The Un-Territoriality of Data
abstract. Territoriality looms large in our jurisprudence, particularly as it relates to the government’s authority to search and seize. Fourth Amendment rights turn on whether the search or seizure takes place territorially or extraterritorially; the government’s surveillance authorities depend on whether the target is located within the United States or without; and courts’ warrant jurisdiction extends, with limited exceptions, only to the borders’ edge. Yet the rise of electronic data challenges territoriality at its core. Territoriality, after all, depends on the ability to define the relevant “here” and “there,” and it presumes that the “here” and “there” have normative significance. The ease and speed with which data travels across borders, the seemingly arbitrary paths it takes, and the physical disconnect between where data is stored and where it is accessed critically test these foundational premises. Why should either privacy rights or government access to sought-after evidence depend on where a document is stored at any given moment? Conversely, why should State A be permitted to unilaterally access data located in State B, simply because technology allows it to do so, without regard to State B’s rules governing law enforcement access to data held within its borders?
This Article addresses these challenges. It explores the unique features of data and highlights the ways in which data undermines longstanding assumptions about the link between data location and the rights and obligations that should apply. Specifically, it argues that a territorial-based Fourth Amendment fails to adequately protect “the people” it is intended to cover. Conversely, the Article warns against the kind of unilateral, extraterritorial law enforcement that electronic data encourages—in which nations compel the production of data located anywhere around the globe, without regard to the sovereign interests of other nations.
author. Assistant Professor, American University Washington College of Law. For helpful conversations, comments, and support, special thanks go to William Banks, Bobby Chesney, Ashley Deeks, Laura Donohue, Amanda Frost, Ahmed Ghappour, Ryan Goodman, David Gray, Claudio Grossman, Chimène Keitner, Orin Kerr, Amanda Leiter, Jennifer Mueller, Paul Ohm, David Pozen, Daniel Richman, Carol Steiker, Peter Swire, David Vladeck, Stephen Vladeck, and Benjamin Wittes. Also, thanks to participants at New York University’s Hauser Colloquium on October 29, 2014; participants at the University of Texas faculty workshop on November 20, 2014; participants at the Privacy Law Scholars Conference in Berkeley, CA on June 5-6, 2015 (where this Article was the recipient of the PLSC Young Scholars Award); participants at Columbia Law School’s national security law workshop on July 9-10, 2015; two excellent research assistants, Tiffany Sommadossi and Justin Watkins; and the terrific and incredibly diligent editors at the Yale Law Journal.
In December 2013, United States federal law enforcement agents served a seemingly innocuous search warrant on Microsoft, demanding information associated with a Microsoft user’s web-based e-mail account. But there was a problem—the e-mails sought by the government were located in a data-storage center in Dublin, Ireland. Consequently, Microsoft refused to turn over the e-mails, claiming that the government’s warrant authority did not extend extraterritorially; the warrant was therefore invalid. The government, along with the magistrate judge and district court, disagreed—concluding that the relevant reference point for purposes of warrant jurisdiction was the location of the provider (in this case Microsoft), not the location of the data.1 Because the Ireland-based data could be accessed and retrieved by Microsoft employees within the United States, the warrant was territorial—not extraterritorial—and therefore valid.2
The question of where the relevant state action takes place when the government compels the production of e-mails from an Internet Service Provider (ISP) is one of first impression and is now being litigated before the Second Circuit. It has garnered the attention of communication companies throughout the United States, the Irish government, the European Parliament, media outlets, the U.S. Chamber of Commerce, and a wide array of commentators.3 In a strongly worded letter, the former European Union Justice Commissioner warned that execution of the warrant may constitute a breach of international law4—a sentiment echoed in the amicus briefs supporting Microsoft.5 But this statement simply assumes the answer to the key questions that the case poses: where does the key state action occur? At the place where data is accessed or the place where it is stored?
The dispute lays bare the extent to which modern technology challenges basic assumptions about what is “here” and “there.” It challenges the centrality of territoriality within the relevant statutory and constitutional provisions governing the search and seizure of digitized information. After all, territorial-based dividing lines are premised on two key assumptions: that objects have an identifiable and stable location, either within the territory or without; and that location matters—that it is, and should be, determinative of the statutory and constitutional rules that apply. Data challenges both of these premises. First, the ease, speed, and unpredictability with which data flows across borders make its location an unstable and often arbitrary determinant of the rules that apply. Second, the physical disconnect between the location of data and the location of its user—with the user often having no idea where his or her data is stored at any given moment—undercuts the normative significance of data’s location.
This is not to say that tangible objects are immovable or that they are always co-located with their owner. Both people and objects travel from place to place. And people can be, and often are, separated from their tangible property by an international boundary. But the movement of people and their physical property is a physically observable event, subject to readily apparent technological and physical limitations that affect how quickly bodies and tangible things can travel through space. By contrast, the movement of data from place to place often happens in a seemingly arbitrary way, generally without the conscious choice—or even knowledge—of the data “user” (by which I mean the person with a reasonable expectation of privacy in the data, such as the user associated with a particular e-mail account).6 An e-mail sent from Germany, for example, may transit multiple nations, including the United States, before appearing on the recipient’s device in neighboring France. Contact books created and managed in New York may be stored in data centers in the Netherlands. A document saved to the cloud and accessed from Washington, D.C., may be temporarily stored in a data storage center in Ireland, and possibly even copied and held in multiple places at once. These unique features of data raise important questions about which “here” and “there” matter; they call into question the normative significance of longstanding distinctions between what is territorial and what is extraterritorial. Put bluntly, data is destabilizing territoriality doctrine.
Data also challenges territoriality’s twentieth-century companion criteria—citizenship and national ties—as determinative of the constitutional and statutory rules that apply. It is now widely accepted that both citizens and noncitizens with substantial voluntary connections to the United States enjoy basic constitutional protections (including the protections of the Fourth Amendment) even when they are located outside the United States’ borders.7 Conversely, the Fourth Amendment does not protect noncitizens outside the United States, absent sufficient voluntary connections to the nation.8 Thus, territoriality doctrine, at least for constitutional purposes, involves a two-part inquiry into territoriality and target identity—with target identity turning on the depth of the target’s connections to the United States.
But just as data highlights the arbitrariness of making the location of mobile zeroes and ones determinative of the rights and obligations that apply, data also exposes the problems with making identity determinative of such rights and obligations. Digital footprints are neither observable nor readily identifiable as “belonging” to a particular person. While an Internet Protocol (IP) address might reveal a user’s location, the use of anonymizing services and other tools designed to protect the user’s privacy (or evade detection) can make even the task of identifying a data user’s location exceedingly difficult, let alone the user’s citizenship or depth of connection to the United States.9 While similar identification problems occur in the world of tangible property, the ubiquitous and intermingled nature of data compounds the problem of identification in both degree and kind. This problem is particularly acute in the context of mass surveillance, where the sheer quantity of data collected necessitates the use of presumptions as a basis for establishing identity. The vast quantity of data collected means that even a low error rate will yield large quantities of data associated with misidentified users.
This Article takes up the challenge that data—in particular its mobility, interconnectedness, and divisibility—poses to territoriality doctrine and its focus on user identity. To be clear from the outset, I do not purport to provide all of the answers, a task that requires far more than a single article. Rather, the aim of this Article is threefold: first, to expose the fiction of territoriality in a world of highly mobile, intermingled, and divisible data; second, to highlight flaws in the territoriality doctrine; and third, to suggest alternative approaches to thinking about the scope of the Fourth Amendment, the rules governing the acquisition of foreign intelligence information, and the territorial limits on law enforcement jurisdiction.
In so doing, this Article fills an important gap in the literature. While there was, beginning in the 1990s, a surge of scholarship on the borderless Internet’s effect on sovereignty, the literature focused largely on private law (such as e-commerce and trademarks) and associated regulatory issues.10 In contrast, scholarly literature has devoted comparatively little attention to the constitutional and sovereignty implications of the government reaching or sending its agents across borders to search and seize. Orin Kerr offers perhaps the most sustained attention to the issue, but he does so while focusing primarily on border searches and with the goal of maintaining the Fourth Amendment’s territorial-based distinctions.11 I, by contrast, argue that data challenges territoriality doctrine at its core, requiring us to reconsider—and in some cases reject—the territorial-based distinctions as they apply to the search and seizure of digital data.
The Article proceeds in three parts. Part I begins by analyzing the longstanding presumption against extraterritoriality, examining its dominant (and often confused) constitutional, statutory, and jurisdictional applications. It explores the underpinnings of the now-dominant view that only certain “people”—namely U.S. citizens, noncitizens with substantial voluntary connections to the United States, and those physically present in the United States—are entitled to Fourth Amendment rights and heightened statutory protections with respect to foreign intelligence surveillance.
This Part also highlights the very different purposes that territoriality serves within the context of the Fourth Amendment doctrine (and, by extension, surveillance law) and within the context of warrant jurisdiction. The Fourth Amendment imposes restrictions on the government’s authority to search and seize; by contrast, warrants provide the government the affirmative authorization to do so. Thus, whereas territoriality for Fourth Amendment purposes is based on an understanding of who is entitled to privacy rights vis-à-vis the U.S. government, territorial-based limits on warrant jurisdiction are based on respect for other nations’ sovereignty coupled with pragmatic concerns about the difficulty of unilaterally enforcing a warrant within another nation’s borders.
Part II highlights the ways in which data challenges key underlying presumptions about territoriality across each of these areas of the law. This Part identifies central differences between data and its tangible counterparts, focusing in particular on data’s mobility, divisibility, and interconnectedness. It also examines the location independence of data and its user, referring to the user’s lack of knowledge or explicit choice as to the location of his or her data at any given moment.
Finally, Part III argues that these differences between data and its tangible counterparts matter, but in the exact opposite way from what the government has suggested. These differences both compel a rethinking of a territorial Fourth Amendment and highlight the dangers of unilateral, extraterritorial law enforcement that data enables. More specifically, I argue that the intermingling and mobility of data mean that territorial and identity-based distinctions at the heart of the Fourth Amendment and the statutory scheme governing foreign intelligence surveillance no longer serve the interests they are designed to protect, at least as applied to the acquisition (or seizure) of data. Large quantities of protected persons’ data are being incidentally collected under the much more permissive rules governing the collection of nonprotected persons’ information. In their current form, these rules no longer provide the kind of protections for U.S. citizens and those located within the United States that they were designed to ensure. This discrepancy calls for a rethinking of the Fourth Amendment’s reach.
The mobility and divisibility of data similarly expose the problems with a territorially limited warrant authority that turns on where data happens to be located at any given point in time. However, the kind of unilateral, extraterritorial exercise of law enforcement that the government advocates in the Microsoft case imposes its own set of costs. Among other problems, it encourages the balkanization of the Internet into multiple, closed-off systems protected from the extraterritorial reach of foreign-based ISPs, which imposes significant costs on the efficiency and effectiveness of the Internet.12 Such an approach also makes it hard to object when another country—say, China or Russia—seeks to compel the foreign-based subsidiary of a U.S.-based ISP to turn over e-mails and other data stored in the United States, including data of U.S. citizens.13 Thus, while this Article recognizes, and in fact embraces, the need for new norms and procedures in response to cross-border data flows, it argues that this is not something that should be unilaterally imposed. Rather, the executive branch should work with its foreign partners to develop improved, mutually agreeable mechanisms that would enable law enforcement, pursuant to appropriate procedural and substantive requirements, to access data irrespective of where it is stored.
