The "most transparent administration ever" appears to be making no friends in the tech industry. Following its debacle with Apple, the Obama administration now faces a suit from Microsoft that, in their words, stands up for "customers’ constitutional and fundamental rights – rights that help protect privacy and promote free expression." As Microsoft's Brad Smith notes, with rare exceptions consumers and businesses have a right to know when the government accesses their emails or records, and the suit centers around the fact that since cloud storage accelerated, it’s becoming routine for the U.S. government to issue orders that require email providers to keep these types of legal demands secret. Microsoft believe that this goes too far.
As Bloomberg reports, Microsoft Corp. sued the U.S. Justice Department in an attempt to stop the government from forcing it to turn its customers’ e-mails and other data over to law enforcement without their knowledge.
The lawsuit, which names the Justice Department and Attorney General Loretta Lynch, ratchets up the pressure by technology companies against the U.S. government and echoes a struggle by Apple Inc. to protect its customers’ privacy by refusing to undermine the encryption on its iPhones. Microsoft has been fighting the U.S. over customer privacy and its ability to disclose what it’s had to turn over to investigators for more than two years.
Microsoft called the 1986 Electronic Communications Privacy Act unconstitutional, citing its own First Amendment free speech rights and its customers’ Fourth Amendment right to know if the government has searched or seized their property. The law essentially places the company under an unlimited gag order, according to the complaint filed Thursday in U.S. district court in Seattle. While it’s concerned with protecting civil liberties, Microsoft said it also wants to preserve its ability to sell Internet-based services that customers trust.
“It’s very important for businesses to know when the government is accessing their file room, whether the file room is down the hall or in the cloud," said Microsoft President and Chief Legal Officer Brad Smith, noting that consumers and privacy groups have expressed concern about the issue. “People shouldn’t lose their rights simply because technology is moving to the cloud.”
Redmond, Washington-based Microsoft argues that the statute violates the company’s First Amendment free-speech rights by placing it under an unlimited gag order and customers’ Fourth Amendment right to know if the government has searched or seized their property.
The rapid growth of cloud computing, in which customer data is stored by providers like Microsoft, Apple Inc., Amazon.com Inc. and Google Inc. in the technology companies’ own data centers, has increased both the frequency of warrants seeking data and government abuse of its search powers, Microsoft said in the filing. The law in question predates the invention of the World Wide Web by three years, and was enacted more than two decades before widespread use of cloud computing, Microsoft said. But, according to the complaint below...
The government, however, has exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations. As individuals and business have moved their most sensitive information to the cloud, the government has increasingly adopted the tactic of obtaining the private digital documents of cloud customers not from the customers themselves, but through legal process directed at online cloud providers like Microsoft. At the same time, the government seeks secrecy orders under 18 U.S.C. § 2705(b) to prevent Microsoft from telling its customers (or anyone else) of the government’s demands.
These secrecy orders generally assert that abiding by the centuries-old requirement of seeking evidence directly from its owner would jeopardize the government’s investigation. Most of the time, these secrecy orders prohibit notification for unreasonably long (or even unlimited) periods of time, which Section 2705(b) permits whenever a court has “reason to believe” any of several adverse consequences might otherwise ensue—including any time notice would “seriously jeopardiz[e] an investigation or unduly delay[] a trial.”
As Microsoft details on their blog, Keeping secrecy the exception, not the rule: An issue for both consumers and businesses...
This morning we filed a new lawsuit in federal court against the United States government to stand up for what we believe are our customers’ constitutional and fundamental rights – rights that help protect privacy and promote free expression. This is not a decision we made lightly, and hence we wanted to share information on this step and why we are taking it.
An issue of fundamental rights
We believe that with rare exceptions consumers and businesses have a right to know when the government accesses their emails or records. Yet it’s becoming routine for the U.S. government to issue orders that require email providers to keep these types of legal demands secret. We believe that this goes too far and we are asking the courts to address the situation.
To be clear, we appreciate that there are times when secrecy around a government warrant is needed. This is the case, for example, when disclosure of the government’s warrant would create a real risk of harm to another individual or when disclosure would allow people to destroy evidence and thwart an investigation. But based on the many secrecy orders we have received, we question whether these orders are grounded in specific facts that truly demand secrecy. To the contrary, it appears that the issuance of secrecy orders has become too routine.
The urgency for action is clear and growing. Over the past 18 months, the U.S. government has required that we maintain secrecy regarding 2,576 legal demands, effectively silencing Microsoft from speaking to customers about warrants or other legal process seeking their data. Notably and even surprisingly, 1,752 of these secrecy orders, or 68 percent of the total, contained no fixed end date at all. This means that we effectively are prohibited forever from telling our customers that the government has obtained their data.
We believe these actions violate two of the fundamental rights that have been part of this country since its founding. These lengthy and even permanent secrecy orders violate the Fourth Amendment, which gives people and businesses the right to know if the government searches or seizes their property. They also violate the First Amendment, which guarantees our right to talk to customers about how government action is affecting their data. The constitutional right to free speech is subject only to restraints narrowly tailored to serve compelling governmental interests, a standard that is neither required by the statute being applied nor met by the government in practice here.
