases, read together, give the impression that cyber enforcement is on a collision course with courts.

There is a danger to the slow drip of caselaw in this new and open field. It is tempting to believe that court-made law can respond competently to a field as dynamic as cyberspace—that courts will make narrow decisions based on the facts and questions before them and that these decisions will eventually weave some discernible pattern of law that will govern cyberspace. However, cybersecurity and data privacy could buck this common law model of optimal lawmaking.

It is not difficult to imagine a line of narrow holdings leading to an unworkable, disastrous result in this field. In her forthcoming article, Digital Switzerlands, Kristen Eichensehr cites Microsoft as an example of an attempt to resist governmental regulation. In her article, she explains that when corporations like Microsoft are permitted to keep countries at arm’s-length by resisting regulation, they are attempting to self-actualize as “digital Switzerlands.” The analogy, drawn by the companies themselves, captures both their attempt at sovereignty and at neutrality towards the nations that would otherwise regulate them. If law enforcement were required to resort to mutual legal assistance treaties to compel U.S. corporations to comply with warrants—a typical result without data localization requirements or extraterritorial warrants—corporations could simply hide data in nations without assistance treaties.

In the Playpen case, if simple data-anonymization techniques had been permitted to nullify jurisdictional authority to investigate these crimes, it would have chilled further development of NITs, which represent a major advance in both domestic and transnational anti-exploitation interdiction. In fact, according to the FBI, the Playpen NIT led to the prosecution of twenty-five U.S. producers of child pornography and fifty-one U.S.-based hands-on abusers, and arrests of 350 U.S. users and 548 international users. The FBI further claims that they identified or rescued fifty-five U.S. children and 296 internationally.

In both cases, courts had the opportunity to render reasonable decisions that would have had powerful collateral effect. But, in both cases, courts used caution while Congress amended positive law to permit reasonable expansion of authority that cognized changes in technology. It is expected that there will be more cases that challenge traditional procedure in this way to follow; hopefully, courts will exercise caution by rendering decisions with due regard to an optimal cyber world-state.

[1] United States v. Microsoft, 138 S. Ct. 1186 (2018).

[2] Id.

[3] Id.

[4] United States v. Michaud, No. 3:15-cr-053510-RJB, 2016 U.S. Dist. LEXIS 11033, at *8 (W.D. Wash. Jan. 29, 2016).