Increasing global interconnectedness has prompted renewed attention to the validity and effect of territorial presumptions in law. In a variety of contexts, both U.S. federal courts and the executive branch have sought to define and limit the geographic reach of statutes, constitutional provisions, and international treaty obligations.14 With some notable exceptions—including the Supreme Court’s ruling in Boumediene v. Bush15 that the Suspension Clause extends to Guantanamo Bay detainees—the recent trend has been one of entrenchment, with territorial-based presumptions waxing, not waning. Just five years ago, the Supreme Court in Morrison v. National Australia Bank Ltd. upended longstanding assumptions about the reach of U.S. securities law in order to fortify the presumption against the extraterritorial application of statutory law.16 In a unanimous opinion three years later, the Court applied the presumption to limit the extraterritorial reach of the Alien Tort Statute.17 Meanwhile, the executive branch has recently undertaken its own searching inquiry into the geographic reach of key international law obligations, rejecting arguments that the International Covenant on Civil and Political Rights has extraterritorial application.18 And while the Obama Administration has sought to extend certain protections to nonresident aliens in the contexts of foreign intelligence surveillance and targeted uses of lethal force, it has done so as a matter of policy, not law.19 The law continues to depend on a complicated set of territorial presumptions and applications—all of which depend, at their core, on the ability to define the relevant “here” and “there” and a determination that the “here” and “there” matter.20
This Part sets the stage for the argument that follows. It describes key constitutional, statutory, and international law presumptions of territoriality embedded in the Fourth Amendment, the statutory surveillance scheme, and warrant jurisdiction. As this Part highlights, the rules are based on two key premises. First, U.S. citizens and others with substantial connections to the United States are, as a matter of both constitutional law and policy, entitled to greater privacy protections than noncitizens who lack substantial connections to the United States. And second, respect for other states’ sovereignty, concerns about international comity, and practical impediments to extraterritorial law enforcement actions limit the extraterritorial reach of warrants.
Notably, case law and commentary have also generally assumed—usually without analysis—that the locus for assessing territoriality is that of the person or property being searched or seized. Cases involving compelled process pursuant to the government’s subpoena power—along with the lower courts’ opinions in the Microsoft case—provide some of the few examples to the contrary.21
Until the 1950s, it was widely assumed that the Bill of Rights did not apply outside the nation’s territorial borders, even when the United States was criminally prosecuting its own citizens in a foreign territory.22 Under the then-prevalent understanding of the Constitution’s reach, constitutional rights had full effect within the nation’s borders, but generally not elsewhere.23 In fact, even as the United States acquired new lands, only those territories that were “incorporated” within the United States (i.e., those destined for statehood) were protected by the entirety of the Bill of Rights. “Unincorporated” territories were protected by “fundamental” rights only.24
By 1957, the Constitution’s territorial limits with respect to U.S. citizens began to crumble. After initially ruling—consistent with longstanding doctrine—that citizen-dependents of servicemembers overseas were not entitled to Fifth and Sixth Amendment rights to a jury trial, the Supreme Court granted a rehearing and reversed itself the following Term.25 Writing for a plurality in Reid v. Covert, Justice Black stated, “[W]e reject the idea that when the United States acts against citizens abroad it can do so free of the Bill of Rights. The United States is entirely a creature of the Constitution. . . . It can only act in accordance with all the limitations imposed by the Constitution.”26 Justices Harlan and Frankfurter concurred, albeit on narrower grounds, restricting their analysis to the facts of the case; specifically, they centered their analysis on the fact that the case involved a capital murder.27
At the time, a number of scholars proclaimed (or at least advocated for) a new era of constitutional universalism in which the government would be bound by the Bill of Rights, regardless of where or upon whom it was acting.28 But in its 1990 ruling in United States v. Verdugo-Urquidez, the Supreme Court rejected this argument.29
The Verdugo-Urquidez case addressed the constitutionality of a warrantless search of captured drug lord Rene Verdugo-Urquidez’s residence in Mexico by U.S. agents. Verdugo-Urquidez was in U.S. custody in California at the time of the search. Both the district court and the Ninth Circuit ruled that the search violated the Fourth Amendment. But a fractured Supreme Court reversed. Chief Justice Rehnquist—on behalf of himself and Justices White, O’Connor, and Scalia—concluded that Verdugo-Urquidez, as a non-resident alien, was not entitled to Fourth Amendment protections. According to Justice Rehnquist, the Fourth Amendment’s reference to “the people”30 was a term of art referring to the “class of persons who are part of a national community or who have otherwise developed sufficient connection with this country to be considered part of that community.”31 Verdugo-Urquidez needed to have developed a “sufficient connection” to the United States in order to receive the Fourth Amendment’s protection; two days in a U.S. jail could not suffice.32 In so holding, the Court made the search location and the target’s identity the key determinants of the Fourth Amendment’s reach.
Justice Kennedy provided the critical fifth vote. But while purporting to join Chief Justice Rehnquist’s opinion, Justice Kennedy repudiated the majority’s central theory. Specifically, he rejected the assertion that the Fourth Amendment’s reference to “the people” was a term of art referring exclusively to U.S. citizens and those with sufficient connections to the United States. Justice Kennedy instead argued that the reference to “the people” was of unclear import and could just as readily “be interpreted to underscore the importance of the right, rather than to restrict the category of persons who may assert it.”33 However, he too rejected a universalist approach to constitutional rights—emphasizing “the undoubted proposition that the Constitution does not create, nor do general principles of law create, any juridical relation between our country and some undefined, limitless class of noncitizens who are beyond our territory.”34 Justice Kennedy instead advocated a pragmatic approach to the extraterritorial application of constitutional rights. According to Justice Kennedy, it would be “impracticable and anomalous” to enforce the Fourth Amendment’s warrant requirement in the context of a foreign search of a nonresident alien.35 Thus, the warrantless searches of Verdugo-Urquidez’s Mexican residence did not violate the Fourth Amendment.36
Despite the splintered analysis, Verdugo-Urquidez now stands for the proposition that the Fourth Amendment does not constrain the United States when its agents search or seize a noncitizen outside the United States, unless the noncitizen has developed a “significant voluntary connection” with the United States.37 Conversely, while the Supreme Court has not squarely addressed the question of citizens’ Fourth Amendment rights abroad, lower courts have concluded that U.S. actions against citizens located extraterritorially are subject to the Fourth Amendment but that only the reasonableness test—and not the warrant requirement—applies.38 Stated another way, government extraterritorial actions vis-à-vis U.S. citizens or other persons with sufficient connections to the United States have to be “reasonable,” a standard that is generally determined by weighing the government and private interests at stake. But the government need not obtain a warrant based on a magistrate’s finding of probable cause, as is the default requirement when the government searches or seizes on U.S. soil.39
Verdugo-Urquidez thus established a two-step decision tree. First, where does the search or seizure take place? If in the United States, the Fourth Amendment applies.40 If outside the United States, then turn to the question of identity: is the target of the search or seizure a U.S. citizen or an alien with substantial voluntary connections to the United States? If yes, then the Fourth Amendment applies, and the test is one of reasonableness. If, on the other hand, the target is a noncitizen lacking substantial connections to the United States, the Fourth Amendment does not apply, and the government need not abide by even the minimal requirement of reasonableness.
Moreover, while the 2008 ruling in Boumediene v. Bush41—in which the Supreme Court held that the Suspension Clause protected aliens at Guantanamo Bay—precipitated new proclamations of an emergent constitutional universalism,42 this universalism has not yet materialized. To the contrary, lower courts have largely restricted Boumediene’s holding to the Suspension Clause and possibly other so-called “structural” provisions of the Constitution, such as the Ex Post Facto Clause.43 Courts continue to rely on Verdugo-Urquidez as a basis for concluding that noncitizens without substantial connections to the United States lack Fourth Amendment and other so-called “individual” rights.44 In fact, it even remains unsettled whether Guantanamo detainees are entitled to basic rights—as distinct from the Suspension Clause—protections.45
But this is not the only way to think about the Fourth Amendment. As described above, Justice Kennedy, for example, suggests that the term “the people” is meant to emphasize the importance of the right, rather than limit its application to a certain class.46 David Gray, also relying on the term “the people,” persuasively suggests that the term defines a collective right.47 Relying on both textual and historical analysis, Gray argues that the term “the people” was chosen to emphasize the collective political interest in being free from unreasonable searches or seizures: “Whenever a member of ‘the people’ challenges a governmental search or seizure, she therefore stands not only for herself, but for ‘the people’ as a whole.”48 To be sure, the import of Gray’s insight depends in part on how “the people” is defined.49 But even assuming a narrow definition of “the people” as limited to U.S. citizens and those with significant voluntary connections to the United States, Gray’s approach moves us away from an individualistic focus on the particular target of the government action—i.e., the idea that Jack has not suffered a Fourth Amendment violation when evidence against him is obtained in the process of illegally searching his friend Jill—to a broader focus on the implication of a particular search on ‘the people’ as a whole. I return to this issue in Part III.
For now, it is worth emphasizing one other notable aspect of Verdugo-Urquidez. Specifically, Verdugo-Urquidez highlights the longstanding assumption that the locus of the territoriality inquiry turns on the location of the thing being searched or seized. The search of Verdugo-Urquidez’s residence took place in Mexico while he was being held in the United States.50 Throughout the case, it was simply assumed, without discussion, that the search was extraterritorial, not territorial.51 What mattered was the location of the property being searched, not the location of the property’s owner or the agent performing the search.
The current statutory and regulatory regime governing foreign intelligence surveillance adopts the Fourth Amendment’s focus on location and nationality as determinative of the rules that apply.52 But this was not always the case.
Initially passed in 1978, FISA regulates the collection of electronic communications for foreign intelligence purposes.53 The 1978 version of FISA covered, among other things, the collection of wire and radio communications of persons based in the United States, as well as territorial-based acquisitions of international wire communications when the targeted communication was to or from a person within the United States.54 With a few narrow exceptions, all such collection required a warrant issued by the Foreign Intelligence Surveillance Court (FISC), based on a finding that the target was a “foreign power” or an “agent of a foreign power.”55
Notably, the warrant requirement applied to citizens and noncitizens alike, albeit with heightened standards governing the targeting of a “United States person” (i.e., a U.S. citizen or legal permanent resident).56 At the time of passage, some members of Congress argued that the warrant requirement should cover U.S. persons only—not resident aliens who were not legal permanent residents or nonresident aliens whose communications were covered by FISA when the collection took place in the United States.57 But Congress ultimately decided to apply the warrant requirement to all such collection. The House Intelligence Committee emphasized that a broad warrant requirement was imposed “not . . . primarily to protect such persons but rather to protect U.S. citizens who may be involved with them and to ensure that the safeguards inherent in a judicial warrant cannot be avoided by a determination as to a person’s citizenship.”58
This quote exemplifies the 1978 Congress’s prescient understanding of two important facts. First, the acquisition of non-U.S. persons’ communications could yield the incidental collection of U.S. persons’ information. The aptness of this insight has only increased over time. When Congress passed FISA in 1978, most communications were wholly domestic. In other words, communications transpired primarily between two or more U.S.-based users and involved data that did not leave the territorial boundaries of the United States. This is no longer true. Now the Internet is “truly global,” with communications often involving at least one foreign-based sender or recipient and regularly transiting in and out of the nation’s boundaries.59 When the government acquires communications of non-U.S. persons, whether located territorially or extraterritorially, it also risks scooping up a significant amount of U.S. persons’ data.
Second, a universally applicable warrant requirement protected against erroneous citizenship determinations that would otherwise result in the warrantless surveillance of U.S. citizens. In other words, Congress demanded a warrant for the acquisition of non-U.S. persons’ information not because it was interested in protecting non-U.S. persons’ privacy, but as a means of protecting U.S. persons.
