Digital Forensics and the Shrinking Importance of United States v. Microsoft Corp.

By Michael Gentithes, Visiting Assistant Professor, Chicago-Kent College of Law.

Supreme Court cases can lose relevance when technological changes render obsolete the questions addressed. Rare, though, is the case that loses its relevance before the opinion is even drafted. That fate may await currently pending case of United States v. Microsoft Corp.

The case, in which the Court heard oral arguments in late February, concerns a government warrant for emails in an account investigators believed was involved in drug trafficking. Microsoft argued that, although it would provide investigators with account information that was stored in the United States, it was not obligated to provide the contents of the emails, which were stored in a massive data center in Dublin, Ireland.

Microsoft’s response hints at a larger tension between the warrant requirement and modern digital forensics investigations. Microsoft divided its storage of account information about a given email address and all of the emails in that account’s inbox, storing the former in United States servers while storing the latter in Ireland. But many other global internet companies distribute a single user’s data even more widely, and in even smaller pieces. Some divide data into “shards,” so that different components of the same data are scattered amongst multiple physical locations. Email provides a ready example. Companies may store the emails that appear in a user’s inbox, or even different components of a single email (such as the text in the body and an attached video), in different physical locations that cross several national borders. In part, companies “shard” their servers to enhance performance; this reduces bottlenecks when multiple users and applications seek to retrieve information from the same data center’s servers at the same time.

The legal implications of storage practice such as sharding will quickly render cases like Microsoft anachronistic. Data that forensic investigators seek in a warrant may be in shards stored at various servers across the globe. For courts that must determine the legal regime that applies, the data is everywhere and nowhere at once. Courts are ill-equipped to decide with any precision or reliability whether a sizeable-enough component of the requested data resides within one specific nation so that its legal regime ought to control.

Whatever the Justices decide, their decision in Microsoft seems destined for the trash heap of Supreme Court history. The very idea of a unitary physical location for email accounts, or even individual emails, may soon be a thing of the past, turning Microsoft into the judicial equivalent of the eight track or Walkman.

This is an issue that calls for legislative solutions. Congress is now considering the bipartisan “CLOUD Act,” which would allow United States investigators to obtain warrants for data in an internet company’s possession, custody, or control—regardless of the physical location where the company stored that data. United States companies would have to comply with United States warrants, no matter where and how that company stores its data. Such an approach, which focuses on the territorial location of the service provider rather than the territorial location of its (likely fragmented) data, is far superior to any solution the Court may craft in Microsoft.

Leave a Reply

Your email address will not be published. Required fields are marked *