Unfinished business on government surveillance reform

In the year since news reports surfaced about U.S. government surveillance practices, a lot has changed. And there even have been some initial positive reforms. We all want to live in a safe and secure world and governments – including the U.S. government – play a vital role in helping to protect our communities. But the reality is clear. The U.S. Government needs to address important unfinished business to reduce the technology trust deficit it has created.

It was a year ago this week that the Guardian and Washington Post published their first reports about the extent of U.S. government surveillance of phone and Internet records, sometimes in partnership with others. As the story evolved, we learned that the government was not just seeking a relatively small amount of content from Internet companies via legal orders. It’s now apparent that the government intercepted data in transit across the Internet and hacked links between company data centers. These disclosures rightly have prompted a vigorous debate over the extent and scope of government surveillance, leading to some positive changes. But much more needs to be done.

With the advent of mobile devices and cloud services, technology has never been more powerful or more personal. But as I encountered in virtually every meeting during a recent trip to Europe, as well as discussions with others from around the world, people have real questions and concerns about how their data are protected. These concerns have real implications for cloud adoption. After all, people won’t use technology they don’t trust. We need to strike a better balance between privacy and national security to restore trust and uphold our fundamental liberties. In particular, a year on, there are five things the U.S. government still needs to do:

Recognize that U.S. search warrants end at U.S. borders: We’re concerned about governmental attempts to use search warrants to force companies to turn over the contents of non-U.S. customer communications that are stored exclusively outside the United States. The U.S. government wouldn’t stand for other governments seeking to serve search warrants within American borders to seize the content of U.S. citizens’ emails without going through U.S. legal process. Why should it expect other governments to react any differently?

The U.S. government should stop trying to force tech companies to circumvent treaties by turning over data in other countries. Under the Fourth Amendment of the U.S. Constitution, users have a right to keep their email communications private. We need our government to uphold Constitutional privacy protections and adhere to the privacy rules established by law. That’s why we recently went to court to challenge a search warrant seeking content held in our data center in Ireland. We’re convinced that the law and the U.S. Constitution are on our side, and we are committed to pursuing this case as far and as long as needed.

End bulk collection: President Obama expressed a desire to end bulk collection of data of telephone records. While Microsoft has never received an order related to bulk collection of Internet data, we believe the USA Freedom Act should be strengthened to prohibit more clearly any such orders in the future.

Reform the FISA Court: We need to increase the transparency of the FISA Court’s proceedings and rulings, and introduce the adversarial process that is the hallmark of a fair judicial system. There remains a fundamental truth about legal disputes: a judge who hears only one side of a case is less likely to render a just result. Congress needs to recognize and act on the need for FISA Court reform.

Commit not to hack data centers or cables: We believe our efforts to expand encryption across our services make it much harder for any government to successfully hack data in transit or at rest. Yet more than seven months after the Washington Post first reported that the National Security Agency hacked systems outside the U.S. to access data held by Yahoo! and Google, the Executive Branch remains silent about its views of this practice. Shouldn’t a government that prosecutes foreigners who hack into U.S. companies stop its own employees from hacking into such businesses? Why must we continue to wait for an assurance on this issue?

Continue to increase transparency: Earlier this year, we won the right to publish important data on the number of national security-related demands that we receive. This helped to provide a broader understanding of the overall volume of government orders. It was a good step, but we believe even more detail can be provided without undermining national security.

While the focus today is on the actions the U.S. government needs to take, it is clear that many of the issues and solutions to them are international in nature. We need an international effort to restore the trust of Internet users and strike the right balance between privacy and security. That’s why we remain committed to the creation of new international legal frameworks. Around the world, governments are increasingly recognizing the need for such action, and now it’s time for people to roll up their sleeves and pursue them.

While we continue to press the government for reforms, we’ve also taken actions ourselves as a company, as well as with others in the industry. These include expanding our use of encryption across our services, increasing the transparency of our code, and strengthening legal protections for customers, something that is already yielding results. In December, we came together with others in the industry to call for reforms in government surveillance practices, and as a result of litigation, we were able to publish additional details about the volume of national security orders for customer data we receive from the US government.

Despite these steps, a year after the first news reports, there is much more to do. The U.S. has both a responsibility and an opportunity to show new leadership on these issues. It was 225 years ago this Sunday that James Madison stood up in the first Congress and proposed the Bill of Rights, including what became the Fourth Amendment to our Constitution. He built on English law and colonial experience to preserve for future generations the right of people to be secure from unreasonable government searches. But by definition it is up to our own generation to preserve this fundamental constitutional protection. The advance of technology makes these issues even more important. Now is the time to act.

Editor’s note: On May 19, Brad Smith addressed the need for additional government surveillance reforms and ways that government and corporations can address peoples’ desires for better transparency, control and accountability when it comes to their data. Video highlights are available below.

About the Author

General Counsel & Executive Vice President, Legal and Corporate Affairs, Microsoft

Brad Smith is Microsoft's General Counsel and Executive Vice President of Legal and Corporate Affairs. He leads the company's Department of Legal and Corporate Affairs (LCA), which has approximately 1,100 employees located in 55 countries. Mr. Smith is responsible for the company's legal work, its intellectual property portfolio and patent licensing business as well as its government affairs and philanthropic work. He also serves as Microsoft's corporate secretary and its chief compliance officer. Mr. Smith currently co-chairs the board of directors of Kids in Need of Defense (KIND) and is the chair-elect of the Leadership Council on Legal Diversity. In Washington state, Mr. Smith has served as chair of the Washington Roundtable, a leading Washington state-based business organization, and he has advanced several statewide education initiatives.