In 2008, however, Congress passed the FISA Amendments Act of 2008 (FAA) and made two key changes to FISA. First, the FAA extended FISA’s warrant coverage to the surveillance of U.S. persons located outside the United States, thereby bringing the extraterritorial surveillance of U.S. persons under FISA’s statutory scheme.60 Second, Congress eliminated the warrant and probable cause requirements for the domestic acquisition of electronic communications sent by extraterritorially located, non-U.S. person targets. In doing so, the 2008 Congress disregarded the insight of the 1978 Congress about the risk of intermingled data and erroneous targeting decisions.
In broad brushstrokes, territorial-based presumptions now operate along two axes. The first axis—the targeting of persons located inside the United States, as well as U.S. citizens and legal permanent residents wherever they are located (so-called “U.S. persons”)—is subject to more rigorous standards and procedural protections than the targeting of noncitizens located outside the United States. The second axis—the collection of data located within the United States—is generally subject to heightened restrictions compared to collection that takes place outside the United States.61 The scheme thus tracks the territorial-based line drawing of the Fourth Amendment, albeit with an added focus on target location, in addition to property location and target identity.
More specifically, the FISC must approve the targeted electronic surveillance of all persons in the United States as well as all U.S. persons outside the United States, based on a finding of probable cause that the requisite targeting standard has been met. This requires finding that the target is a “foreign power,” an “agent of a foreign power,” or, for U.S. persons located outside the United States, an “employee or officer of a foreign power” (an addition meant to cover those working for foreign governments or foreign government-owned companies).62
Conversely, electronic surveillance targeting non-U.S. persons located outside the United States—what is known as “702” surveillance based on the statutory provision in the FAA63—is now permitted without a warrant, a finding of probable cause, or even a requirement that the target be a foreign power, agent, or employee of a foreign power.64 Rather, it is the Attorney General and the Director of National Intelligence—not the FISC—who jointly authorize the targeting of noncitizens “reasonably believed to be located outside the United States to acquire foreign intelligence information,” subject to certain statutory limitations.65
The FISC’s role is limited to three tasks with respect to 702 surveillance. First, the FISC reviews the joint “certification” issued by the Attorney General and Director of National Intelligence to ensure it contains all the requisite elements.66 Second, the FISC reviews whether the targeting procedures are “reasonably designed” to target those “reasonably believed” to be outside the United States and to prevent the acquisition of communications in which the sender and all recipients are U.S.-based.67 And third, the FISC reviews minimization procedures—designed to limit the acquisition, retention, and dissemination of information involving U.S. persons—to assess whether they meet statutory requirements.68 The FISC has no role in reviewing each specific targeting decision.
In practice, a National Security Agency (NSA) analyst initiates targeting upon a determination that a particular person may possess or receive the kind of foreign intelligence information covered within one of the approved certifications. (The FBI or CIA can nominate targets, but it is the NSA that makes the ultimate targeting decision.) The analyst then engages in a “foreignness determination”—namely, a totality of the circumstances determination that the target is a non-U.S. person “reasonably believed” to be located outside the United States.69 Because a target’s identity is not always known, the NSA applies certain presumptions. For example, when a target’s location is either unknown or known to be outside the United States, the target is treated as a non-U.S. person absent a “reasonable belief” that such person is a U.S. person.70 These presumptions, however, are hardly foolproof, as there are many reasons why a U.S. person might be temporarily or permanently located outside of the United States. While the Department of Justice (DOJ) reports that the error rate is quite low—just 0.4% in a review of 2011 data71—such statistics obviously only include identified errors and do not tell us anything about unknown errors. Moreover, given the sheer quantity of data that is currently being collected, even a low rate of error can yield high numbers of erroneous “foreignness” assessments.
Once a target is identified, the NSA then approves “selectors” associated with the target—i.e., an e-mail account such as “firstname.lastname@example.org” used by the target. In NSA speak, this is known as the “tasked selector”72 and effectively serves as the search term for collection and/or review of the acquired data. It is possible to have multiple selectors associated with each target.73
There are reportedly two main collection programs pursuant to section 702: PRISM collection and upstream collection. With PRISM collection, the government sends approved selectors, such as e-mail addresses associated with the targeted persons, to an electronic communications service provider, such as an ISP. The ISP must then turn over all communications sent to or from the selector to the NSA.74 As of mid-2011, approximately ninety percent of all communications collected pursuant to section 702 were obtained through PRISM—yielding an estimated two hundred twenty-five million Internet communications each year.75
Upstream collection, by contrast, involves the acquisition of data from the Internet’s “backbone”—the fiber-optic cables over which Internet communications travel.76 Whereas collection through the PRISM program is done with the assistance of the ISP or phone service providers with whom the target interacts, “upstream” collection is done with the assistance of the Internet and telecommunications companies that control the fiber-optic cables over which a target’s communications travel. As with PRISM, the government sends a list of approved selectors to the relevant companies. Because of the way the technology operates, acquisition generally involves the gathering of so-called Internet “transactions.” Such transactions are sometimes comprised of individual discrete communications and sometimes include multiple communications bundled together.77 Transactions are first screened to eliminate what are known as “wholly domestic communications,” defined to include transactions in which the sender and all recipients are located within the United States.78 Then, the transactions are screened to determine whether they contain the tasked selector.79
There are three points worth noting about upstream collection. First, as just described, the screening requires the NSA to eliminate only those communications in which the sender and recipients are “known” to be located in the United States. However, in many cases the location of the sender and recipient is unknown. Moreover, even if the filtering tools employed by the NSA operate with one hundred percent accuracy, the prohibition on the acquisition of domestic communications is still quite narrow. It is limited to those communications in which the sender and all recipients are located in the United States at the time of the communication. It would not include an e-mail update sent to thirty friends and family members, so long as one of the thirty recipients was outside the United States at the time he or she received the communication.
Second, such collection does not just yield information that is “to” or “from” a tasked selector. Rather, the entire transaction (not just the to/from line) is screened to determine whether it contains the approved selector. This yields communications that are “about” a selector—i.e., communications in which the target is referenced, but is neither the sender nor the recipient of the communications.80 Thus, even though section 702 collection is directed at non-U.S. persons located outside the United States, the NSA can collect a U.S.-person-to-U.S.-person communication as long as the communication is “about” (or mentions) the tasked selector.
Third, as of 2011, approximately ten percent of the twenty-six million five hundred thousand Internet transactions acquired annually via upstream collection involved the acquisition of what are known as “multiple communication transactions.” These are multiple discrete communications packaged together for the purpose of transiting the fiber-optic lines.81 As long as one of the discrete communications included in the transaction contains information “to,” “from,” or “about” the tasked selector, the NSA acquires the entire multi-communication transaction, including other discrete communications that may not contain the selector.82 According to one analysis, the acquisition of multiple communication transactions resulted in the collection of tens of thousands of communications each year that were not “to,” “from,” or “about” the tasked selector.83 Acquisition of multi-communication transactions also resulted in the collection of tens of thousands of wholly domestic communications.84 As Judge Bates, then-Chief Judge of the FISC, wrote in 2011, the “NSA’s acquisition of [multiple communication transactions] substantially broadens the circumstances in which Fourth Amendment-protected interests are intruded upon by NSA’s Section 702 collection.”85
The executive branch also engages in a range of extraterritorial surveillance activities not regulated by FISA, but instead governed by Executive Order 12,333. Reports suggest that electronic surveillance pursuant to Executive Order 12,333 accounts for an even greater share of electronic surveillance activities than any equivalent surveillance conducted under FISA or FAA.86
Executive Order 12,333 prohibits the warrantless targeting of U.S. persons’ communications in situations where a warrant would have been required had law enforcement agents in the United States been conducting the search.87 Yet reports indicate that large quantities of U.S. persons’ information are being obtained pursuant to surveillance governed by Executive Order 12,333.88 Of note, such collection reportedly includes “vacuum cleaner” or “bulk” collection, pursuant to which the Executive sweeps in all communications that transit a particular cable without using a selector or other search term to limit the scope of the acquired data.89 Reports suggest that bulk collection has included, among other things, Internet metadata,90 webcam chats,91 cellphone location data,92 and e-mail address books.93 Such bulk collection is not deemed to target anyone, thus avoiding the prohibition on targeting U.S. persons. Other collection programs fall outside the prohibition on targeting U.S. persons based on a largely unreviewable executive branch determination that such collection would not require a warrant if done for law enforcement purposes in the United States.94
In short, while FISA putatively requires a warrant for the collection of U.S. persons’ information, in practice such information can be collected without a warrant in one of six situations: (1) if the NSA errs in its foreignness determination and targets a U.S. person believing that person to be a non-U.S. person; (2) when a U.S. person is in direct communication with a non-U.S. person target; (3) when, as permitted in the context of so-called “upstream” collection, the government targets communications “about” a non-U.S. person target, and a U.S. person is party to those communications; (4) when, also permitted as a part of upstream collection, the government collects a multi-communication transaction that includes discrete communications to or from U.S. persons; (5) when the government, pursuant to Executive Order 12,333, engages in “vacuum cleaner” collection and therefore is not technically “targeting” any one person in particular; or (6) when collection occurs as a result of extraterritorial surveillance activities that the executive branch concludes would not trigger a warrant requirement if carried out in the United States by law enforcement, thus freeing the government from restrictions on the targeting of U.S. persons. Categories two through five are all examples of “incidental collection” and likely account for the vast majority of acquired U.S. person information.
To sum up, the entire statutory scheme governing foreign intelligence surveillance is premised on an assumption that persons located in the United States are entitled to greater privacy protections than those outside U.S. borders, and that U.S. persons are entitled to greater privacy protections than non-U.S. persons. Yet, given the scope of incidental collection, the current system provides only marginal protections for the U.S. persons it is designed to protect.
In response to these concerns, the intelligence community points to minimization rules that limit the retention, dissemination, and access to collected U.S. persons’ data.95 Minimization rules, if sufficiently robust, can provide important privacy protections. But it is worth noting that Congress to date has given only scant attention to minimization rules and other use restrictions. While Congress has mandated the implementation of minimization procedures, it has delegated all of the key details to the executive branch.96 Meanwhile, it has made acquisition of data its central focus, legislating extensively on both the substantive standards and the procedural requirements governing data collection. Congress thus appears to be operating under the assumption that the collection itself constitutes a privacy intrusion—and thus a potential harm—that needs to be regulated.97 To the extent that Congress, the public, and the courts remain concerned about limiting the government’s acquisition of U.S. persons’ data, the current set of territorial and identity-based distinctions fail to serve these goals. I return to this issue in Part III.
The warrant authority’s territorial-based limits implicate a very different set of considerations than those underlying the Fourth Amendment and rules on foreign intelligence. Whereas the limitations on the Fourth Amendment’s reach reflect the government’s assessment of who is entitled to privacy protections vis-à-vis the U.S. government, the limits on the warrant requirement stem largely from respect for state sovereignty and an array of pragmatic and related policy concerns. The overarching rule is that the judiciary’s warrant authority is territorially limited.98 After all, under well-accepted principles of international law, State A can exercise law enforcement actions in State B only if State B consents.99 As a result, judges are presumed to lack authority to unilaterally authorize extraterritorial searches and seizures.100
The following describes these territorial limits as applied to “ordinary” warrants issued pursuant to the Federal Rules of Criminal Procedure (Rule 41),101 warrants issued under the Wiretap Act, which authorizes real-time collection of electronic communications,102 and warrants issued under the Stored Communications Act (SCA), which authorizes collection of stored communications.103 While the territorial presumption is clear, its application to the collection of data is not. Is the appropriate reference point the location of the data, the provider, or the government agent accessing the data? As described below, the answer is unclear, and the government has suggested different answers depending on the context and its preferred outcome.
