Apple’s case against the federal government over the San Bernardino shooter’s iPhone has dominated headlines for several months, but it’s not the only company pushing back against the federal government’s surveillance machine. Microsoft filed suit against the Department of Justice today and asked the court to declare a critical section of the Electronic Communications Privacy Act unconstitutional.
The relevant section of law, Section 2705(b), allows the government to order “a provider of electronic communications service or remote computing service” not to disclose the fact that said person’s communications have been accessed for an indefinite period of time. This isn’t meant to give the government carte blanche to spy on its citizens, and the law spells out the scenarios under which Section 2705(b) applies. These include:
(1) endangering the life or physical safety of an individual;
(2) flight from prosecution;
(3) destruction of or tampering with evidence;
(4) intimidation of potential witnesses; or
(5) otherwise seriously jeopardizing an investigation or unduly delaying a trial.
Microsoft has filed suit against the government for two reasons. First, because it feels the government increasingly uses these orders to choke any discussion of its own practices rather than confining them to the justifications listed above. Second, because the government is issuing thousands of demands for information per year without ever providing an end-date. In the words of Brad Smith, Microsoft’s president and chief legal officer:
Over the past 18 months, the U.S. government has required that we maintain secrecy regarding 2,576 legal demands, effectively silencing Microsoft from speaking to customers about warrants or other legal process seeking their data. Notably and even surprisingly, 1,752 of these secrecy orders, or 68 percent of the total, contained no fixed end date at all. This means that we effectively are prohibited forever from telling our customers that the government has obtained their data.
We believe these actions violate two of the fundamental rights that have been part of this country since its founding. These lengthy and even permanent secrecy orders violate the Fourth Amendment, which gives people and businesses the right to know if the government searches or seizes their property. They also violate the First Amendment, which guarantees our right to talk to customers about how government action is affecting their data. The constitutional right to free speech is subject only to restraints narrowly tailored to serve compelling governmental interests, a standard that is neither required by the statute being applied nor met by the government in practice here.
Microsoft is raising these issues now partly because Congress has signaled some willingness to address some critical privacy issues related to digital records. Currently, under US law, the government doesn’t need a warrant to read emails more than six months old, period. All that’s required is a simple subpoena. The House Judiciary Committee just voted unanimously to approve the Email Privacy Act, which would require law enforcement to produce a warrant in order to access this information.
The Email Privacy Act as currently written doesn’t address the concerns Microsoft is raising in its lawsuit, but it may signal renewed willingness on Capitol Hill to confront some of the privacy issues raised by both the NSA’s mass surveillance of Americans and the simple fact that people now share their lives with cloud providers in ways that were never before possible.
Microsoft isn’t arguing that the government should be forbidden to access information in exceptional cases, but that Section 2705(b) gives too much power to the government. It sets no limits on surveillance, does not require the government to justify its actions, and does not allow for a review of the surveillance order in the event that circumstances change. The company is also arguing that Section 2705(b) violates the Fourth Amendment’s prohibition against unreasonable search and seizure, stating:
The Fourth Amendment’s requirement that government engage only in “reasonable” searches necessarily includes a right for people to know when the government searches or seizes their property… Section 2705(b) subjects Microsoft’s cloud customers to a different standard merely because of how they store their communications and data: the statute provides a mechanism for the government to search and seize customers’ private information without notice to the customer, based upon a constitutionally insufficient showing. In so doing, Section 2705(b) falls short of the intended reach of Fourth Amendment protections, which do not depend on the technological medium in which private “papers and effects” are stored.
I’ve criticized some of Microsoft’s data-hoovering practices around Windows 10, and I stand by those criticisms — but I’m also glad to see the company raising the question of how user privacy should be protected in the digital age. Companies like Apple, Google, and Microsoft have their own reasons for supporting stronger protections for personal privacy, including wanting to reassure foreign users and clients that they aren’t bending over to give the US government free access to their own databases. The fact that Silicon Valley has its own reasons for supporting increased user privacy in some areas doesn’t mean they want to curb their own data gathering — but it does mean there are multiple areas where groups with disparate interests can find common ground. Hopefully Microsoft’s willingness to challenge the government’s use of secrecy orders is the beginning of a trend, not a rare once-off.