Protecting Privacy in the Cloud

Posted by Annmarie Levins
Associate General Counsel

Today  I am testifying  before a House Judiciary Subcommittee that is contemplating reforms to the Electronic Communications Privacy Act (ECPA), an important but increasingly outdated law passed by Congress in 1986.  Microsoft is part of a broad coalition that supports modernization of the legislation.  ECPA regulates whether and how law enforcement can compel third-party telecommunications and Internet service providers to disclose user account information and customers’ stored communications.  ECPA was originally designed to strike a balance between the legitimate needs of law enforcement, the burdens on service providers in responding to government demands for data and the public’s reasonable expectation of privacy. 

In the nearly quarter-century since ECPA became law, the balance has shifted between the rights of users and law enforcement.  Technological advancements—rather than decisions by Congress—have put more of our sensitive personal information within the reach of law enforcement. 

As our General Counsel Brad Smith stated in his speech at the Brookings Institution in January, Microsoft believes that now is a critical time to address these issues.  We are on the cusp of a potentially transformative age in Internet-based “cloud computing.”  Cloud computing services have the potential to increase efficiencies for businesses and government, lower IT costs, create energy savings and spur innovative job-creating enterprises.  They can enable small and medium-sized businesses, individual entrepreneurs and other innovators to tap into computing resources that previously had been available only to the largest companies.  These capabilities can help drive innovation, make American  businesses more competitive and ultimately contribute to economic growth. 

But unless we are able to preserve and protect users’ privacy, the potential of cloud computing will not be fulfilled.  This is one reason Microsoft has joined a broad coalition of advocacy groups, technology companies, and academics in the launch of the Digital Due Process Coalition.  This Coalition is focused on updating ECPA to account for the profound changes in technology over the last two decades and to ensure that users’ legitimate expectations of privacy are respected while also fulfilling the needs of law enforcement. 

As a former federal criminal prosecutor, I would note that Microsoft would not support these changes if we felt they would undermine the ability of law enforcement to conduct lawful investigations. In my current capacity, I established the Microsoft Digital Crimes Unit to assist law enforcement with its work in pursuing digital crimes and to provide training to prosecutors and investigators around the world. Importantly, nothing in the DDP Coalition’s proposals would hamper Microsoft’s ability to help law enforcement respond to emergency situations where death or serious bodily injury is threatened.

Microsoft believes that decisions about the right balance between users’ reasonable expectations of privacy and law enforcement’s legitimate interests should be made by Congress with input from all key stakeholders, rather than as a result of unanticipated shifts in technology.  We view the Digital Due Process Coalition’s proposals as a good starting point for Congress’s inquiry into ECPA modernization. Smart, targeted reforms of ECPA are essential to restore a proper balance between privacy and law enforcement in the digital age.  They will also help cloud computing fully deliver on its potential of increased efficiency, cost savings and innovation for governments, businesses and individual users.  We look forward to engaging in a robust debate over how best to modernize this important statute, with today’s hearing providing a great starting point.

!–>!–more–>