Rule 41 of the Federal Rules of Criminal Procedure prescribes the authority of magistrate judges to issue a warrant for a search or seizure.104 This authority is generally limited to property or persons within the district in which the magistrate works. Even in those limited situations (such as terrorism cases) in which judges are permitted to issue warrants authorizing out-of-district searches or seizures, such warrants are still widely understood to be subject to territorial-based limitations.105 In fact, the only instances in which magistrate judges are explicitly authorized to issue a warrant with extraterritorial reach are limited to situations in which: (1) the property or person to be searched or seized is located in a U.S. territory, possession, or commonwealth; (2) the object of the search is on the premises of a U.S. consular or diplomatic mission; or (3) the object of a search is on a residence or land owned or leased by the United States and used by U.S. diplomats or consular officers.106 All three exceptions extend to locations where the United States already exerts significant (if not exclusive) regulatory authority, thereby avoiding potential conflicts with foreign jurisdictions and maintaining respect for other nations’ sovereign authority to enforce the law. Notably, the Supreme Court in 1990 considered and rejected a proposed amendment to the rule that would have permitted judges to issue extraterritorial search warrants in certain instances.107
A recently proposed amendment to Rule 41 has again raised questions about the territorial limits of the judiciary’s warrant authority.108 The amendment—proposed by the DOJ—would authorize judges to issue remote access search warrants for electronically stored data in situations where the location of the device or stored data being investigated is unknown.109 Notably, DOJ had previously argued that magistrate judges already had jurisdiction to issue such warrants under the existing version of Rule 41, on the grounds that the agents accessing the data would be within the magistrate’s district. But at least one magistrate judge rejected the government’s request.110 In his words, the government’s position would effectively “permit FBI agents to roam the world in search of a container of contraband, so long as the container is not opened until the agents haul it off to the issuing district.”111 The magistrate thus defined the relevant locus of the search and seizure as that of the computer or data being gathered, rather than the location of the agents accessing the device. Since the location of the computer was unknown, the magistrate lacked jurisdiction to issue the warrant.112
DOJ responded to the magistrate judge’s ruling with its proposed rule revision—arguing that the authority is needed to address situations in which anonymization tools disguise the location of a computer or other device being used for criminal activity.113 But while the proposed rule responds to the problem of anonymization, it raises the prospect of judges authorizing what could turn out to be extraterritorial searches. After all, if the location of the target device and/or data is unknown, agents and reviewing judges will not know whether the sought-after data is located territorially or extraterritorially. In fact, data on Tor (one of the largest anonymity networks)114 indicates that more than eighty percent of its users connect to the network from outside the United States.115 This statistic suggests a likelihood that DOJ would be conducting extraterritorial searches in precisely the situations that are motivating the proposed amendment—situations in which the device location has been concealed through the use of anonymization tools. Moreover, even when a targeted device is located territorially, the data accessed from the device may be stored extraterritorially.
In a letter to the Rules Committee, Mythili Raman, the Criminal Division’s Acting Assistant Attorney General, responded to the possibility of such extraterritorial searching: “[S]hould the media searched prove to be outside the United States, the warrant would have no extraterritorial effect, but the existence of the warrant would support the reasonableness of the search.”116 In other words, DOJ concedes that warrants issued under its proposed rule change would not have extraterritorial reach; after all, U.S. judges have no statutory authority to issue warrants with extraterritorial effect. But this raises a series of significant yet unanswered questions about what agents will be instructed to do if and when they discover that they are engaged in an extraterritorial search. For example, will agents be obliged to cease the investigation while they seek the consent of the nation where the computer or data is located? Or can they continue their activities as they await the foreign nation’s response? In fact, at least one magistrate judge has warned that he might not be able to issue a warrant even with the rule change, given the risk that he might be issuing an extraterritorial warrant.117
The government’s position with respect to this proposed rule revision is notable for at least two additional reasons. First, DOJ appears to accept, contrary to its position at least on earlier search warrant applications,118 that the relevant search or seizure occurs where the data is located, and not where the government accesses it. After all, as Raman’s letter explicitly asserts, “In light of the presumption against international extraterritorial application . . . this amendment does not purport to authorize courts to issue warrants that authorize the search of electronic storage media located in a foreign country or countries.”119 Here, the government is assessing territoriality based on the location of the data, not of the agents accessing the data, who presumably remain in the United States.
Second, the proposed amendment covers not just devices held in unknown locations, but also stored data held in unknown locations. Such a warrant could, for example, be used to remotely access a computer and then that computer could be used to access data stored in the cloud. This could include data stored in whole, or in part, in Dublin, Ireland, or any of the many other data storage centers located extraterritorially.120 Yet, according to the government’s submission, if the government knows the data is being held in Ireland (as it does in the Microsoft case), the magistrate could not issue the warrant. The government’s position with respect to the proposed amendment is thus in tension with its stance in the Microsoft case. In the Microsoft case, the government is arguing that the location of the data is irrelevant when it compels a third party to produce the requested data.121 But here, DOJ concedes that the location of the data matters if it is the government doing the searching or seizing.
The Wiretap Act, first codified in 1968, covers real-time interception of wire, oral, or electronic communications.122 Every court to consider the issue has concluded that the Wiretap Act only governs interceptions that occur within the territory of the United States—a conclusion that is supported by the presumption against the extraterritorial application of statutes, the legislative history of the Act, and the territorial limits on magistrate judges’ warrant jurisdiction found in Rule 41.123 However, all of these cases deal with instances in which both the agents accessing the data and the data being accessed were outside the United States.124 The courts have not yet, as far as I know, addressed a situation in which an interception order is issued for a device that is located or travels outside the United States, but is being tapped by agents located within the United States.
An analogous issue has arisen, however, with respect to wiretap orders for interceptions that take place within the United States. In contrast to Rule 41 cases, which seem to assume that the location of property is what controls, several Wiretap Act cases have suggested that territoriality should be assessed based on either the location of the agent accessing the data or the location of the data. In interpreting the jurisdictional provision of the Act—which permits judges to authorize the “interception of wire, oral, or electronic communications within the territorial jurisdiction of the court in which the judge is sitting”125—numerous district and circuit courts have looked to both the locus of the device being tracked and the locus of the agents as a basis for establishing jurisdiction.126 In other words, so long as either the agents listening in on the conversations or the device or wires being tapped are within the judge’s district, then the jurisdiction requirement (territoriality) is satisfied.
But the issue is not settled. At least one circuit court has disagreed, concluding that the physical listening device must be installed within the authorizing court’s district, even if a device installed elsewhere will be monitored by agents operating within the district.127 Thus, at least in the District of Columbia Circuit, the location of the property being tracked—not the location of the agents—controls.128 Moreover, all the cases involve situations in which both the agents and the device being monitored are located within the United States, leaving unresolved the rule that applies if the agent is located territorially but the device being monitored is located outside the United States.
A separate statutory scheme—the SCA—governs the collection of stored data, such as e-mails housed on a server or documents stored in the cloud. Passed in 1986 as part of the ECPA, the SCA criminalizes unauthorized access to, and disclosure of, stored communications. It lays out the procedures and standards by which law enforcement agents can lawfully compel disclosure from an ISP. It is also the statute at issue in the Microsoft case.129 It specifies different forms of compulsory processes—subpoena, court order, and warrant—that vary in terms of what they require and when they apply.130
By the terms of the statute, a subpoena can be used to obtain a range of noncontent information from service providers, including their customers’ names, addresses, payment information, and records of session times and duration.131 When proceeding by subpoena, the government must either notify the customer, thus providing an opportunity to object, or obtain a delayed notification order.132 Delayed notification is permitted based on a court-approved “adverse result” finding, defined to include, among other things, destruction or tampering with evidence, flight from prosecution, endangerment of individuals, or undue trial delay.133
A court order is required to obtain more detailed records about a customer’s activities, such as historical logs detailing the e-mail addresses with which the customer has communicated, records of what IP addresses the user visited over time, and buddy lists.134 A magistrate judge issues a court order based on a finding of “specific and articulable facts” that the information sought is “relevant” to an ongoing criminal investigation.135
Finally, in order to compel an electronic service provider to disclose the content of communications (i.e., e-mails) stored for 180 days or less, the government must obtain a warrant based upon a finding of probable cause.136 Several courts have concluded that, as a matter of constitutional law, the warrant requirement also applies to the acquisition of all e-mails, including those stored for more than 180 days, as well as e-mails held by remote storage providers, which are not covered by the statutory warrant requirement.137
The legislative history, coupled with the presumption against extraterritoriality, overwhelmingly supports the conclusion that the SCA does not apply extraterritorially. The 1986 House Judiciary Committee Report on the SCA states that the provisions “regarding access to stored wire and electronic communications are intended to apply only to access in the territorial United States.”138 When Congress amended the statute in 2001 to authorize magistrates to issue multidistrict warrants, the amendment was entitled “Nationwide Service of Search Warrants for Electronic Evidence.”139 Unsurprisingly, the one case (other than the Microsoft case) to present the question of the SCA’s geographic reach concluded that it was territorially limited. In Zheng v. Yahoo! Inc., a district court judge rejected the plaintiff’s argument that the SCA applied to the conduct of Yahoo! China.140 The case, however, was relatively straightforward: the data was located in China; the Yahoo! China employees who accessed the data were in China; and the disclosures took place in China.141 The key question, therefore, was whether Yahoo!’s United States headquarters exercised sufficient control over Yahoo! China to bring its actions within the jurisdiction of the United States. The district court concluded that it did not.
As with the Wiretap Act, it is clear that a territorial presumption applies to the SCA. But the question of how this presumption applies when an international border separates the data and the person or entity accessing the data remains unsettled. What is the relevant location for determining territoriality—that of the ISP accessing the data or that of the data itself? In the Microsoft case, the government is arguing that it is the location of the ISP that controls. In making this claim, the government makes two analytical moves. First, the government emphasizes the language of compulsory process. The SCA authorizes the use of a warrant to “require . . . disclosure”—employing language of required disclosure that generally applies to subpoena power. According to the government, the subpoena power thus provides the appropriate frame of reference.142 Second, the government draws on rules governing subpoenas, which require the recipient of the subpoena to turn over information within its control, irrespective of its location. What matters then, according to the government, is the location of the ISP (the recipient of the warrant)—not the location of the data.143
But, as Microsoft and several amici have noted, there are two flaws with this argument. First, Congress used the term “warrant” in the SCA, not “subpoena”; there is thus good reason to think that the rules governing warrants—not subpoenas—control.144 Second, even if the analogy to subpoenas is the correct one, subpoenas generally have been relied upon to compel disclosure of a company’s own records; they have not traditionally been relied upon to compel disclosure of a customer’s private data that has been stored with the company.145 The government could not, for example, use a subpoena to compel a post office to turn over mail it is transporting. Nor could the government use a subpoena to compel a landlord to collect and turn over the papers stored in a tenant’s home. This is for good reason. One ought to maintain a reasonable expectation of privacy in property that is being entrusted with a third party for the limited purposes of transmittal or storage.146
I return to these issues in Section III.C. For now, it is simply worth noting that, while the SCA is rightly understood to be territorially limited, the question of what is territorial and what is extraterritorial is in sharp dispute. And neither the text nor the legislative history provides the necessary guidance. The issue was not on the minds of the SCA’s drafters, who wrote at a time when the Internet was still in its infancy and few communications crossed international borders.147 And none of the subsequent amendments to the SCA addressed the statute’s extraterritorial reach or the key question presented in the Microsoft case—whether directing a U.S.-based service provider to disclose data located outside the United States is a territorial or extraterritorial action.
To recap, territoriality is a critical factor in assessing both the reach of the Fourth Amendment and the scope of the government’s authority to search and seize. In fact, it is often determinative of the rules that apply. However, territoriality serves different underlying purposes in the different constitutional and statutory contexts in which it operates. Territoriality in the context of the Fourth Amendment serves as a proxy for the notion that only “the people”—a category that excludes most non-U.S. persons located abroad—are entitled to the Fourth Amendment’s protections. The Fourth Amendment thus binds the government when it searches or seizes property within the United States, but poses no constraint when the government is searching or seizing the property of an alien who lacks substantial connections to the nation and is located outside the United States.
