We live in turbulent times. We want to be kept safe from threats like terrorism by ensuring law enforcement has the tools necessary to do its important work. At the same time, cybercrime has touched nearly all of us in some way, and we want our emails and photos to stay secure and under our control. This tension has led to a debate that suggests we must choose a side. The truth is that both public safety and online security are too important to sacrifice either, and we believe that a choice is unnecessary. Instead, we can and must find modern solutions that work for everyone.
Since the summer of 2013 when this debate intensified, we’ve grown our work toward solutions, building on policies and programs we’ve had in place for decades. Much of our work since 2013 stems from the commitments we outlined that year. This work includes lawsuits to reinforce legal protections for customers, advocacy for new national laws, and support for international cooperation. Some of this work we’ve done in partnership with other technology companies through the Reform Government Surveillance Coalition.
Our legal cases
We’ve challenged the U.S. government in court multiple times since 2013, including taking one of these cases to the U.S. Supreme Court. These challenges were resolved in Microsoft’s favor, including through helping to bring about meaningful policy changes and updates to U.S. law to modernize the rules governing demands for data. We take these lawsuits seriously and only bring legal challenges when they are necessary to answer important questions about the rights of our customers. Each time we file a lawsuit, we also work on constructive policy solutions to help resolve the underlying issue.
Our first lawsuit, filed in the summer of 2013, was intended to provide our customers with greater transparency about the overall number of U.S. national security-related requests we receive for their data. At a time when our global customers told us they were concerned about the revelations disclosed by Edward Snowden, we believed this information was vital to helping them make decisions about their data. We were grateful the U.S. Department of Justice worked collaboratively to settle this lawsuit with Microsoft and others in the industry. The decision enabled us to publish U.S. National Security Order Reports twice per year with the range of requests we received in each six-month period. As we noted in our blog post about our first report, the data revealed that a small fraction of our customer base has been subject to such orders.
Our second lawsuit challenged a secrecy order we received that would have prevented us from notifying an enterprise customer of a National Security Letter requesting its data. As we outlined in our 2013 commitments, we believe these requests should usually be redirected to our customers or that we should be able to tell our customers about them. After all, businesses in the physical world would know if the government obtained a warrant to search their filing cabinets, and these businesses would have the choice to comply with warrants or to challenge aspects of them in court. This lawsuit was resolved when the government withdrew its request.
In our third lawsuit, we challenged a U.S. search warrant for customer email in our datacenter in Ireland belonging to a non-U.S. citizen. American law dictated that U.S. search warrants stop at the U.S. border, and the U.S. government maintains a data-sharing agreement with Ireland allowing it to properly access this data in accordance with Irish law. We had many concerns with the government’s warrant, but we were particularly troubled by the notion of unilaterally giving the U.S. government access to people’s data abroad, which would open the door to give other governments access to the data of American people and businesses.
After a three-judge panel in an appeals court decided in July 2016 that the government’s warrant was not lawful and that Microsoft should not be required to respond to it, the Justice Department appealed the case to the U.S. Supreme Court in October 2017. In January 2018, 289 different groups and individuals from 37 countries filed briefs with the court in support of our challenge. As we argued before the court in February 2018, this was an issue for Congress to resolve by enacting new laws to facilitate cross-border data requests in a way that preserves people’s fundamental rights. Congress passed new legislation in April 2018, creating a framework for international agreements for such requests and rendering our case moot.
Our fourth lawsuit, filed in April 2016, challenged the routine nature of secrecy orders that often accompany government requests for people’s data. Of course, there are times when secrecy is vital to an investigation, but too often these orders are used unnecessarily, or are unnecessarily indefinite and prevent us from telling customers of intrusions far after investigations are over. In an 18-month period before we filed the suit, we received 2,576 secrecy orders, and 68 percent of these were permanent, meaning we could never tell the customer someone accessed their data — even after an investigation was over.
After months of Microsoft working for change, in October 2017, the U.S. Department of Justice (DOJ) announced a new binding policy for government prosecutors that responds to the concerns raised by our lawsuit. As a result, we took steps to dismiss our lawsuit. This is an important step for both privacy and free expression, and we’re pleased the DOJ took these steps to protect the constitutional rights of all Americans.
