Privacy in the spotlight: Microsoft sues Department of Justice for not allowing transparency about data access requests
In light of Edward Snowden's surveillance revelations, regular transparency reports from technology companies about the requests they have received from governments about data requests have become very common. But despite the name, transparency reports are not very transparent -- there are great restrictions on what companies like Microsoft are able to report. The company believes this is unconstitutional.
The restrictions are so strict that it is not even possible to precisely report the number of requests for user data that have been received. Instead, this data must be conveyed in bands such as 0-499, 500-999, and so on. Now Microsoft has had enough. There are privacy concerns, of course, but most disturbing is that in half of cases of requests for customer data, Microsoft has been gagged from letting those affected know about the governmental interest. As a result, Microsoft has decided to sue the Department of Justice in a bid to be more transparent.
In its lawsuit, Microsoft harks back to a different era, saying that in the days before the internet "the government had to give notice when it sought private information and communications" that was stored in hard copy or locally. But with Microsoft's -- and other companies' -- predilection for the cloud, it has become far easier for the government to demand instant access to private data that might otherwise have stayed out of sight.
Bringing its case against the Department of Justice, Microsoft says:
Microsoft brings this case because its customers have a right to know when the government obtains a warrant to read their emails, and because Microsoft has a right to tell them. Yet the Electronic Communications Privacy Act (ECPA) allows courts to order Microsoft to keep its customers in the dark when the government seeks their email content or other private information, based solely on a 'reason to believe' that disclosure might hinder an investigation. Nothing in the statute requires that the 'reason to believe' be grounded in the facts of the particular investigation, and the statute contains no limit on the length of time such secrecy orders may be kept in place. 18 U.S.C. § 2705(b). Consequently, as Microsoft's customers increasingly store their most private and sensitive information in the cloud, the government increasingly seeks (and obtains) secrecy orders under Section 2705(b).
More than this, Microsoft accuses the government of taking advantage of the move to the cloud to its own advantage, whilst exploiting tech companies:
The government, however, has exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations. As individuals and business have moved their most sensitive information to the cloud, the government has increasingly adopted the tactic of obtaining the private digital documents of cloud customers not from the customers themselves, but through legal process directed at online cloud providers like Microsoft.
In the space of 18 months, Microsoft says that it received no fewer than 5,624 requests from the US government for access to customer data. Nearly half of these were subject to secrecy orders which prevented Microsoft from informing anyone about the request. In many instances, these secrecy orders had no time limit, meaning that this restriction would never be lifted.
Microsoft says that the First Amendment means that customers should be told when such requests are made and argues that "antiquated laws" are being applied to data in the cloud.
This is an extremely interesting case, and not just because it involves a huge name like Microsoft coming up against the Department of Justice. With Microsoft's contemporaries -- Apple, Google, at al -- all subject to the same restrictions, the outcome of this case could have far-reaching consequences.