Microsoft's decision to take on the U.S. government's habit of stamping "Secret" on court orders demanding data stored on the company's servers was largely motivated by business concerns, a legal expert said Thursday.
The Redmond, Wash. firm also implied that business reasons drove it to ask that a section of a 1986 law be declared unconstitutional.
"The government's secrecy orders forbid cloud service providers from letting businesses know that the government has obtained their data," said Brad Smith, Microsoft's chief legal officer, in a post to a company blog yesterday. "Not surprisingly, business customers regularly convey to us their strong desire to know when the government is obtaining their data. And not surprisingly, they want the opportunity for their own lawyers to review the situation and help decide whether to turn over information or contest the issue in court."
In too many instances, that's not possible, Microsoft argued Thursday when it sued the U.S. Department of Justice (DOJ) and Attorney General Loretta Lynch.
The lawsuit asked for a judgment declaring unconstitutional part of the Electronic Communications Privacy Act (ECPA), a 30-year-old law that government agencies increasingly cite when forcing email, Internet and cloud storage service providers to hand over data to aid criminal investigations.
Smith in his post, and Microsoft in the complaint filed with a Seattle federal court, alleged that the government has been routinely putting gag orders on data demands. Of the 5,624 federal requests over the last 18 months, 48% were accompanied by a gag order that forbid Microsoft from informing customers that their data had been given to authorities. More than two-thirds of the gag orders did not have a fixed end date.
"This means that we effectively are prohibited forever from telling our customers that the government has obtained their data," Smith said.
While Smith characterized the lawsuit as an attempt to restore "our customers' constitutional and fundamental rights -- rights that help protect privacy and promote free expression," the battle was also fought because Microsoft is concerned that the government's actions risk its fastest-growing businesses, its cloud-based Azure platform and Office 365.
Microsoft's motivation came from business customers who worry that their cloud-stored emails, documents and other data are being accessed without their knowledge, said Michael Carroll, a professor of law and director of the Program on Information Justice and Intellectual Property at the American University Washington College of Law, in Washington, D.C.
"'What does it mean when I move my data to the cloud?'" Carroll said, taking the role of a business that has, or is considering, migrating some or all of its on-premises infrastructure to Microsoft's data centers. Uncertainty about who accesses data, and when, generates what Carroll called "business blowback," and hesitancy to shift to the cloud.
"Businesses want a more certain legal environment," said Carroll. "Having the secrecy [of the gag orders] as a standard part of data requests is not going to work for them."
By taking the government to court, Microsoft is trying to clarify that "legal environment" for its customers, said Carroll.
While Carroll and other legal experts who spoke to Computerworld declined to predict the outcome of Microsoft's lawsuit, they all agreed that the company forced the issue to roll back the habitual use of gag orders.
"Microsoft is signaling that there's a problem that needs fixing," said Carrol. "The signal is to both Justice and Congress."
"In the cloud environment, where data is stored with a third party, obviously Microsoft gets notice when the warrant is served, but that's not good enough," echoed James Dempsey, executive director of the Berkeley Center for Law & Technology at the University of California Berkeley School of Law. "Constitutionally, the person whose privacy has been infringed deserves to see the notice. [But the law] is out of sync with how people use cloud services today."
Not surprisingly, that was a large part of Microsoft's argument.
"The transition to the cloud does not alter the fundamental constitutional requirement that the government must -- with few exceptions -- give notice when it searches and seizes the private information or communications of individuals or businesses," Microsoft's complaint stated. "People do not give up their rights when they move their private information from physical storage to the cloud."