The nation’s foreign intelligence surveillance scheme adopts this basic approach as well. Targeting of U.S. persons and persons located within the United States is subject to heightened procedural and substantive protections as compared with non-U.S. persons located outside the U.S. boundaries. Similarly, collection of data physically located in the United States is subject to heightened regulation and oversight as compared to collection of data located outside the United States. As with the Fourth Amendment, the underlying assumption is that U.S. citizens and legal permanent residents deserve enhanced privacy protections.
Territoriality in the context of warrant jurisdiction is equally important, but serves a very different purpose. It stems from respect for other states’ sovereignty, as well as an appreciation for the political and diplomatic consequences of failing to do so. The unilateral exercise of law enforcement in another state’s territory is a breach of that state’s sovereignty, potentially justifying countermeasures under international law.148 While there may be times when law enforcement or national security interests override international law considerations, this is generally a decision best made by the political branches after a full analysis of the costs and benefits—not hundreds of federal and state court judges scattered across the country.149 Territorial limits on warrant jurisdiction reflect this basic understanding.
But, as the following Part highlights, data is beginning to challenge this established understanding.
Territorial-based distinctions—whatever their purpose—depend, at their core, on the ability to distinguish between the relevant “here” and “there” and a determination that the “here” and “there” matter. Data, and the manner in which it is accessed and controlled, is undercutting both of these foundational assumptions. This Part explores how data differs from its tangible counterparts and why these differences matter. It focuses in particular on data’s mobility, divisibility, location independence, intermingling, and third-party control.
Physical objects moving from place to place are constrained by the ordinary laws of physics and by generally observable and conscious choices about how to move from Point A to Point B. For example, a person traveling from Washington, D.C., to Philadelphia will generally take the most direct route by traversing across Maryland and Delaware. If the traveler detours to France, it is likely the result of a planned decision. The same is true for data’s closest tangible counterpart: mail. It is highly unlikely that the United States Postal Service would send a letter through Paris on the way from Washington, D.C. to Philadelphia absent some significant snafu. Similarly, when one stores tangible property in a safe-deposit box or locked storage unit, it has a known, observable, and fixed location. Absent a theft or seizure of property, it will stay there until the owner decides to move it elsewhere.
Data’s mobility—in particular its speed and unpredictability—challenges our understanding of both what it means to transit from place to place and what it means to “store” our property. When two Americans located in the United States send an e-mail, the underlying zeroes and ones generally transit domestic cables. But they also, with some nonnegligible frequency, exit our borders before returning to show up on the recipient’s computer screen.150 When one Google chats with a friend in Philadelphia or uses FaceTime with a spouse on a business trip in California, the data may travel through France without the parties knowing that this is the case. Similarly, when data is stored in the cloud, it does not reside in a single fixed, observable location akin to a safe-deposit box. It may be moved around for technical processing or server maintenance reasons. It could also be copied or divided up into component parts and stored in multiple places—some territorially and some extraterritorially.151 At any given moment, the user may have no idea—and no ability to know—where his or her data is being stored or moved, or the path by which it is transiting.
These distinctions between tangible property and data matter for at least two reasons. First, they highlight the potential arbitrariness of data location as determinative of the rules that apply. Whereas the location of one’s own person and tangible property is subject to generally understood rules and limitations on the way physical property moves through space, data can move from Point A to Point B in circuitous and arbitrary ways, all at breakneck speed. This is precisely the government’s point in the Microsoft case when it warns against the “arbitrary outcomes” that would result if government access to data depended on where a provider chose to hold data at any given point in time.152 And while the government fails to make the point, the same argument can be made with respect to privacy protections that turn on data location.
Second, the path that data travels is often determined without the knowledge, choice, or even input of the data user.153 This matters for purposes of both notice and consent. It is widely understood that when one travels to, or retains property in, a foreign jurisdiction, one is subject to that sovereign nation’s laws. Individuals and entities are required to conform their behavior accordingly or accept the consequences. But if an individual sends an e-mail to a friend in Philadelphia that happens to transit through another nation, that individual is not consciously choosing to bind himself to any particular foreign government’s laws. Nor is the user consciously choosing to relinquish protections guaranteed by the Fourth Amendment or statutory protections governing the search and seizure of property in the United States simply because the data happens to transit outside the United States. Similarly, when one stores data in the cloud, one often has little control or even knowledge about the places where it is being held; these are decisions that are instead generally entrusted to computer algorithms. The user thus lacks knowledge and choice as to the rules that apply.154
Data stored in the cloud is often copied and held in more than one location. This protects against server malfunctions and ensures that a user can continue to access his or her data from a back-up location. Some storage locations might be territorial and some might be extraterritorial.155 This is akin to making multiple copies of one’s documents and storing those copies in multiple jurisdictions. This practice, therefore, is not unique to data. But the ease and speed by which data can be copied and moved has led to an exponential increase in multisite—and possibly multination—storage.
Data partitioning—under which a single database is divided into multiple parts so as to increase the manageability and efficiency of use—adds another layer of complexity.156 The various components of a partitioned database may be held in multiple locations. In certain instances, so-called “relational databases” are only comprehensible if pulled up using the appropriate application. A health care provider, for example, may be able to pull up a patient’s medical records in his or her office. But the component pieces—the patient’s name, biographical information, and drug history—might be distributed and stored in different locations; without the appropriate software, the relevant information could not be assembled in a usable form.157
Data divisibility and data partitioning thus highlight the potential arbitrariness and complications of making data location determinative of the rules that apply. Can the government evade Fourth Amendment protections that apply to a non-U.S. person’s data stored within the United States by instead searching or seizing a back-up copy stored extraterritorially? Can (or more importantly, should) the United States demand that U.S.-based ISPs retain copies of their customers’ data within the territorial jurisdiction of the United States so as to avoid the kinds of issues being raised by the Microsoft case? In a relational database, is the relevant location the place from which the data is accessed and reassembled in a usable form, or the locations where each of the component parts is stored? Under the analogous rule for tangible property, the location of each component part would control. But this would require a territoriality determination—and possibly the application of different rules—for the acquisition of the various fragments of a sought-after account or database. As these questions suggest, data location is both highly manipulable and, in some cases, difficult to define. The manipulability and indeterminacy of data thus undercut the normative significance and stability of data location, raising important questions as to the primacy of data location in determining the rules that apply.
One of the biggest changes wrought by modern technology is the possible disconnect between the location of the government actor performing the search or seizure and the location of the property being searched or seized. With the rise of modern technology, an agent conducting a search or seizure no longer need be physically located in the same place as the target of the search or seizure.158 This Section begins by analyzing how courts and the executive branch have addressed this location independence between government agents and their targets in the context of guns and drones. It then explores how data’s unique features affect the analysis.
In two recent cases, U.S. border control agents located on U.S. soil shot and killed noncitizens on the Mexican side of the border.159 In both cases, the parents of the deceased children brought (among other claims) Fourth Amendment excessive force claims. In Hernandez v. United States, the Fifth Circuit (sitting en banc) dismissed the Fourth Amendment claim on the basis that the decedent was a noncitizen located outside the United States.160 In contrast, in Rodriguez v. Swartz, the Arizona district court allowed the Fourth Amendment claim to proceed given, among other things, the decedent’s proximity to and familial connections with the United States.161 Notably, even though the two courts split on the outcome, they adopted the same territoriality analysis. Both courts concluded that the relevant seizure took place in Mexico, where the decedents were killed, rather than the United States, where the agents who fired the shots were located. In both cases, territoriality rested on the location of the target, not the location of the agent. Because the targets in both cases were located abroad, both cases were presumed to involve extraterritorial seizures.162
The use of drones provides another example of the potential disconnect between government agents and their targets. Drone operators sitting in Langley, Virginia, or at any one of a number of military bases, can remotely pilot a drone and drop a bomb halfway around the world in, say, Yemen, Somalia, or Iraq. Yet virtually every legal and policy analysis of drone strikes assumes, consistent with the border shooting cases, that territoriality is determined by the location of the target. Thus, targeted killings constitute extraterritorial actions (i.e., seizures), regardless of the location of the drone operator.163
By straightforward analogy to guns and drones, the initial search and seizure of data would be understood to take place where the data was stored and manipulated, rather than where it was accessed or reviewed. And that is how courts and the government have generally considered the issue of search and seizure of data on personal computers: they have focused on the location of the computer where the data is stored, rather than the location of the government actor. In United States v. Gorshkov,164 for example, agents located in Seattle remotely accessed and copied data from a computer in Russia. The district court deemed this an extraterritorial search because the computer was located overseas at the time it was accessed—making the location of the data, rather than the agents, the key determinant of territoriality.165 (Russia deemed this an extraterritorial search as well, asserting that it was a violation of its domestic law and filing criminal charges against one of the FBI agents involved.166) As discussed in Section I.C.1, DOJ’s commentary on the proposed Rule 41 amendment to permit the issuance of remote search warrants similarly accepts that the territoriality analysis depends on where the data is located—not on the location of the government agent remotely accessing or manipulating the data.167
But, as the government’s position in the Microsoft case suggests, this seemingly straightforward transposal of the rules applicable to drones and guns to the world of data is contestable. There is, after all, a key difference between shooting a gun or activating a remotely controlled drone and manipulating data in the ways described in the Gorshkov or Microsoft cases. When a government agent shoots a gun across the border or launches a drone in Somalia, there is an apparent, tangible invasion of airspace and an apparent, tangible effect in another nation’s territory (such as an explosion, the destruction of property, or the possible killing of individuals). But when the government or its agents in State A remotely access a server in State B and copy data located there, there is often neither an observable effect in State B nor a change in the data user’s ability to access and use the data.168
In fact, some have concluded that, because remote access of a server does not alter or interfere with the user’s ability to access his or her data, the copying of data does not amount to a constitutionally relevant seizure. Kerr, for example, initially asserted that copying data is not a seizure for Fourth Amendment purposes because it leaves the data owner’s possessory interests intact.169 The magistrate judge in the Microsoft case agreed, and cited Kerr for the proposition that the relevant constitutional moment first occurs when the data is reviewed in the United States—not when it is merely copied.170
Kerr, however, later changed his perspective, concluding that the Fourth Amendment’s prohibition on unreasonable seizures is designed to regulate, among other things, the government’s ability to secure and control information.171 When copying data adds to the pool of information available to the government, it constitutes a Fourth Amendment seizure.172 Although this claim is arguably in tension with Supreme Court precedent,173 several other scholars and courts have similarly concluded that the copying of electronic data constitutes a seizure.174
My point here is not to try to resolve this dispute. Rather, the mere fact that this is an active debate is an example of the ways in which data is different. Unlike an explosion from a gun or a missile, the extraterritorial copying of zeroes and ones can be done surreptitiously and without any observable change to conditions in State B. This opens up space for the government’s argument that the location of access, not the location of data, is what counts.
Location independence refers to the idea that data need not be stored in the same location as, or anywhere near, its user. This allows users to access their data from wherever they are located and is central to the efficiency of the cloud. Among other benefits, location independence allows providers to move data in order to minimize the use of storage centers at peak times, avoid down servers or power outages, and perform server maintenance without disrupting user access.175 Under current practices, providers control the location of data. Providers generally make such location decisions without notifying the user or obtaining his or her consent each time the data is moved from one place to another. In fact, the user is often blissfully ignorant of where his or her data is stored at any given moment.
