Search Warrants for Electronic Records

Speaking of media neutrality … a US judge has ruled that a search warrant served on Microsoft in the US required the company to divulge records stored on servers outside the US. An account of the decision is here.

The company argued that the court could authorize a search only of premises within the territory of the court’s jurisdiction. The court held that a search warrant that applied to electronic records was in the nature of a subpoena as well as a search warrant. Since MS had control of the documents, it had to turn them over.

Does this make sense to you? There has long been a debate about whether a warrant to search a computer extended to anything accessible by that computer (a company’s network, for example, not just the files in a particular hard drive). As someone put it, is the computer like a box or like a window? There have also been debates about the privacy implicaitions for employees of searching employers’ computers (R v Cole in the SCC, for example.)

You may recall the ruling of the Federal Court of Canada that e-Bay had to turn over to the Canada Revenue Agency records of its ‘power sellers’ resident in Canada, even though the records were on a server in the US. The company’s power to access the data in Canada made it compellable by the tax authorities. Is the e-Bay case different from this new Microsoft decision in the US? Does it matter that the former was about the inspection powers of the tax authorities and the latter about search warrants?

Can or should the common law figure out how far a search or inspection power extends in the digital world, or should legislatures deal with this because of the sometimes dramatic implications?

Comments

  1. David Collier-Brown

    From a privacy and public-policy standpoint, I’d welcome arguments that the question is one of *control*.

    If I pay for a record storage service in a foreign jurisdiction and I get a Canadian subpoena concerning records under my control, I’d expect to have to produce the records. I in fact have such, and the person who I created them for specifically consents to this.

    If I had an arms-length relationship with a foreign firm, and they had records about me or my customers, I wouldn’t expect to be able to produce them.

    If I were a company and had a foreign subsidiary, then I might have to produce them, if I had the right to demand them from my subsidiary.

    If I had no right to the records, I would expect to be refused, even by a subsidiary. The subsidiary could then obey it’s local laws, and produce or not produce the records if a Canadian court applied for them. Similarly, if asked by a local court, they could produce or not produce them according to local law. This too my customer specifically accepted, for a service in the U.S.

    Whether this is a good criteria or not might be tested by looking at a good cross-section of other historical cross-border debates, notably with the Swiss over banking records, and contrasting the current and recent cases with long-standing practice.