In re In re Search Warrant No. 16-1061-M to Google

• Citation: 275 F.Supp.3d 605
• Decision Date: 17 August 2017
• Docket Number: MJ NO. 16–1061,MJ NO. 16–960
• Parties: IN RE SEARCH WARRANT NO. 16–960–M–1 TO GOOGLE In re Search Warrant No. 16–1061–M to Google
• Court: U.S. District Court — Eastern District of Pennsylvania

275 F.Supp.3d 605

IN RE SEARCH WARRANT NO. 16–960–M–1 TO GOOGLE

In re Search Warrant No. 16–1061–M to Google

MJ NO. 16–960

MJ NO. 16–1061

United States District Court, E.D. Pennsylvania.

Signed August 17, 2017

Andrew S. Pak, U.S. Dept. of Justice, Washington, DC, Robert James Livermore, U.S. Attorney's Office, Michael L. Levy, Assistant U.S. Attorney, Philadelphia, PA, for Plaintiff.

William A. Destefano, Stevens & Lee, Philadelphia, PA, John R. Tyler, Perkins Coie, Seattle, WA, for Defendant.

MEMORANDUM

Juan R. Sánchez, J.

Google Inc. seeks review of United States Magistrate Judge Thomas J. Rueter's February 3, 2017, Order granting the government's motions to compel Google to fully comply with two warrants issued pursuant to § 2703 of the Stored Communications Act (SCA), 18 U.S.C. §§ 2701 – 2712. The warrants require Google to disclose to the Federal Bureau of Investigation electronic communications and other records and information associated with four Google accounts belonging to United States citizens in connection with two domestic wire fraud investigations. Google objects to the Order insofar as it requires Google to produce data the company has elected to store on servers located outside of the United States, asserting that enforcing the warrants as to such data would constitute an unlawful extraterritorial application of the SCA, as the Second Circuit Court of Appeals held in In re a Warrant to Search a Certain E–Mail Account Controlled & Maintained by Microsoft Corp. , 829 F.3d 197 (2d Cir. 2016) [hereinafter Microsoft ], reh'g en banc denied , 855 F.3d 53 (2d Cir. 2017) [hereinafter Microsoft Reh'g ]. Although Google and each of the account holders in question are based in the United States, Google contends it is the physical location of the data to be retrieved—which Google, not the account holder, controls, and which Google can change at any time for its own business purposes—that determines whether the statute is being applied extraterritorially. Because this Court agrees with the government that it is the location of the provider and where it will disclose the data that matter in the extraterritoriality analysis, and because Google can retrieve and produce the outstanding data only in the United States, the Court agrees with the Magistrate Judge's conclusion that fully enforcing the warrants as to the accounts in question constitutes a permissible domestic application of the SCA. The Order granting the government's motions to compel will therefore be affirmed.

BACKGROUND

Google is a United States-based technology company that offers a variety of different online and communications services, including email. See Stip. ¶ 1. Although Google's corporate headquarters are located in California, the company stores user data in a number of different locations both within and outside of the United States. Id. ¶¶ 1–2. Google operates a "state-of-the-art intelligent network" that automatically moves some types of data, including some of the data at issue in this case, from one network location to another "as frequently as needed to optimize for performance, reliability and other efficiencies." Id. ¶ 4. In addition, for some types of data—for example, a Word document attached to an email—the network breaks individual user files into component parts, or "shards," and stores the shards in different network locations in different countries at the same time.¹ Id. ¶ 3, Tr. 4. As a result, at any given point in time, data for a particular Google user may be stored not only outside of the country in which the user is located, but in multiple different countries, and the location of the user's data may change at any time based on the needs of the network. See Stip. ¶¶ 3–4. Thus, for example, the network may change the location of data between the time a warrant is sought and the time it is served on Google. See id. ¶ 4.

In August 2016, Judge Rueter issued the first of the two warrants in question in this case. The warrant directs Google to provide the FBI with copies of communications and certain other categories of information associated with three Google accounts "stored at premises controlled by Google," and then authorizes the government to seize certain material from the information received. The government sought the warrant as part of an ongoing wire fraud investigation, whose target is both a citizen and resident of the United States, and all three Google accounts to which the warrant pertains belong to citizens and residents of the United States. The victim of the fraud under investigation is likewise located in the United States. In issuing the warrant, Judge Rueter found the government had demonstrated there was probable cause to believe that evidence of the fraud exists in the Google accounts.