However, we are not done with our work to improve the use of secrecy orders. We continually stand up for our customers’ rights, providing commitments to protect their data and, when necessary, going to court going to court to challenge orders to ensure that secrecy is the section, not the rule.
To be clear, while we do challenge government requests that we believe are unlawful, we work to respond quickly to requests within the law. We are as serious about our legal obligations to public safety as we are about safeguarding our customers’ privacy. After the January 2015 attacks on Charlie Hebdo in Paris, we received a request from the French government working with the FBI. After determining the request was lawful, we responded within 45 minutes of receiving it. After the November 2015 attacks in Paris, we received 14 lawful requests for data related to terrorist suspects, some at large in France and Belgium, and responded within 30 minutes on average. Following the March 2017 attack in London, we responded to a lawful request in under 30 minutes.
Modernizing national laws
Several judges who have heard Microsoft’s lawsuits have noted that it would be better for Congress to create new law rather than have courts hear arguments about old law. We agree. Microsoft advocates for proposed legislation to help modernize the laws governing technology. For example, the Clarifying Lawful Overseas Use of Data (CLOUD) Act, enacted by Congress in April 2018, helped provide a solution for cross-border requests for data and created a concrete path for the U.S. government to enter into modern bilateral agreements with other nations. More broadly, we’ve advocated for efforts to update the Electronic Communications Privacy Act (ECPA), which was written in 1986 — more than 30 years ago — but still determines when and how law enforcement can access people’s data.
In June 2021, we testified before Congress on the need for legislative reform on the use of secrecy orders attached to requests for data. As we noted in that testimony and in an op-ed in The Washington Post, there is an urgent need to reform the ECPA and enact new legislation to address the use of these orders.
This isn’t only a U.S. issue. Governments around the world have the opportunity today to enact laws that will enable their people to better trust technology and realize its benefits for years to come. We’ve detailed a range of these policies in our book and website, A Cloud for Global Good.
Updating international agreements
Many of the threats to our safety today are global, and law enforcement needs to work globally to address them. Today we have a set of mutual legal assistance treaties (MLATs) that allow law enforcement agencies around the world to exchange evidence, but today’s system wasn’t built for the digital age. As a result of changes in technology and the evolving nature of criminal activity, this system is overburdened, and therefore can be unnecessarily slow. Though the MLAT system will always play an important role and needs to be modernized, we should also explore a new, complementary process that creates a modern and lasting set of specific rules to govern cross-border access to digital evidence. That’s why we’ve proposed a set of recommendations to help resolve these issues while respecting national borders and people’s rights.
We’re encouraged that the U.S. and UK have negotiated the first agreement that would streamline the process of sharing digital evidence and continue to advocate for governments around the world to engage with each other to modernize the processes for governments to request data, while protecting privacy and the rule of law. This agreement provides a framework for a new type of treaty that will allow allies to be nimble in fighting global threats.
Continuing our work
Given the increased work we’ve done on lawsuits and advocacy over the past five years, we’re sometimes asked if all of it is only a response to the recent debate. While these issues have moved more squarely into the public domain and require that we work harder to address customer concerns, we’ve long adhered to the same principles. Our Government Security Program was launched in 2003 to assure customers our software is secure and free of backdoors. And we’ve often reiterated that we do not provide any government with direct and unfettered access to customer data. We believe governments must come through the front door with appropriate legal process rather than helping themselves to customer data.
Then in 2013, a story by Barton Gellman, a reporter for The Washington Post, made it clear that governments were getting data by intercepting it at major global internet hubs. This concerned us and our customers. For this reason, we announced in a December 2013 post that we would expand our work to ensure governments use valid legal process to access customer data. One of our commitments was to increasing encryption in our services — both when data is traveling and when it’s at rest — and we’ve provided updates on this work along the way. We will continue to update our encryption in a range of Microsoft products and services. And we’ve openly stated we do not provide any government with the ability to break the encryption, nor do we provide the government with the encryption keys.
As all our work continues, we will provide regular updates on this website and hope it helps inspire others to join us in working toward solutions. We don’t have the answers, and no company or industry will solve these issues alone, but we hope the steps we’ve taken can be a small part of solutions that will require a dialogue among people, governments, the academic community, and the private sector.