Keeping Secrecy the Exception, Not the Rule

This morning we filed a new lawsuit in federal court against the United States government to stand up for what we believe are our customers’ constitutional and fundamental rights – rights that help protect privacy and promote free expression. This is not a decision we made lightly, and hence we wanted to share information on this step and why we are taking it.

An Issue of Fundamental Rights

We believe that with rare exceptions consumers and businesses have a right to know when the government accesses their emails or records. Yet it’s becoming routine for the U.S. government to issue orders that require email providers to keep these types of legal demands secret. We believe that this goes too far and we are asking the courts to address the situation.

To be clear, we appreciate that there are times when secrecy around a government warrant is needed. This is the case, for example, when disclosure of the government’s warrant would create a real risk of harm to another individual or when disclosure would allow people to destroy evidence and thwart an investigation. But based on the many secrecy orders we have received, we question whether these orders are grounded in specific facts that truly demand secrecy. To the contrary, it appears that the issuance of secrecy orders has become too routine.

The urgency for action is clear and growing. Over the past 18 months, the U.S. government has required that we maintain secrecy regarding 2,576 legal demands, effectively silencing Microsoft from speaking to customers about warrants or other legal process seeking their data. Notably and even surprisingly, 1,752 of these secrecy orders, or 68 percent of the total, contained no fixed end date at all. This means that we effectively are prohibited forever from telling our customers that the government has obtained their data.

We believe these actions violate two of the fundamental rights that have been part of this country since its founding. These lengthy and even permanent secrecy orders violate the Fourth Amendment, which gives people and businesses the right to know if the government searches or seizes their property. They also violate the First Amendment, which guarantees our right to talk to customers about how government action is affecting their data. The constitutional right to free speech is subject only to restraints narrowly tailored to serve compelling governmental interests, a standard that is neither required by the statute being applied nor met by the government in practice here.

An Issue with Important Practical Consequences

The issue also has practical implications, and it’s important to consider them.

First, the issue has vital practical ramifications given the evolution of technology. Before the digital age, individuals and businesses stored their most sensitive correspondence and other documents in file cabinets and desk drawers. As computers became prevalent, users moved their materials to local computers and on-premises servers, which continued to remain within a user’s physical possession and control. In both eras, the government had to give notice when it sought a warrant to seize private information and communications, except in the rarest of circumstances.

Cloud computing has spurred a profound change in the storage of private information. Today, individuals increasingly keep their emails and documents on remote servers in data centers – in short, in the cloud. But the transition to the cloud does not alter people’s expectations of privacy and should not alter the fundamental constitutional requirement that the government must – with few exceptions – give notice when it searches and seizes private information or communications.

The same is true for businesses large and small. In the past, when a business’ email server was housed in its own building, the government by definition had to give notice in order to enter the building or otherwise require the business to produce an employee’s emails. Now businesses actively are migrating their information technology infrastructure to servers hosted by cloud service providers. In this new context, the government’s secrecy orders forbid cloud service providers from letting businesses know that the government has obtained their data. Not surprisingly, business customers regularly convey to us their strong desire to know when the government is obtaining their data. And not surprisingly, they want the opportunity for their own lawyers to review the situation and help decide whether to turn over information or contest the issue in court.

In 2013 we committed publicly to challenging individual secrecy orders for legitimate business customers, given our belief that the government can often obtain the information it needs from the headquarters of a business without notifying a specific individual there who is under investigation. In some cases we’ve convinced the government to redirect its request to our business customers. In other cases we’ve litigated the issue, and, in one recent situation, the government argued that we should be held in contempt for refusing to turn over email until a court ruled on the secrecy issue. Fortunately, we prevailed on the contempt issue in that case. But as we’ve monitored requests over time, we’ve concluded that this issue is recurring and needs to be considered in the context of the broader constitutional rights that are at stake.

It’s also important to consider the issue in the practical context of government investigations. Even if there is a solid basis for secrecy at the beginning of an investigation, circumstances can change. The government may drop the investigation or may take some step that alerts an individual to its existence. Yet even then these lengthy or permanent secrecy orders prevent cloud service providers from discussing with the customer the fact that his or her emails were accessed.

An Issue That Calls for a Principled Solution

Whenever we raise concerns such as these, we try to couple our focus on the problem with some suggestions for possible solutions. We definitely appreciate that we do not have all the answers and that others may offer better ideas than we have thought about so far. But we believe it’s important to help think constructively about possible steps forward.

While today’s lawsuit is important, we believe there’s an opportunity for the Department of Justice to adopt a new policy that sets reasonable limitations on the use of these types of secrecy orders. Congress also has a role to play in finding and passing solutions that both protect people’s rights and meet law enforcement’s needs. If the DOJ doesn’t act, then we hope that Congress will amend the Electronic Communications Privacy Act to implement reasonable rules. In fact, secrecy provisions in ECPA today are out of step with other U.S. laws that contain clearer limitations on secrecy provisions and allow law enforcement flexibility for extensions.

If policymakers update the rules governing secrecy orders, we hope they will be guided by three principles that we think are important for our customers and for law enforcement. First, transparency: People have a right to know as soon as reasonably possible when the government serves a provider with a legal demand to access their records or emails. Providers like Microsoft have a right to inform customers and be transparent with the public. Second, digital neutrality: Customers generally shouldn’t be entitled to less notice just because they have moved their emails to the cloud. And finally, necessity: Secrecy orders should be adapted to what’s necessary for the investigation, and no more. If there’s a good reason to justify a secrecy order initially and that reason continues, prosecutors should be able to extend the order based on necessity. If not, we should be able to tell our customer what happened.

As I noted at the beginning, we don’t take lightly this type of action – filing a lawsuit against any government. We only do so when we believe that critical principles and important practical consequences are at stake. Today’s lawsuit is the fourth public case we’ve filed against the U.S. government related to our customers’ right to privacy and transparency. The first lawsuit resulted in a good and appropriate settlement allowing us to disclose the number of legal requests we receive. The second resulted in the government withdrawing a National Security Letter after we challenged a non-disclosure order attached to the letter. The third, a challenge to a U.S. search warrant for customer email in Ireland belonging to a non-US citizen, is pending in the U.S. Court of Appeals for the Second Circuit.

Today’s suit, filed in the U.S. District Court for the Western District of Washington, can be found here.

Ultimately, we view this case as similar to the other three that we have filed. It involves the fundamental right of people and businesses to know when the government is accessing their content and our right to share this information with them.