Microsoft today asked a federal court to invalidate part of a 1986 law that it alleged has been abused by the government when authorities demand the company hand over customers' data, including documents, emails and other information stored in the cloud.
In a lawsuit targeting the U.S. Department of Justice (DOJ) and Attorney General Loretta Lynch, Microsoft asked for a judgment that would declare unconstitutional a section of the Electronic Communications Privacy Act (ECPA), a 30-year-old law that government agencies increasingly cite when forcing email, Internet and cloud storage service providers to hand over data to aid criminal investigations.
Microsoft didn't object to the ECPA as a whole, but to what it said had become the routine issuing of gag orders alongside the demands for data.
"We believe that with rare exceptions consumers and businesses have a right to know when the government accesses their emails or records," said Brad Smith, Microsoft's chief legal officer, in a long post to a company blog Thursday. "Yet it's becoming routine for the U.S. government to issue orders that require email providers to keep these types of legal demands secret."
"This is a very aggressive move on Microsoft's part," said Michael Carroll, a professor of law and director of the Program on Information Justice and Intellectual Property at the American University Washington College of Law, in Washington, D.C. "They're essentially saying, 'I want to violate the gag orders, but I don't want to be sued for doing that.' So they're disputing the constitutionality of the gag orders."
Microsoft ticked off statistics to make its point that secrecy had become habitual: In the last 18 months, the Redmond, Wash. company received 5,624 federal demands for customer information or data. Of those, 2,576, or 48%, were tagged with secrecy orders that prevented Microsoft from telling customers that it had been compelled to hand over their information. About 68% of the gag orders -- 1,752 to be exact -- had no end date. "This means that we effectively are prohibited forever from telling our customers that the government has obtained their data," Smith said.
In the complaint filed with a Seattle federal court, Microsoft said that was unacceptable.
"There may be exceptional circumstances when the government's interest in investigating criminal conduct justifies an order temporarily barring a provider from notifying a customer that the government has obtained the customer's private communications and data," the complaint read. "But Section 2705(b) [of the ECPA] sweeps too broadly."
Microsoft asked the court to strike the section on the grounds that it violates both the First and Fourth Amendments to the Constitution.
"I think this is a smart strategy," Chris Calabrese, vice president of policy at the Center for Democracy and Technology, a Washington, D.C.-based advocacy group, said of Microsoft's lawsuit. "This is important for the courts, and judges, to work out because in a lot of ways, what we need is some clarification on the secrecy [aspects of the orders]."
Calling the ECPA "antiquated," Microsoft hammered on the impact of data demands and gag orders on cloud-based services, the fastest-growing part of its business.
"The government ... has exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations," Microsoft's lawyers asserted. "As individuals and business have moved their most sensitive information to the cloud, the government has increasingly adopted the tactic of obtaining the private digital documents of cloud customers not from the customers themselves, but through legal process directed at online cloud providers like Microsoft."
"Microsoft was like the frog in boiling water," said Jim Dempsey, executive director of the Berkeley Center for Law & Technology at the University of California Berkeley School of Law. "[The gag orders] just got to be too routine. They saw it in individual cases, then in dozens, then hundreds, then thousands. They reached a breaking point, much like Apple did with unlocking orders."
In effect, what Microsoft said in its complaint is that the law has been grossly misused by the government, either through policy or practice. "Microsoft is arguing that this is a systemic problem, and gotten to the point where gag orders are issued on a blanket basis. It's interesting that they've taken the declaratory route, which is almost like a class action. This is a systemic problem [Microsoft argued], and it deserves a systemic solution," Dempsey said.
DOJ spokeswoman Emily Pierce declined to comment on the Microsoft complaint, saying, "We are reviewing the filing."
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.