Microsoft Says Secret Data Requests Are Now The Norm, Sues U.S. Government

Microsoft filed a lawsuit in a federal court against the U.S. government over its expanding use of gag orders for data requests. The company said that almost half of the data requests are secret, with more than two thirds of the gag orders having no time limit for expiration, meaning the users would never be notified about them.

Microsoft, which is now a major cloud services provider, has become increasingly worried about how many of the data requests from the U.S. government are accompanied by gag orders. Once a gag order is served, the company can no longer notify its users about the warrants it received for their data.

The company believes that the U.S. government is using the increasing popularity of cloud services as a way to skirt around the Fourth Amendment, which gives people the right to know when the government searches or seizes their property. Microsoft also believes that these gag orders violate the First Amendment, which guarantees the company the right to talk to its customers.

Evolution Of Data Storage (And The Degradation Of Privacy Rights)

In the past, individuals and businesses would keep their information in documents stored in file cabinets and desk drawers on local premises. That data then transitioned to being stored on local computers and servers, but it remained within a user’s physical possession and control. In both of those eras, the government had to notify the user or the company when it needed access to that data, and then it would serve them a warrant.

Now, more and more personal data is stored in the “cloud,” or on other companies’ servers, because that’s how the world evolved to allow people access to their data from wherever they may be. However, Microsoft believes that people still have the same expectations of privacy, even if the government can technically now take that data whenever it wishes, without notifying its customers.

Microsoft also said that businesses that are its cloud customers routinely tell it that they want to be notified about government requests so that their own lawyers can take a look at the legal requests and then decide whether or not they have to turn over the data.

Microsoft has argued before that law enforcement everywhere, including in the European Union, should go directly to its enterprise customers to obtain their data. However, the company is only now making the argument that individuals should be notified, as well.

As discussed in a previous post about the new Email Privacy Act (EPA), it shouldn’t matter that it’s now easier for governments to avoid telling individuals when their data is requested, just because that data is stored somewhere else.

That data is theirs and therefore they should be notified when the government has access to it. However, the Email Privacy Act has so far made the compromise to remove the initial rule that would’ve required the government to give notice to users. That may still change if Microsoft wins this lawsuit by the time the bill reaches the Senate, where it could be amended.

Microsoft’s Solution

Microsoft hopes that, regardless of how the lawsuit proceeds, the Department of Justice will immediately issue a new policy that restricts these out-of-control gag orders from law enforcement.

If that doesn’t happen, then the company wishes Congress would amend the Electronic Communications Protection Act (likely through the new EPA reform) to require government notice for warrants. Microsoft also said that the current ECPA allows the government to issue more secret orders than it would be able to serve under other laws.

If Congress amends the law, then the company hopes it follows three principles:

- Transparency: People have the right to know when the company storing their information has been sent a legal request for their data. The companies themselves should also have the right to tell their customers when a request was served.

- Digital neutrality: Customers should benefit from the same type of privacy protections in the online world as they do in the offline world.

- Necessity: Secrecy orders should be adapted to only what’s necessary for an investigation. If there’s a good reason for the secrecy to continue, then that order could be extended based on necessity.

Microsoft’s Lawsuits Against U.S. Government

Microsoft also noted that although this is the fourth lawsuit it has filed against the U.S. government to protect its customers’ privacy, it hasn’t taken this action lightly, and it has only done so when it considered the government's requests to be out-of-bounds.

In the first lawsuit, Microsoft settled with the U.S. government, allowing the company to disclose how many data requests it receives. The second one was because of a government-issued National Security Letter, which the government ended up withdrawing. The U.S. government has a tendency to withdraw its NSLs when challenged, likely because there's a potential issue of unconstitutionality. It would prefer to lose a case by withdrawing an NSL, but continue to issue NSLs to other companies or individuals unwilling to challenge them in court.

The third lawsuit is the one where Microsoft challenged a U.S. search warrant for an email of a customer from Ireland. This lawsuit is still pending in the U.S. Court of Appeals for the Second Circuit.

Microsoft filed this fourth one in the U.S. District Court for the Western District of Washington.

Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu. 

  • KenZen2B
    So here is a simple way to solve the problem of gag orders for secret data requests.

    1. Secret data requests with gag orders should only be used for anti-terrorism cases. Gag orders shall have a life time of 180 days.

    2. All other data requests should first go to the companies holding the data and make the data read only for a period of 180 days, after which the read only protection of the data is turned off. Within the 180 days, the government should go to the owner of the data with court orders for turn over of requested data.
  • rhenry01
    Moral of the story is ...... Encrypt everything with strong encryption.
  • RedJaron
    Part 1 could easily be exploited by the gov't, or anyone really, by classifying anything they wanted as terrorism or suspected terrorist ties.
  • Rooknoir
    Hmm. I see pretty major possible issues regarding this bit, but it likely has no bearing on either of us:

    In a situation where a person being investigated has the means and motive to flee the country if they suspected they were being investigated of a crime

    In a situation where a company or organization could easily destroy related data that is not specifically in the data request

    I agree with the time constraint, but that should be able to be extended with the permission of a federal judge depending on the investigation. Narrowing it down to specifically 'anti-terrorism' will either create loopholes through precedent or be too restrictive for what is needed.
  • firefoxx04
    If requests for terrorism were truly FOR TERRORISM then I think we would be fine with companies handing things over, the problem is that there is no way to know for sure and agents can simply claim the data is required for counter terrorism operations.

    Those that are willing to sacrifice privacy for freedom deserve neither. Not sure who really said that but it's true.
  • jkhoward
    I hope that I never upset anyone that works for the agencies making these requests.
  • Rooknoir
    17818483 said:
    If requests for terrorism were truly FOR TERRORISM then I think we would be fine with companies handing things over, the problem is that there is no way to know for sure and agents can simply claim the data is required for counter terrorism operations.

    Those that are willing to sacrifice privacy for freedom deserve neither. Not sure who really said that but it's true.

    "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." is the quote. Using it in response to this situation, I would say, is alarmist.
  • manleysteele
    There is a process for legally obtaining a secret warrant which the FBI understands very well. If they are attempting to circumvent this process by utilizing gag orders, that's not just wrong. It is unconstitutional and therefore illegal.
  • clonazepam
    In the meantime...

    July: Hello from Microsoft. This is your monthly letter to inform you there were no data requests from govt agencies for the month of June.
    August: ...
    September: ...
    October: ...
    November: Hello from Microsoft. This is your monthly letter to inform you there were no data requests from govt agencies for the month of October.
  • Roy_5_
    You shouldn't expect anything stored in the cloud to be private, heck even locally on Windows your data is not private if you are connected to the Internet. Anyone who thinks they have privacy nowadays is naive.