As discussed above, this raises normative questions about making data location determinative of the rules that apply. We generally assume that the location of one’s tangible property is a product of choice, and that it indicates a connection to the place in which the property is located. But with data, this basic assumption linking the interests of the person to the location of his or her property falls apart. When the user has no knowledge of where his or her data is at any given moment, it is hard to claim that data location means much to the user. This disconnect reinforces the point made earlier: that data location at any given point in time is neither a good indicator of the data user’s ties to a particular location nor a fair determinant (from the perspective of the user) of the rules that ought to apply.
The location independence of data and its user also creates practical problems for law enforcement officials seeking to abide by the law. First, as the Supreme Court recognized in Riley v. California,176 even when law enforcement agents locate a target’s smartphone, computer, or other electronic device, they often will not know where the data stored on the device is physically being held.177 This creates hurdles for law enforcement, for even when it has a device and all the necessary passwords, it will not necessarily be able to ascertain—thanks to the cloud—whether it is accessing data that is stored territorially or extraterritorially.178 (This problem, of course, does not arise when the government is, as in the Microsoft case, compelling the production of data directly from a third-party provider that holds the data and can ascertain its location.)
Second, location independence of data and the data user means that even when law enforcement officers can determine the location of data, they may not know anything about the location of the data user, let alone the degree of his or her connections to the United States. Imagine, hypothetically, a law enforcement agent trying to track down the location and identity of the author of an e-mail describing plans to remotely detonate explosives at an upcoming parade. The agent needs to connect the data to the device that sent the e-mail; determine the location of the device; and then ascertain the location of the device’s user, which, absent real-time tracking, may not be the same as that of the device itself. Finally, the agent may need to determine the identity of the user—that is, whether or not the user is a citizen or noncitizen with substantial voluntary connections to the United States. While this identification might be feasible (albeit difficult) when dealing with discrete targets for law enforcement purposes, the sheer quantity of data collected under current surveillance programs makes it impossible to perform such individualized analysis.179 Instead, the intelligence communities rely on—as they must—certain presumptions, such as the presumption that a target of unknown location is a non-U.S. person.180 Even the best presumptions will inevitably be over- or under-inclusive in some nonnegligible number of cases. Meanwhile, the use of anonymization tools compounds these identification difficulties for law enforcement and intelligence agents alike.
Such identification difficulties are not unique to data. After all, if FedEx inspects a suspicious looking package, discovers cocaine, and turns that information over to the government, law enforcement agents will need to track down the sender of the package. Perhaps there is a clearly written return address that takes them directly to the sender, but more likely, there is either no return address, a false address, and/or an address that is accurate but at which the sender is no longer located. Thus, identification problems arise even with tangible evidence. But the quantity of electronic data, the rise of anonymization tools, and the circuitous way in which data transits from place to place magnify and exacerbate the difficulties associated with user identification. These difficulties raise questions about the viability of schemes that make user location and identity key components of the rules that apply.
Data is also different from tangible analogs in the way it can, and often does, intermingle the property of multiple users. As discussed in Section I.B, communications transiting the fiber-optic networks are often bundled together as multi-communication transactions. The NSA currently lacks the technological capacity to separate out these communications into their discrete components.181 Thus, if any one of the multiple communications is “to,” “from,” or “about” a non-U.S. person who is the target of surveillance, the government will acquire the entire transaction. Discrete communications that are part of the transaction, but not “to,” “from,” or “about” the target—including transactions to or from U.S. persons—are thus acquired, even though they could not be independently collected had they been transiting the fiber-optic lines on their own. This highlights the difficulty of effectively implementing any user- or identity-based distinctions, at least at the stage at which data is collected.
The intermingling of data also raises questions about how to ascertain the relevant data user for purposes of making a territoriality determination and thereby ascertaining which rules apply. Consider, for example, a Google document that is not yet accessible to the general public but potentially accessible to multiple private users. Alternatively, consider a multiperson chat that involves multiple users all employing encryption and thus exhibiting an intention to keep the chat private. Even if one could ascertain the location and identity of each user who accesses the Google document, or the location and identity of all participants in the multiperson chat, whose location and identity should count for purposes of determining the applicable rules? Should, for example, the Fourth Amendment protect the search and seizure of the Google document if any one of the users is located in the United States or is a U.S. citizen or noncitizen with sufficient voluntary connections to the United States? Or should the Google document be protected only if the target of the search or all of the users fall into this category of protected persons under the Fourth Amendment?182
Congress considered this issue in relation to section 702 collection and placed a prohibition on the acquisition of “wholly domestic communications”—those communications in which the sender and all recipients are located in the United States.183 This means that if one sends an e-mail to multiple family members, one of whom happens to be temporarily overseas, the message is treated differently than if it had not included that single overseas recipient. Such a rule increases the aperture of potential collection for purposes of gathering foreign intelligence information. But why should this be? Why should the restriction apply only when all the recipients are in the United States, as opposed to whenever one of the intended recipients is based in the United States? These and other related difficulties in ascertaining whose location and identity is determinative of applicable rules further highlight the complexity of implementing the territorial- and identity-based distinctions required by law.
Owners of tangible property tend to retain such property themselves, with only a small portion turned over to third parties to manage or execute. By contrast, we delegate large quantities of our digital property to the control of others. Vast quantities of electronic data are now held, or otherwise controlled, by third parties, including ISPs, cloud service providers, and companies that maintain and operate the fiber-optic cables that make up the Internet’s backbone. Moreover, it is the third party, not the user, that generally makes the critical decisions about the path by which data travels or where it is stored. It is also the third party, not the user, that is often called on by government officials to collect and produce the sought-after data.
According to the third-party doctrine, data exposed to third parties is not protected by a reasonable expectation of privacy.184 The doctrine originates from two 1970s Supreme Court opinions—Smith v. Maryland185 and United States v. Miller.186 The quantity of data at stake in Smith and Miller was necessarily limited by the relatively unsophisticated technology at the time the cases were decided.187 Nowadays, however, it is no longer feasible to participate in a digital world without exposing an incredible wealth of private information—including one’s associations and private thoughts—to a third party. As a result, the third-party doctrine has increasingly come under attack.188 My aim here is not to resolve the difficult questions raised by the third-party doctrine, but simply to note that the third-party issues create yet another point of divergence between data and most other forms of tangible property.
Such third-party control matters for two key reasons. First, it makes the location of the third party (and not the location of the property) potentially determinative of the rules that apply. In the Microsoft case, for example, the government is arguing that because Microsoft is domiciled in the United States, the government can compel the production of data under its control—irrespective of the data’s location.189 Third-party control also offers a possible way to reconcile the government’s position with respect to the proposed Rule 41 amendment—conceding that courts lack authority to authorize law enforcement searches of extraterritorially located data—and its position in the Microsoft case.190 Even if law enforcement agents could not themselves access data located extraterritorially, the rules are different—or so the government says—if a third party performs the search or seizure.191
Second, third-party control highlights the user’s lack of direct control over his or her data and its location at any given moment. It is, of course, possible to enter into contracts with third parties—or pass data localization laws—ensuring that data will be stored in a particular location.192 But currently, most data users do not retain such control over their data. In fact, the efficiency of both the cloud and a global Internet depends, to a significant degree, on third parties being able to move data around in the most expeditious manner, without being constrained by user preferences and control.
As the preceding Part highlights, data’s unique characteristics raise fundamental challenges to territoriality doctrine. They do so for three key reasons. First, the arbitrariness, instability, and location independence of data and its users challenge the assumption that data location should determine the rules that apply. Why should privacy rights or law enforcement’s access to sought-after evidence turn on where data happens to be located at any given moment, particularly given the near-instantaneous and seemingly random way in which data moves from place to place?
Second, the intermingling of data means that it is often difficult, if not impossible, to make the kind of fine-tuned, identity- and location-based distinctions that Fourth Amendment and surveillance law demand. Even absent the problem of multi-communication transactions, U.S. persons’ and non-U.S. persons’ data is inevitably intermingled by virtue of the fact that we live in an interconnected and globally networked world. Broad surveillance programs and bulk collection significantly exacerbate this problem of “incidental” collection.
Third, the location independence between the data and the government agent accessing the data creates the possibility of actors in State A searching or seizing data in State B without any readily apparent violation of State B’s territorial integrity. From the perspective of State B, however, this is arguably a violation of sovereignty since State A is determining when, and according to what procedures and substantive standards, data located in State B can be seized. Such unilateral seizure of data ignores longstanding efforts of nations—including the United States—to establish sovereign control and regulation over data within one’s own territory. It also creates a possible conflict of laws and adds fuel to certain types of data localization movements.
This Part addresses the legal implications of these insights with respect to the three doctrinal fields discussed in Part I: the reach of the Fourth Amendment, the scope of permissible foreign intelligence surveillance, and the territorial limits on the judiciary’s warrant authority. Whereas the government continues to assume a territorial Fourth Amendment, I argue that data’s mobility and interconnectedness undercut the foundation of Fourth Amendment territoriality. Conversely, whereas the government argues, at least in the context of the Microsoft case, that longstanding territorial-based limitations on law enforcement jurisdiction should yield in the face of un-territorial data, I point to countervailing policy considerations and principles of international law that, at a minimum, complicate the government’s position.
As the foregoing discussion suggests, the answers to data’s un-territoriality are not, and need not be, identical across the board. But whatever one decides is the right solution, one thing is clear: data challenges the dominance of territorial-based distinctions in the law, and these challenges must be acknowledged and addressed.
I am not the first scholar to note the ways in which data challenges a territorial Fourth Amendment. In a recent article in the Stanford Law Review, Kerr addresses “[t]he conflict between the territorial Fourth Amendment and the facts of the global Internet.”193 But while recognizing the way in which “Internet technologies . . . disrupt the prior relationship between person and place,”194 Kerr assumes that the territorial-based distinctions announced in Verdugo-Urquidez are correct.195 He thus applies his Fourth Amendment theory of equilibrium adjustment—pursuant to which the Fourth Amendment adapts to technological developments by maintaining the status quo balance of government authority and privacy protections—to suggest a series of adjustments that will maintain the territorial- and identity-based distinctions of the Fourth Amendment.196
I instead suggest an alternative perspective, namely that data calls into question the primacy of location and citizenship to the application of Fourth Amendment rights. Even if one understands the term “the people” in the way Chief Justice Rehnquist suggested in Verdugo-Urquidez—applying the Fourth Amendment’s protections only to citizens and those with substantial connections to the United States197—the mobility and intermingling of data mean that territorial- and identity-based distinctions leave “the people” insufficiently protected by a territorial Fourth Amendment, at least at the stage at which data is acquired.198 This claim is even stronger if the term “the people” is, as Justice Kennedy suggested,199 understood to emphasize the importance of the right, rather than limit who can assert a claim. As David Gray suggests, the key question is not whether the particular target of the government action is entitled to Fourth Amendment protections, but whether the government action infringes on the Fourth Amendment interests of the people in toto—something that the search or seizure of intermingled data does, regardless of the location of the acquisition, the location of the target, or the target’s identity.200
The following discussion responds to Kerr’s suggested equilibrium adjustments and considers two alternative responses: first, a presumptive Fourth Amendment; and second, a universalist Fourth Amendment.
In applying a series of equilibrium adjustments to the Fourth Amendment, Kerr asks critical questions about how to apply a territorial Fourth Amendment in a globally interconnected world. He examines whether a person’s online contacts constitute sufficient connections to the United States to trigger the application of the Fourth Amendment.201 And he asks how the law should apply to the monitoring of communications between those with Fourth Amendment rights and those without.202 Yet, his analysis presumes the continued desirability of a territorial Fourth Amendment. As a result, Kerr fails to fully acknowledge the degree to which data shakes the very foundation of Fourth Amendment territoriality.