An issue with important practical consequences
The issue also has practical implications, and it’s important to consider them.
First, the issue has vital practical ramifications given the evolution of technology. Before the digital age, individuals and businesses stored their most sensitive correspondence and other documents in file cabinets and desk drawers. As computers became prevalent, users moved their materials to local computers and on-premises servers, which continued to remain within a user’s physical possession and control. In both eras, the government had to give notice when it sought a warrant to seize private information and communications, except in the rarest of circumstances.
Cloud computing has spurred a profound change in the storage of private information. Today, individuals increasingly keep their emails and documents on remote servers in data centers – in short, in the cloud. But the transition to the cloud does not alter people’s expectations of privacy and should not alter the fundamental constitutional requirement that the government must – with few exceptions – give notice when it searches and seizes private information or communications.
The same is true for businesses large and small. In the past, when a business’ email server was housed in its own building, the government by definition had to give notice in order to enter the building or otherwise require the business to produce an employee’s emails. Now businesses actively are migrating their information technology infrastructure to servers hosted by cloud service providers. In this new context, the government’s secrecy orders forbid cloud service providers from letting businesses know that the government has obtained their data. Not surprisingly, business customers regularly convey to us their strong desire to know when the government is obtaining their data. And not surprisingly, they want the opportunity for their own lawyers to review the situation and help decide whether to turn over information or contest the issue in court.
In 2013 we committed publicly to challenging individual secrecy orders for legitimate business customers, given our belief that the government can often obtain the information it needs from the headquarters of a business without notifying a specific individual there who is under investigation. In some cases we’ve convinced the government to redirect its request to our business customers. In other cases we’ve litigated the issue, and, in one recent situation, the government argued that we should be held in contempt for refusing to turn over email until a court ruled on the secrecy issue. Fortunately, we prevailed on the contempt issue in that case. But as we’ve monitored requests over time, we’ve concluded that this issue is recurring and needs to be considered in the context of the broader constitutional rights that are at stake.
It’s also important to consider the issue in the practical context of government investigations. Even if there is a solid basis for secrecy at the beginning of an investigation, circumstances can change. The government may drop the investigation or may take some step that alerts an individual to its existence. Yet even then these lengthy or permanent secrecy orders prevent cloud service providers from discussing with the customer the fact that his or her emails were accessed.
An issue that calls for a principled solution
Whenever we raise concerns such as these, we try to couple our focus on the problem with some suggestions for possible solutions. We definitely appreciate that we do not have all the answers and that others may offer better ideas than we have thought about so far. But we believe it’s important to help think constructively about possible steps forward.
While today’s lawsuit is important, we believe there’s an opportunity for the Department of Justice to adopt a new policy that sets reasonable limitations on the use of these types of secrecy orders. Congress also has a role to play in finding and passing solutions that both protect people’s rights and meet law enforcement’s needs. If the DOJ doesn’t act, then we hope that Congress will amend the Electronic Communications Privacy Act to implement reasonable rules. In fact, secrecy provisions in ECPA today are out of step with other U.S. laws that contain clearer limitations on secrecy provisions and allow law enforcement flexibility for extensions.
If policymakers update the rules governing secrecy orders, we hope they will be guided by three principles that we think are important for our customers and for law enforcement. First, transparency: People have a right to know as soon as reasonably possible when the government serves a provider with a legal demand to access their records or emails. Providers like Microsoft have a right to inform customers and be transparent with the public. Second, digital neutrality: Customers generally shouldn’t be entitled to less notice just because they have moved their emails to the cloud. And finally, necessity: Secrecy orders should be adapted to what’s necessary for the investigation, and no more. If there’s a good reason to justify a secrecy order initially and that reason continues, prosecutors should be able to extend the order based on necessity. If not, we should be able to tell our customer what happened.
As I noted at the beginning, we don’t take lightly this type of action – filing a lawsuit against any government. We only do so when we believe that critical principles and important practical consequences are at stake. Today’s lawsuit is the fourth public case we’ve filed against the U.S. government related to our customers’ right to privacy and transparency. The first lawsuit resulted in a good and appropriate settlement allowing us to disclose the number of legal requests we receive. The second resulted in the government withdrawing a National Security Letter after we challenged a non-disclosure order attached to the letter. The third, a challenge to a U.S. search warrant for customer email in Ireland belonging to a non-US citizen, is pending in the U.S. Court of Appeals for the Second Circuit.
Today’s suit, filed in the U.S. District Court for the Western District of Washington, can be found here.
Ultimately, we view this case as similar to the other three that we have filed. It involves the fundamental right of people and businesses to know when the government is accessing their content and our right to share this information with them.
* * *
Full Microsoft Complaint below...
http://www.scribd.com/embeds/308629738/content