Getty Images

Microsoft drops lawsuit after US revises data access policy

Microsoft has dropped a lawsuit pushing for reforms of state surveillance practices in response to changes in US data access request policy, but says more reform is necessary

Microsoft has responded to changes in US data access request policy by withdrawing a legal case against the US government over privacy rights.

The case was filed in April 2016 as part of the company’s fight against a US law that prevented companies from telling customers the government had requested their data.

Following whistleblower Edward Snowden’s revelations about mass surveillance in 2013, Microsoft was among several big US technology firms calling for surveillance reforms because of concerns that public loss of trust would hurt their businesses.

The case attracted the support of other tech firms, such as Apple, Google, Amazon, Cisco Systems and Mozilla, as well the US Chamber of Commerce, the National Association of Manufacturers, Delta, Eli Lilly, BP America, the Washington Post, Fox News, the National Newspaper association, the Electronic Frontier Foundation (EFF) and several other organisations.

But Microsoft is taking steps to dismiss the case after the Department of Justice (DOJ) set out a policy to address concerns about people’s privacy rights when they store personal information in the cloud.

“This new policy limits the overused practice of requiring providers to stay silent when the government accesses personal data stored in the cloud,” said Brad Smith, Microsoft president and chief legal officer.

“It helps ensure that secrecy orders are used only when necessary and for defined periods of time. This is an important step for both privacy and free expression. It is an unequivocal win for our customers, and we’re pleased the DOJ has taken these steps to protect the constitutional rights of all Americans,” he wrote in a blog post.

US government sought orders in ‘routine fashion’

Until now, Smith said the US government routinely sought and obtained orders requiring email providers to not tell their customers when the government takes their personal email or records. 

Sometimes these orders do not include a fixed end date, added Smith, effectively prohibiting service providers from ever telling customers that the government has obtained their data.

“As we said when we filed the lawsuit, we believe customers have a constitutional right to know when the government gets their email or documents, and we have a right to tell them. We believe strongly that these fundamental protections should not disappear just because customers store their personal information in the cloud,” he said.

Smith said while there are instances in which the government might need a secrecy order for legitimate reasons, such as where disclosing the government’s request for data could create a risk of harm to an individual, the lawsuit was in response to the fact that the government appeared to be overusing secrecy orders in a “routine fashion” and were seeking indefinite secrecy orders in 68% of cases.

Until now, he said vague legal standards have allowed the government to get indefinite secrecy orders routinely, regardless of whether they were even based on the specifics of the investigation at hand.

But Smith said this will no longer be true because the binding policy issued on 24 October 2017 by the deputy US attorney general should diminish the number of orders that have a secrecy order attached, end the practice of indefinite secrecy orders, and make sure that every application for a secrecy order is carefully and specifically tailored to the facts in the case.

Challenging secrecy orders

Smith said the new policy came after months of Microsoft working for change, both in its lawsuit and in public discussions.

“As a result of the issuance of this policy, we are taking steps to dismiss our lawsuit,” he said, but added that while Microsoft applauds the DOJ for taking these steps, that does not mean it will stop its work to improve the use of secrecy orders.

“We have been advocating for our customers before the DOJ for a long time, and we’ll continue to do that. We will continue to turn to the courts if needed.  And we are committed to working with US Congress,” said Smith.

“Today’s policy doesn’t address all of the problems with the Electronic Communications Privacy Act (ECPA) [adopted in 1986] – the law at the heart of this issue – and we renew our call on Congress to amend it.

“Our lawsuit challenging the government’s use of secrecy upholds our commitment to challenge overbroad secrecy orders and is the fourth public one we’ve filed against the US government related to our customers’ right to privacy and transparency,” he said.

According to Smith, the first case resulted in the settlement of a lawsuit allowing Microsoft to disclose the number of legal requests received, and the second resulted in the government withdrawing a National Security Letter after the company challenged a non-disclosure order attached to the letter.

The third case challenged a US search warrant for a customer’s email in Ireland belonging to a non-US citizen, resulted in a favourable ruling in the appeals court, which is now pending in the US Supreme Court.

“As we’ve advocated in our other cases, we hope Congress will make this positive step forward more permanent by updating outdated laws to better protect our digital rights while still enabling law enforcement to do its job,” he said.

Read more about US tech surveillance concerns

Read more on Privacy and data protection