Bekker's Blog

Blog archive

On the Offensive: Microsoft Sues U.S. Government over Secrecy Orders

On the theory that sometimes the best defense is a good offense, Microsoft struck out at the U.S. Department of Justice and U.S. Attorney General Loretta Lynch with a lawsuit on Thursday.

The suit tacitly acknowledges one of the most powerful objections to using cloud services, in which a megavendor like Microsoft stores much of the most vital data for millions of customers in, virtually, one place. While centralizing that data under one vendor's control brings powerful cost efficiencies and delivers enterprise-class features for small customers and even home users, it also becomes an extremely attractive target for criminal hackers, spies and government investigators.

The specific parts of that objection that Microsoft is tackling with its lawsuit Thursday are two investigative practices of the U.S. government. One is investigators demanding customers' data directly from cloud providers like Microsoft, rather than from the customers' themselves. The second practice is obtaining secrecy orders under the Electronic Communications Privacy Act (ECPA) that bars Microsoft from telling customers, often indefinitely, about the seizures.

"Microsoft brings this case because its customers have a right to know when the government obtains a warrant to read their emails, and because Microsoft has a right to tell them," reads the opening line of the 17-page complaint for declaratory judgment filed in the U.S. District Court, Western District of Washington at Seattle.

In the court filing, Microsoft argues that the twin practices are unconstitutional, violating both customers' Fourth Amendment protections against unreasonable searches because they don't know the searches occur, and Microsoft's First Amendment right to tell customers what has happened.

To document the scope of the problem, Microsoft noted in the filing that between September 2014 and March 2016, it received 5,624 federal demands for customer information or data, nearly half were accompanied by secrecy orders, and 1,752 of those secrecy orders contained no time limit.

Referring to a pre-cloud era when individuals and businesses stored their data first in file cabinets and later in PCs and on-premises servers, Microsoft's lawsuit contends that those individuals knew they were under investigation because they could watch authorities parading through their offices and leaving with their files or hardware.

"The government, however, has exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations. As individuals and business have moved their most sensitive information to the cloud, the government has increasingly adopted the tactic of obtaining the private digital documents of cloud customers not from the customers themselves, but through legal process directed at online cloud providers like Microsoft," the complaint states.

Partners got a taste of Microsoft's increased focus on protecting data from the government in July when Brad Smith, now president and chief legal officer of Microsoft, spoke for the first time at the Microsoft Worldwide Partner Conference.

In its complaint, Microsoft doesn't directly argue that current U.S. government policies threaten its cloud business model or make note of the international mood of distrust surrounding U.S.-based multinational companies.

However, one argument in the filing hints strongly at how much Microsoft perceives itself as being in a defensive crouch:

"These twin developments -- the increase in government demands for online data and the simultaneous increase in secrecy -- have combined to undermine confidence in the privacy of the cloud and have impaired Microsoft's right to be transparent with its customers, a right guaranteed by the First Amendment."

Posted by Scott Bekker on April 14, 2016