Among other proposed adjustments, Kerr suggests that Fourth Amendment protections kick in so long as either the sender or the recipient of a communication is a U.S. person or located in the United States—those individuals entitled to protection under current Fourth Amendment doctrine.203 This is in contrast to the government’s current approach, which looks exclusively to the identity and location of the target of the search in determining the rules governing collection.204 The problem is, as Kerr himself acknowledges, it will not always be feasible to ascertain the location and identity of all senders and recipients of a particular communication. Kerr thus proposes a good faith standard: so long as the government makes a good faith determination of the sender and recipient’s status, the search or seizure will be deemed constitutionally reasonable under the Fourth Amendment.205 But depending on how “good faith” is interpreted, this could become the exception that swallows the rule: is preponderance of the evidence enough? Does good faith permit a presumption (akin to that currently employed by the NSA) that unknown parties to a communication are noncitizens lacking Fourth Amendment rights?206
Of additional concern, Kerr’s proposed adjustment—consistent with longstanding Fourth Amendment doctrine—applies only to data in transit. It is, after all, well established that a sender’s reasonable expectation of privacy in mail expires once the mail arrives at its destination.207 At that point, the Fourth Amendment inquiry shifts exclusively to the recipient, who becomes the sole party with a continuing reasonable expectation of privacy in the communication. The law has not yet settled what it means for e-mail—as opposed to snail mail—to reach its destination. If simply arriving at the recipient’s server is what constitutes “delivery,” then Kerr’s proposed adjustment will provide little-to-no protection to a key subset of “the people” whom the Fourth Amendment is meant to protect—U.S. persons sending e-mails to non-U.S. persons who lack Fourth Amendment rights.208 Such communications could be seized the minute they arrived at the recipient’s server, without any requirement that the government obtain a warrant or even engage in a seizure that is reasonable.209 But even if “delivery” is understood as receipt by the intended recipient (and not just arrival on the recipient’s server), the sender would still lack any Fourth Amendment interest in the information once it has been opened or downloaded onto the recipient’s device.210
Thus, even with the kind of helpful adjustments suggested by Kerr, the intermingling of U.S. and non-U.S. persons’ information creates a high likelihood of both error and incidental collection. Put another way, even under Chief Justice Rehnquist’s conception of the Fourth Amendment, “the people” are insufficiently protected.
A much more robust response—and the one I prefer—presumes that the Fourth Amendment applies regardless of whether the collection takes place inside or outside the United States, and regardless of whether the target is a U.S. person or not. The presumption can be rebutted if, and only if, the government establishes that none of the parties to the communication is a U.S. person. The presumption also applies regardless of whether the communication is in transit or not. In practice, this means that bulk collection, wherever it takes place, will fall within the Fourth Amendment’s ambit; cross-border communications will be covered by the Fourth Amendment, irrespective of the identity of the particular target; and most foreign intelligence surveillance will also trigger a Fourth Amendment inquiry, as it will not be feasible in most cases to show that none of the parties to the communication is a U.S. person. By contrast, the surveillance of North Korean diplomats in North Korea or the targeted collection on Al-Nusra Front leaders in Syria is unlikely to trigger the Fourth Amendment—although there may be policy reasons to expand protection to these circumstances.
To be clear, this is not the same as saying that a warrant is required every time the government searches or seizes electronic communications for foreign intelligence purposes, or that all surveillance necessarily implicates the Fourth Amendment. There is, I believe, a legitimate foreign intelligence exception to the warrant requirement in some circumstances. Rather, my argument is that Fourth Amendment protections, however defined, ought to apply to U.S. person targets and non-U.S. person targets alike, absent clear and convincing evidence that collection does not encompass communications to or from a U.S. person or include other data (such as stored documents) that have been generated in whole or in part by a U.S. person.
To be more concrete: if a warrant based on probable cause is required to collect the content of electronic communications, it should presumptively be required across the board, for both citizen and noncitizen targets—irrespective of the location of the data or the target. Absent a determination that the communication exclusively takes place between non-U.S. persons, the warrant requirement should apply. Conversely, if a warrant is not required to collect certain types of information (such as certain types of foreign intelligence information or dialed phone numbers) this exception should also apply across the board—to citizens and noncitizens alike—regardless of where the data or the target is located.
Such a proposal will undoubtedly engender objections. It would be, after all, a dramatic change in the way the government thinks about its obligations toward non-U.S. persons outside the United States. However, the United States is already moving in that direction, albeit as a matter of policy, not law. The recently issued PPD-28 directs the intelligence community to establish post-acquisition limits on the dissemination and retention of collected data.211 It requires that these safeguards apply “equally to the personal information of all persons, regardless of nationality,” to “the maximum extent feasible consistent with the national security.”212 The policy directive applies across the board, even in those situations where all parties to a communication are non-U.S. persons. A presumptive Fourth Amendment would thus extend the already existing policy of post-acquisition restrictions on use, dissemination, and retention to the level of collection itself. And it would do so as a matter of law.
Some will object that applying the Fourth Amendment’s protections to the collection of noncitizens’ data overseas will impede the government’s ability to gather critical foreign intelligence information essential to the nation’s security. But as already described, the Fourth Amendment need not—and in fact does not—act as a chokehold with respect to the gathering of foreign intelligence information. The Fourth Amendment’s reasonableness requirement—described as the “touchstone” of Fourth Amendment analysis213—is a flexible standard that takes into account the governmental interest at stake. Even in the context of domestic law enforcement, where Fourth Amendment interests are at their zenith, the doctrine generally provides law enforcement agents significant latitude to search and seize.214 A presumptive Fourth Amendment still permits the government to search and seize the data of noncitizens for a wide array of law enforcement and intelligence purposes; it simply prohibits unreasonable searches or seizures of data any time a U.S. person’s communications are potentially implicated. This is a necessary means of indirectly protecting “the people” who fall within the Fourth Amendment’s ambit.
Others will suggest that minimization rules restricting the use, retention, and dissemination of acquired U.S. persons’ information sufficiently address the Fourth Amendment concerns I have identified. But while minimization rules are undoubtedly important, they protect separate interests. Whereas acquisition rules define the government’s ability to gather information, minimization rules govern what the government can do with the information after its acquisition. Acquisition itself has the capacity to both alter the balance of power between the governed and the government and to chill speech and association, among other consequentialist harms. The acquisition of data should thus be understood as independently implicating the Fourth Amendment rights of U.S. persons, regardless of the existence—or not—of other separate restrictions on use, retention, or dissemination. In fact, Congress has implicitly recognized the ways in which acquisition itself implicates the rights and interests of “the people” in its detailed rules governing the acquisition of electronic and stored communications.215
To reiterate, this position does not assume all electronic surveillance or seizure of data triggers the Fourth Amendment. Nor does it assume that a warrant is required any time the Fourth Amendment is triggered. There is, after all, an important and ongoing debate about when the Fourth Amendment protects electronic communications and other types of data.216 The claim is simply that whatever answers we arrive at should presumptively apply to U.S. persons and non-U.S. persons alike, regardless of whether the target of the acquisition or the data being acquired is based in the United States—absent a determination that all parties to the communication are non-U.S. persons. In many cases, noncitizens will be entitled to the protections of the Fourth Amendment, not because they are subsumed within “the people,” but in order to protect citizens and other persons with sufficient connections to the United States that current constitutional doctrine teaches are entitled to the Amendment’s protections.
Another possible response—what I am labeling the universalist approach—involves a total rejection of the Fourth Amendment’s territorial- and identity-based limitations. Proponents of this universalist approach have two dominant rationales. The first is to provide a bright-line prophylactic response to the risk of incidental collection without the possibility of exceptions. The second is the larger aim of repudiating Chief Justice Rehnquist’s conception of “the people” as limited to those with sufficient voluntary connections to the United States.217
There are two possible versions of the universalist approach. Under the stronger version, what I call “pure universalism,” all targets of U.S. actions are treated equally. Under the second, the Fourth Amendment applies regardless of the location or identity of the target, but location or identity still play a role in determining how the Fourth Amendment applies (e.g., when a warrant is required).218 As is obvious, only the first version (pure universalism) fully responds to the unique features of data identified in this Article. The second approach applies the Fourth Amendment to noncitizens located outside the United States, but then reintroduces territorial and identity-based inquiries into a later stage of analysis. After all, problems of target identification and intermingling apply regardless of the stage at which the inquiry takes place.
This universalist approach differs from the presumptive approach in that it would apply the Fourth Amendment even to the collection of “wholly” noncitizen, nonresident communications. It would thus apply even when the government could show that the acquisition covers North Koreans talking to North Koreans and that no U.S.-person’s communications would be incidentally acquired.
While the universalist approach has the arguable benefit of simplicity, it also runs headlong into current doctrinal understandings that limit the application of the Fourth Amendment to those with substantial voluntary connections to the United States. Regardless of what one thinks of Chief Justice Rehnquist’s fairly cursory explanation of the textual, historical, and normative justifications for his limited conception of “the people,” his reasoning has since become entrenched in the doctrine, with lower courts and legislators repeatedly relying upon his analysis.219 The judicial branch, executive branch, and Congress are not likely to embrace readily the idea that the Fourth Amendment applies to communications that are known to exclusively involve noncitizens located outside the United States.
By comparison, a presumptive Fourth Amendment achieves much of what a universalist Fourth Amendment strives toward, but does so without requiring a total overhaul of current doctrine. The presumptive approach recognizes that in a world of highly mobile and intermingled data, Verdugo-Urquidez is failing on its own terms. As a result, a set of strong presumptions is needed to protect “the people” who are, according to the Court’s reasoning in Verdugo-Urquidez, entitled to the Fourth Amendment’s protections. Thus, unless the government is engaged in the targeted collection of communications between extraterritorially located noncitizens (such as the targeted collection of communications between North Koreans), the Fourth Amendment will presumptively apply.
Recommendations with respect to the statutory requirements governing foreign intelligence surveillance track those made with respect to the Fourth Amendment. The insight of the 1978 Congress is prescient in this regard: the best way to ensure sufficient protections for Americans is to provide sufficient protections for all, at least at the acquisition stage.220 This insight has only grown more salient over time, as the Internet has become a truly global network. Congress should thus rewrite FISA to set universally applicable requirements for acquisition that no longer depend on the location of the data or the identity of the target.
Again, my purpose here is not to lay out the specific rules that ought to be adopted—that is beyond the scope of this Article. Perhaps warrants should be required; perhaps not. Or perhaps there is a middle ground, in which warrants are required for certain types of acquisition. But whatever the rules, they ought to be applied universally, absent clear and convincing evidence that none of the parties to the communication is a U.S. citizen or legal permanent resident.
At the same time, Congress should turn its attention to the critically important—and largely neglected—question of use.221 Who can access the data? Based on what substantive and procedural rules? In what circumstances can data be disseminated? How long can the data be retained? As of now, the statutory scheme focuses almost entirely on the rules governing acquisition, giving scant attention to rules governing the access and use of collected data. For example, while Congress mandates the development of so-called minimization rules to govern the access to, retention, and dissemination of U.S. persons’ information, it delegates the development of these specific procedures to the Attorney General, subject to approval by the FISC.222 The overarching requirements are written at such a level of generality that they effectively delegate all the key details to the executive branch.223 This is a mistake. So long as foreign intelligence collection continues to be as sweeping as it has been of late, minimization rules and use restrictions are critical. Thus, while this Article (like Congress) is focused primarily on acquisition and not use, the two must go hand-in-hand.
Meanwhile, as already stated, Congress ought to embrace the reality of data’s intermingling and rewrite its acquisition rules to turn on factors (such as type of information being collected) that do not depend on the identity or location of the target. As it does so, it should consider the definition of foreign intelligence. The broader the definition, the harder it will be to justify a warrant exception for foreign intelligence surveillance, particularly given its application to U.S. persons and non-U.S. persons alike. Conversely, the narrower and more limited the definition of foreign intelligence, the easier it will be to find support for warrantless surveillance for foreign intelligence purposes.
