Microsoft is stepping up the campaign by technology firms against US government surveillance with a legal case aimed at winning the right to tell customers when their data is being monitored.
The move comes just weeks after technology firms rallied around Apple in the face of FBI demands that the iPhone maker create software to bypass security features on the device to access stored data.
The tech firms are calling on government to balance privacy with national security in both the US and the UK, where the government is putting the finishing touches to its controversial Investigatory Powers Bill. The tech firms say the bill lacks clarity around encryption, judicial authorisation, bulk collection, transparency, judicial process, oversight, and network integrity and cyber security requirements.
Microsoft is the latest technology firm to push back against the secrecy of US government data access requests, which it claims are rapidly increasing in number.
The legal case challenges the constitutionality of section 2705(b) of the US Electronic Communications Privacy Act, which allows the government to obtain secrecy orders preventing companies from letting their customers know when their data is the target of a federal warrant.
Microsoft argues that the law contravenes citizens’ Fourth Amendment constitutional right to be informed if the government searches or seizes their property, and the company’s First Amendment right to talk to its customers about how government actions affect their data.
Exploiting move to cloud
According to Microsoft, the US government has required it to maintain secrecy about 2,576 legal demands in the past 18 months, with 68% having no fixed end date, effectively preventing the company from ever telling affected customers the government has obtained their data.
“We believe that, with rare exceptions, consumers and businesses have a right to know when the government accesses their emails or records,” said Brad Smith, president and chief legal officer at Microsoft.
“Yet it’s becoming routine for the US government to issue orders that require email providers to keep these types of legal demands secret. We believe that this goes too far and we are asking the courts to address the situation,” Smith wrote in a blog post.
In court documents, Microsoft said: “People do not give up their rights when they move their private information from physical storage to the cloud,” reports Reuters.
Microsoft added that the government had exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations.
Smith said that, while Microsoft appreciates that there are times when secrecy around a government warrant is needed – such as when disclosure would allow people to destroy evidence – the company questions whether these orders are grounded in specific facts that truly demand secrecy.
“To the contrary, it appears that the issuance of secrecy orders has become too routine,” he said.
Call for limits on secrecy orders
Microsoft is calling for the US Department of Justice to adopt a policy setting reasonable limitations on the use of secrecy orders – failing which, it wants Congress to amend the Electronic Communications Privacy Act to implement “reasonable rules”.
“If there’s a good reason to justify a secrecy order initially and that reason continues, prosecutors should be able to extend the order based on necessity. If not, we should be able to tell our customer what happened,” Smith said.
The case is the fourth public case Microsoft has filed against the US government related to customers’ rights to privacy and transparency.
The first lawsuit enabled Microsoft to disclose the number of legal data access requests the company receives, and the second resulted in the government withdrawing a National Security Letter after the company challenged a non-disclosure order attached to the letter.
The third, a challenge to a US search warrant for customer email in Ireland belonging to a non-US citizen, is pending in the US Court of Appeals for the Second Circuit.
Microsoft’s latest case against the US government, and the submissions by technology firms over concerns about the UK’s Investigatory Powers Bill, underline the fact that it is bad for tech firms’ business if governments are allowed to access data in the cloud without proper checks and balances.
Tech firms threaten to leave UK
In the UK, some technology firms have indicated that they have contingency plans to leave the country if the final draft of the bill does not make clear that it will not require weakened encryption or back-door access.
In its report on the Investigatory Powers Bill, Parliament’s Science and Technology Committee said the bill is too vague and needs to be redrafted to avoid economic damage.
The call was welcomed by technology industry association TechUK, which urged the government to “take on board” the committee’s recommendations.
Although some revisions have been made, technology firms are urging further changes.
In a written submission to the House of Commons Public Bill Committee – which is currently examining the bill – technology firms Apple, Facebook, Google, Microsoft, Twitter and Yahoo reiterated their concerns.
“As we made clear in our evidence to the joint committee, the actions the UK government takes here could have far-reaching implications – for British citizens, our users and for the future of the global technology industry.
“Decisions made today about UK legislation will set precedents which may be copied elsewhere and have wider ramifications for all parties, both in the UK and overseas,” the technology firms said.