Later the same month, United States Magistrate Judge M. Faith Angell issued the second warrant in question, requiring Google to produce to the FBI communications and other records and information associated with a single Google account belonging to the domestic target of a separate wire fraud investigation with a United States-based victim. Like the earlier warrant, this later warrant directs Google to provide the government with copies of certain categories of information associated with the account "located on [Google's] e mail servers" and authorizes the government to seize from Google's production certain files, documents, and communications. In issuing the warrant, Judge Angell found the government had shown there was probable cause to believe the target's Google account contains evidence of the fraud.

Both warrants were directed to Google at its headquarters in California, and Google's responses to the warrants were handled by the company's Legal Investigations Support team in California. See Stip. ¶ 6; Tr. 32. Support team members are the only Google personnel authorized to access the content of user communications in order to produce such materials in response to legal process, and all support team members are located in the United States. See Stip. ¶ 5. In response to each warrant, Google searched for and retrieved from its network all responsive information stored at locations in the United States, a process that involves sending a series of queries from Google's headquarters in California to the company's data centers, directing the servers in those data centers to identify, isolate, and retrieve responsive material for Google to produce to the government. See Tr. 6–7, 30–31. All of the Google personnel involved in this process are located in California. See id. at 32. While Google produced to the government all of the responsive information it confirmed was stored in the United States, it did not produce data not known to be located in the United States. See Stip. ¶¶ 7–8. Rather, Google withheld such data based on the Microsoft decision in which the Second Circuit held "the SCA does not authorize a U.S. court to issue and enforce an SCA warrant against a United States-based service provider for the contents of a customer's electronic communications stored on servers located outside the United States." 829 F.3d at 222.²

The government thereafter moved to compel Google to fully comply with each warrant, and the matters were consolidated for argument and disposition. On February 3, 2017, Judge Rueter issued a Memorandum of Decision and Order concluding that requiring Google to fully comply with the warrants did not constitute an extraterritorial application of the SCA and granting the government's motions to compel. Google objects to this Order, taking issue with the Magistrate Judge's extraterritoriality analysis. Following briefing of the issue by the parties and amici,³ this Court held oral argument in this matter on April 18, 2017.

DISCUSSION⁴

The warrants in question were issued pursuant to the SCA, and it is the reach of the SCA's warrant provision that is at issue in this case; hence, the Court's analysis starts with the statute itself. Enacted as part of the Electronic Communications Privacy Act of 1986 (ECPA), the SCA grew out of congressional concern about the lack of privacy protection under existing federal law for electronic communications in the control of third party computer operators.⁵ As the Third Circuit previously observed, the SCA "was born from congressional recognition that neither existing federal statutes nor the Fourth Amendment protected against potential intrusions on individual privacy arising from illicit access to ‘stored communications in remote computing operations and large data banks that stored e-mails.’ " In re Google Inc. Cookie Placement Consumer Privacy Litig. , 806 F.3d 125, 145 (3d Cir. 2015) (quoting Garcia v. City of Laredo , 702 F.3d 788, 791 (5th Cir. 2012) ). The SCA addressed this problem by creating "a set of Fourth Amendment-like privacy protections by statute" for electronic communications held by two types of network service providers: providers of "electronic communication service" and providers of "remote computing service."⁶ See Orin S. Kerr, A User's Guide to the Stored Communications Act, and a Legislator's Guide to Amending It , 72 Geo. Wash. L. Rev. 1208, 1212–14 (2004) ; see also Sams v. Yahoo! Inc. , 713 F.3d 1175, 1179 (9th Cir. 2013).

The SCA's main substantive provisions appear in the first three sections of the Act. Section 2701 prohibits unauthorized access to "a facility through which an electronic communication service is provided," making it unlawful to "intentionally access[ ] without authorization" or to "intentionally exceed an authorization to access" such a facility and thereby to "obtain[ ], alter[ ], or prevent[ ] authorized access to a wire or electronic communication while it is in electronic storage in such system," and providing criminal penalties for a violation.

18 U.S.C. § 2701(a).⁷ This prohibition against unauthorized access does not apply, however, "with respect to conduct authorized ... by the person or entity providing a wire...