Territoriality with respect to warrant jurisdiction serves a very different purpose than it does in the Fourth Amendment context. Whereas territoriality under the Fourth Amendment demarcates who is—and is not—entitled to basic privacy protections vis-à-vis the U.S. government, territoriality for purposes of warrant jurisdiction defines the geographic scope of court-approved law enforcement authority to act. Territorial-based limitations for purposes of warrant jurisdiction stem from the longstanding principle that nations are prohibited from unilaterally exercising their law enforcement jurisdiction in another nation’s territory, as well as an awareness of the diplomatic consequences and practical difficulties of doing so.
Notably, both sides in the Microsoft case argue that they respect the territorial-based limits of the government’s warrant authority. They just differ as to the question of whether certain actions occur territorially or extraterritorially, at least for purposes of the SCA. Microsoft argues by analogy to the territorial-based limits applicable to warrants issued under Federal Rule of Criminal Procedure 41 and rules governing the search and seizure of tangible property.224 According to Microsoft, it would be an extraterritorial seizure if the government accessed the data directly; thus, it remains an extraterritorial seizure if instead of seizing the data directly, the government compels Microsoft to do so.225 The government, by contrast, points to the text and structure of the SCA to suggest that the term “warrant” in the SCA is actually a “hybrid warrant”—part warrant and part subpoena. Analogizing to the rules governing subpoenas, the government argues that it is the location of the entity (Microsoft) with control over the data that matters.226 Both sides cite policy reasons as to why their interpretation is the correct one.227
The Microsoft case thus pits the location of data against the location of access, requiring an answer as to which controls, at least for purposes of warrant jurisdiction under the SCA. From a pure policy perspective, both sides have strong claims. Yet neither approach is fully satisfactory.228 Microsoft’s position—pursuant to which law enforcement access to evidence depends on the location of data—yields bizarre results. Under Microsoft’s approach, law enforcement access to evidence depends on an ISP’s decisions about the most cost-effective and efficient storage location at any given moment. Nefarious players could manipulate data location to their advantage, seeking out companies that store data in nations unwilling, or perhaps technologically unable, to cooperate with official government-to-government requests for electronic evidence. ISPs may also have business incentives—based on customer demand—to move data to locations where cooperation with U.S. law enforcement is minimal, thus creating significant barriers for law enforcement agents investigating crimes. Moreover, the Microsoft position, while at times framed as an alternative to data localization, would likely fuel a certain kind of data localization; foreign governments would increasingly demand that ISPs store their nationals’ data within their jurisdiction so as to avoid the reach of foreign law enforcement.229
But the government’s answer—that the location of access controls—carries its own set of significant costs. It generates a system of borderless law enforcement, but without agreed-upon standards and procedures. The standards and procedures of the requesting state (the United States in this case) are effectively imposed upon the state in which the data is stored (Ireland), without considering the applicable privacy protections and rules governing law enforcement’s access to data in the state where the data is stored. This has several negative policy implications.
First, it conflicts with the international law prohibition against the unilateral exercise of extraterritorial law enforcement jurisdiction and ignores the longstanding sovereign interest in setting privacy protections for property within the nation’s territory.230 Second, and relatedly, there is a legitimate concern about the reciprocal effects on the United States’ ability to safeguard stored data held within the nation’s borders, including the data of its own citizens.231 The United States’ position may seem the correct one when it is U.S. law enforcement accessing the data, and the data is being accessed for legitimate law enforcement needs pursuant to a finding of probable cause. But what happens when another nation (let’s say China or Russia) seeks to compel a service provider operating within its territorial borders to turn over data stored within the United States regarding a dissident human rights activist?232 This is not hypothetical. The United Kingdom, for example, has adopted legislation that authorizes government officials to compel ISPs to directly turn over data stored in the United States, without regard to the SCA’s requirement of a warrant and probable cause.233
Third, such a scenario—with both the requesting state and the state where data is stored claiming jurisdiction over the data—creates an almost inevitable conflict of laws. ISPs can find themselves caught between two conflicting legal obligations, perhaps even with criminal consequences.234 While this is not new—and there is an entire body of law designed to deal with such conflicts235—it puts ISPs in an increasingly difficult position. Fourth, the U.S. position risks its own form of data localization, pursuant to which nations require that their nationals store data with locally-based ISPs so as to ensure that the data is subject to that nation’s jurisdiction. (This is in contrast to the localization movements that demand the local storage of data; this type of movement focuses on the ISP location.) The economic fallout for U.S. businesses could be significant,236 and the Internet’s efficiency would suffer as well.237 Finally, and ironically, if such movements are ultimately successful in creating closed-off or locally-controlled networks, law enforcement access to sought-after data will be compromised. The very thing that the government is seeking to do in the Microsoft case—compel a U.S.-based ISP to turn over data located extraterritorially—will be nearly impossible because that data will be held by foreign providers. Put differently, the government’s insistence on unilateral access to the data may undermine its ability to ever compel production of such data.
Taken together, these concerns highlight the need for new cross-border mechanisms that facilitate law enforcement access to data, yet also respect the sovereign interest in setting privacy protections and controlling law enforcement operations within one’s jurisdiction.238 There are several ways to achieve this balance. Here, I address some of the key considerations.
The most discussed—and also minimally responsive—proposal is simply to expand the Mutual Legal Assistance Treaties (MLAT) system, pursuant to which law enforcement officials can make formal requests for cross-border law enforcement assistance.239 It is, after all, Microsoft’s position that the U.S. government is obliged to go through the MLAT with Ireland to request the sought-after data, and that its failure to do so may itself violate international law.240 This is also Ireland’s position.241 But the MLAT system has historically been slow and clumsy, which is precisely why the government is seeking to get the data directly from the ISPs. The United States, for example, takes an average of ten months to respond to law enforcement requests made pursuant to the MLAT process; other nations take longer.242 Moreover, MLAT coverage is not universal; for instance, the United States has MLATs with only about half the countries in the world.243 These processes can, and clearly should, be improved. One potential model, the European Convention on Cybercrime (commonly known as the “Budapest Convention”), provides a mechanism for nations to expedite and facilitate preservation orders and cross-border sharing of information related to cybercrime;244 this can be expanded to cover other criminal matters as well. Increased resources, including money and personnel, are also needed. Legislation currently pending in Congress mandates the creation of an online tracking system;245 other nations should consider adopting online tracking systems as well.
However, MLAT reform in and of itself is not a remedy to the issues raised by the Microsoft case. After all, the MLAT system provides a mechanism for one government to formally request data subject to another sovereign’s jurisdiction. It thus kicks in where jurisdiction ends. One still needs to answer the key underlying question: when and in what circumstances a sovereign can claim lawful jurisdiction over data, even if that data is physically located outside its territory. If (as is often assumed and as argued by Microsoft)246 the location of data controls for purposes of the MLAT, then MLAT reform is only a partial solution at best. Such a response fails to account for the mobility, manipulability, and divisibility of data addressed in detail in Part II of this Article.
Alternative jurisdictional triggers need to be considered, such as the place where the company controlling the data operates or maintains its headquarters; user nationality; or user location. Jurisdiction could also be based on the nature of the crime and the requesting government’s interest in prosecution, rather than, or in addition to, other possible factors. My goal here is not to rank or comprehensively evaluate the various options—each of which carries its own challenges—but simply to identify some of the possible choices.
As a matter of process, it seems these jurisdictional questions are best dealt with through a series of bilateral or multilateral agreements among a handful of like-minded nations. While some are calling for an international treaty as a way to resolve such questions,247 it will be hard—if not impossible—to achieve broad international consensus on these issues in the short term. Any agreement that did emerge would almost certainly result in a watering down of protections, at least as compared to the warrant standard for content data stored in the United States.248 Bilateral and small multilateral agreements would allow the United States and other key partners to begin to set the applicable jurisdictional, procedural, and substantive requirements, without having to try to achieve total consensus as to the outcome. If successful, these agreements would establish a precedent that would be mimicked by others, eventually coalescing into broadly applicable international norms and standards.
As to the substance of the agreements, a few key considerations are in order. First, it seems that one of the key problems stems from a disconnect between the jurisdictional tests for data protection and data compulsion. The United States, for example, acknowledges territorial-based limitations on its regulatory authority under the SCA,249 yet the government asserts (in the Microsoft case) that it can compel production of data, wherever located, so long as it has jurisdiction over the provider. It is precisely this double standard that is causing the potential conflicts of law and sovereignty issues raised by the Microsoft case.250 As much as is feasible given the potential divergence between regulatory and compulsory process goals, nations should adopt jurisdictional tests that apply across the board—to both regulation and compulsion alike.251
Second, a key set of questions arises as to the substantive and procedural mechanisms by which one nation can demand production of data located in another nation’s jurisdiction (however that is ultimately defined). Under U.S. law, for example, foreign governments must meet U.S. requirements of a warrant based on probable cause to access the content of communications stored within the United States’ borders.252 This raises a host of critical questions: when, if ever, should requesting states be permitted to obtain data held within the United States’ jurisdiction based on something less than probable cause, or absent sign-off by a U.S. magistrate? What minimal substantive requirements should exist? What minimal procedural requirements? Should those requirements turn on either the nature of the data or the purpose for which it is being collected? One possible response is the “bilateral parity” solution proposed by Stephen Schulhofer. Under this arrangement, each state would be required to provide other states’ citizens the same protections it provides its own.253 This solution addresses the difficulties of harmonizing multiple, diverse systems, yet also ensures that participating states agree to subject themselves to whatever substantive and procedural standards are applied.
Third, any such agreements need to address recipient process questions—an issue distinct from the procedural standards applicable to the requesting government. To whom should the requests be made? Under U.S. law, foreign governments seeking the content of the communications must work through the U.S. government. But they can obtain noncontent data directly from the companies themselves. Should foreign governments ever be permitted to access data directly from U.S.-based providers? Should limits be placed on when foreign governments can directly request noncontent information?254 There are obvious efficiency gains in permitting direct company compulsion. But there are also costs in terms of accountability and oversight.
Finally, an institutional point: whatever one decides is the best approach, the policy and diplomatic reverberations will be global. These are decisions that should be made by the political branch, not unelected federal judges. Put bluntly, however the Second Circuit comes out in Microsoft, Congress and the Executive need to engage.255 A win for Microsoft would impose a set of territorial-based rules onto un-territorial data. This outcome fails to reflect the unique features of data and would likely fuel data localization movements, which in turn undercut the overall efficiency of the Internet. Conversely, a win for the government would establish a dangerous precedent under which nations can unilaterally—without agreed-upon substantive or procedural standards—compel the production of data located anywhere in the world simply by asserting jurisdiction over the company controlling the data.
Data is shaking territoriality at its core. Whereas territoriality depends on the ability to define the relevant “here” and “there,” data is everywhere and anywhere and calls into question which “here” and “there” matter. This Article exposes the ways in which data undercuts longstanding assumptions about the territorial reach of the Fourth Amendment, the viability of territorial-based distinctions in surveillance law, and the territorial limits to judges’ warrant authority. But just as the challenges posed by data are multilayered and complex, so too are the solutions.
To date, the government has gotten it precisely backwards. Territorial-based distinctions embedded in the Fourth Amendment and the statutory-based surveillance scheme governing electronic surveillance fail to serve the very interests they are designed to protect. Such distinctions should be eliminated, at least with respect to the seizure of data. At the same time, the Executive should not run roughshod over territorial-based limitations with respect to law enforcement jurisdiction, but should instead engage key foreign partners and seek consensus for a new approach.