Microsoft is suing the US government over the issue of user privacy. News of the lawsuit was provided in a blog late yesterday by Brad Smith, President and Chief Legal Officer, Microsoft. At the heart of the lawsuit is the constant barrage of secretive demands for access to users data from the US Government to Microsoft and other tech companies.
This is a thorny issue inside the US at the moment. Microsoft has enjoyed substantial support from other tech companies over the issue of user data stored in Ireland. In return it has vocally supported Apple in its recent court battle with the FBI. Like many other tech companies Microsoft is very concerned over the recent Feinstein-Burr bill that would seek to force tech companies to unencrypt any and all data upon demand from ANY US court.
What is this case about?
This particular case is about the use of secret warrants where the US Government demands access to data in such a way that Microsoft is unable to inform the user their data has been accessed. In his blog Smith says: “with rare exceptions consumers and businesses have a right to know when the government accesses their emails or records.”
Smith is not saying that there is no case where secrecy is warranted and neither are any other tech companies. In his blog Smith says: “we appreciate that there are times when secrecy around a government warrant is needed. This is the case, for example, when disclosure of the government’s warrant would create a real risk of harm to another individual or when disclosure would allow people to destroy evidence and thwart an investigation.”
The concern for Smith and other companies holding data is the frequency of secret orders compared with normal court requests. According to Smith: “it’s becoming routine for the U.S. government to issue orders that require email providers to keep these types of legal demands secret.” He goes on to add: “we question whether these orders are grounded in specific facts that truly demand secrecy. To the contrary, it appears that the issuance of secrecy orders has become too routine.”
To give some idea of the scale of the issue from Microsoft’s perspective Smith disclosed that the number of secrecy order demanding data was 2,576 in the last 18 months. Of those demands Smith added 1,752 of those had no fixed end date. This means that not only is Microsoft being ordered to hand over user data but in the case of those 1,752 users it is acting as an ongoing data collection agent for the US Government.
All of this, Smith believes, is not only excessive but it violates fundamental rights that have been part of the US constitution. Smith claims that users First and Fourth Amendment rights are being violated on a continual and ongoing basis.
The price of going digital
One of the things enabling the US Government to issue these secret warrant is the evolution of technology. When data was stored on paper or digitised and held in company owned data centres any attempt, short of covert operations and hackers stealing the data, they would have been aware of the accessing of their data.
What is enabling the secret warrants and access of data is, according to Smith, cloud computing. As the companies no longer maintain their own data they are unaware that the cloud provider has been orderd to, and complied with, handing over their data. Smith believes that just because technology has changed, the right to privacy has not.
This is not a new argument. In the 1980’s the UK Government found itself struggling with the concept of hacking. The laws understood breaking and entering and theft of property but they related to physical premises and property. The concept of someone breaking into a computer system and stealing data was outside of the legal framework.
When Robert Schifreen and the late Steve Gold were charged with hacking the emails of Prince Philip in 1985, the best the UK legal system could do was attempt to charge them with forgery. That was later overturned on appeal and eventually lead to the Computer Misuse Act 1990. Since then some laws have caught up with the digital world but not all.
There is another dimension to this. Cloud computing does not mean that the data is stored on US territories. As with the Microsoft case where the US courts want access to data stored in a Dublin server, access to overseas data is a minefield of legal issues with extraterritoriality just one of them. This is where a country tries to impose its laws on another country. Such actions have also had consequences elsewhere such as in the EU and specifically in Germany and Russia where cloud providers are now building new data centres to keep data in-country.
The recent collapse of the Safe Harbor data agreement between the US and the EU was also brought about in no small part by the use of secret warrants to access data. The replacement for that, the Privacy Shield, still provides no EU approved protection for bulk collection of data and stands a very good chance of being rejected.
In his blog, Smith goes on to highlight Microsoft’s public statement in 2013 to challenge secret warrants. He claims that this has already caused some investigations to be redirected to the corporate offices of its customers rather than Microsoft have to give up data. While he gives no numbers on this it is notable that there have been some successes and demonstrates that some of the requests are perhaps spurious.
So what is the solution?
Smith believes that there are three steps that policymakers need to abide by when updating the rules for secret orders. These are:
- Transparency: People have a right to know as soon as reasonably possible when the government serves a provider with a legal demand to access their records or emails. Providers like Microsoft have a right to inform customers and be transparent with the public.
- Digital neutrality: Customers generally shouldn’t be entitled to less notice just because they have moved their emails to the cloud.
- Necessity: Secrecy orders should be adapted to what’s necessary for the investigation, and no more. If there’s a good reason to justify a secrecy order initially and that reason continues, prosecutors should be able to extend the order based on necessity. If not, we should be able to tell our customer what happened.
Smith closed his blog saying: “we don’t take lightly this type of action – filing a lawsuit against any government. We only do so when we believe that critical principles and important practical consequences are at stake. Today’s lawsuit is the fourth public case we’ve filed against the U.S. government related to our customers’ right to privacy and transparency.” So what of those other three cases. Microsoft is claiming victory in two while the third, the Dublin issue, is still part of an appeal process.
This is a very public and important intervention by a US company over the use of secret warrants and orders. Microsoft, perhaps because of its size, believes that it is best placed to bring this action which will not just protect its own customers but should also garner wide support from the tech industry, consumer groups, privacy campaigners and the very vocal US civil liberties organisations.
There is also a wider play here. Satya Nadella is moving Microsoft firmly into the cloud for both consumers and businesses. Without protection for customers Microsoft could find itself losing business and incurring significant costs. The idea of deploying lots of smaller data centres just to meet privacy demands around the work goes counter to the hyper-scale data centres that cloud demands.