Microsoft has announced that it will drop its lawsuit against the US government after the Department of Justice said that it will use fewer secrecy orders when making requests for user information.
Microsoft's battle has been running since April last year, and it gained support from the likes of Mozilla, the EFF, Google and Apple. The company was not happy that gagging orders prevented it from telling customers when investigators requested access to their data. The move by the DOJ is described by Microsoft president and chief legal officer Brad Smith as an "important step for both privacy and free expression," and a step to "protect the constitutional rights of all Americans."
The DOJ's actions should see not only a reduction in the number of gagging orders that are issued, but the introduction of time limits on their lifespan. Microsoft had argued that the government's use of indefinite gagging orders was a violation of the Fourth Amendment, as well as its own First Amendment right to free speech.
Announcing Microsoft's plans to drop its lawsuit, Smith says:
The Department of Justice (DOJ) today established a new policy to address these issues. This new policy limits the overused practice of requiring providers to stay silent when the government accesses personal data stored in the cloud. It helps ensure that secrecy orders are used only when necessary and for defined periods of time. This is an important step for both privacy and free expression. It is an unequivocal win for our customers, and we're pleased the DOJ has taken these steps to protect the constitutional rights of all Americans.
He explains that the mere fact that customers are storing data in the cloud should not mean that they waive the rights and protections afforded to them under the Constitution:
We were not alone in this belief, as a diverse and broad array of companies, academics, business groups, civil liberties organizations and former law-enforcement officials signed amicus briefs in support of our position in the case.
We understand there are instances in which the government might need a secrecy order for legitimate reasons. This could include situations where disclosing the government's request for data could create a risk of harm to an individual. It could also include cases where disclosure would thwart the government’s investigation, or lead to the destruction of evidence.
But our lawsuit was based on a growing and disturbing trend. We highlighted the fact that the government appeared to be overusing secrecy orders in a routine fashion -- even where the specific facts didn't support them -- and were seeking indefinite secrecy orders in a large number of cases. When we filed our case we explained that in an 18-month period, 2,576 of the legal demands we received from the U.S. government included an obligation of secrecy, and 68 percent of these appeared to be indefinite demands for secrecy. In short, we were prevented from ever telling a large number of customers that the government had sought to access their data.
But while Smith welcomes the move by the government, he says there is still more to do and calls upon Congress to make further amendments to the Electronic Communications Privacy Act (ECPA):
Specifically, the U.S. Senate should advance the ECPA Modernization Act of 2017, introduced in July by Sens. Mike Lee, R-Utah, and Patrick Leahy, D-Vermont. This bill includes a provision that addresses secrecy orders. This action would build on the bipartisan work of the U.S. House of Representatives, which has twice passed ECPA reform legislation -- unanimously last session and by voice vote earlier this year -- under the leadership of Chairman Bob Goodlatte, R-Virginia, Rep. Kevin Yoder, R-Kansas, and Rep. Jared Polis, D-Colorado. It is time to update this outdated 1986 law that regulates government access to contemporary electronic communications.