We live in turbulent times. We want to be kept safe from threats like terrorism by ensuring law enforcement has the tools necessary to do its important work. At the same time, cybercrime has touched nearly all of us in some way, and we want our emails and photos to stay secure and under our control. This tension has led to a debate that suggests we must choose a side. The truth is that both public safety and online security are too important to sacrifice either, and we don’t believe a choice is necessary. Instead, we can and must find modern solutions that work for everyone.
Since the summer of 2013 when this debate intensified, we’ve grown our work toward solutions, building on policies and programs we’ve had in place for decades. Much of our work since 2013 stems from the commitments we outlined that year. This work includes lawsuits to reinforce legal protections for customers, advocacy for new national laws, and support for international cooperation. Some of this work we’ve done in partnership with other technology companies through the Reform Government Surveillance Coalition.
Our legal cases
We’ve challenged the U.S. government in court four times since 2013. Three of these challenges have been resolved in Microsoft’s favor, and one will be heard by the U.S. Supreme Court in 2018. We take these lawsuits seriously and only bring legal challenges when they are necessary to answer important questions about the rights of our customers. Each time we file a lawsuit, we also work on constructive policy solutions to help resolve the underlying issue.
Our first lawsuit, filed in the summer of 2013, was intended to provide our customers with greater transparency about the overall number of U.S. national security-related requests we receive for their data. At a time when our global customers told us they were concerned about the revelations disclosed by Edward Snowden, we believed this information was vital to helping them make decisions about their data. We were grateful the U.S. Department of Justice worked collaboratively to settle this lawsuit with Microsoft and others in the industry. The decision enabled us to publish U.S. National Security Order Reports twice per year with the range of requests we received in each six-month period. As we noted in our blog post about our first report, the data revealed that a small fraction of our customer base has been subject to such orders.
Our second lawsuit challenged a secrecy order we received that would have prevented us from notifying an enterprise customer of a National Security Letter requesting its data. As we outlined in our 2013 commitments, we believe these requests should usually be redirected to our customers or that we should be able to tell our customers about them. After all, businesses in the physical world would know if the government obtained a warrant to search their filing cabinets, and these businesses would have the choice to comply with warrants or to challenge aspects of them in court. This lawsuit was resolved when the government withdrew its request.
In our third lawsuit, we challenged a U.S. search warrant for customer email in our datacenter in Ireland belonging to a non-U.S. citizen. American law dictates that U.S. search warrants stop at the U.S. border, and the U.S. government maintains a data-sharing agreement with Ireland allowing it to properly access this data in accordance with Irish law. We have many concerns with the government’s warrant, but we’re particularly troubled that if we give the U.S. government access to people’s data abroad, we will also be forced to give other governments access to the data of American people and businesses.
We were encouraged by the amicus briefs in this case. In all, 28 leading technology and media companies, 35 leading computer scientists, and 23 trade associations and advocacy organizations supported our challenge, and spoke out about the case’s implications for business across the U.S. economy. A three-judge panel in an appeals court in New York decided in July 2016 that the government’s warrant is not lawful and that Microsoft should not be required to respond to it. We believe the decision impacts people everywhere in three positive ways: It ensures that people’s privacy rights are protected by the laws of their own countries, it helps ensure that the legal protections of the physical world apply in the digital domain, and it paves the way for better solutions to address both privacy and law enforcement needs.
In October 2017, the U.S. Supreme Court granted a request by the Department of Justice to review Microsoft’s appeals court victory. We’re prepared to keep arguing vigorously for our case, even while we prioritize our collaboration toward new law addressing both privacy and law enforcement needs.
Our fourth lawsuit, filed in April 2016, challenged the routine nature of secrecy orders that often accompany government requests for people’s data. Of course, there are times when secrecy is vital to an investigation, but too often these orders are used unnecessarily, or are unnecessarily indefinite and prevent us from telling customers of intrusions long after investigations are over. In an 18-month period before we filed the suit, we received 2,576 secrecy orders, and 68 percent of these were permanent, meaning we could never tell the customer someone accessed their data, even after an investigation was over.
After months of Microsoft working for change, in October 2017, the U.S. Department of Justice (DOJ) announced a new binding policy for government prosecutors that responds to the concerns raised by our lawsuit. As a result, we took steps to dismiss our lawsuit. This is an important step for both privacy and free expression, and we’re pleased the DOJ has taken these steps to protect the constitutional rights of all Americans. However, this doesn’t mean we’re done with our work to improve the use of secrecy orders. We are committed to working with Congress to further address the issue.
To be clear, while we do challenge government requests we believe are unlawful, we work to respond quickly to requests within the law. We are as serious about our legal obligations to public safety as we are about safeguarding our customers’ privacy. After the January 2015 attacks on Charlie Hebdo in Paris, we received a request from the French government working with the FBI. After determining the request was lawful, we responded within 45 minutes of receiving it. After the November 2015 attacks in Paris, we received 14 lawful requests for data related to terrorist suspects, some at large in France and Belgium, and responded within 30 minutes on average. Following the March 2017 attack in London, we responded to a lawful request in under 30 minutes.
Modernizing national laws
Several judges who have heard Microsoft’s lawsuits have noted that it would be better for Congress to create new law rather than have courts hear arguments about old law. We agree. Microsoft advocates for several pieces of proposed legislation to help modernize the law. For example, the Clarifying Lawful Overseas Use of Data (CLOUD) Act would help provide a logical solution for cross-border requests for data and would create a concrete path for the U.S. government to enter into modern bilateral agreements with other nations. More broadly, we’ve advocated for efforts to update the Electronic Communications Privacy Act, which was written in 1986 — more than 30 years ago — but still determines when and how law enforcement can access people’s data.
This isn’t only a U.S. issue. Governments around the world have the opportunity today to enact laws that will enable their people to better trust technology and realize its benefits for years to come. We’ve detailed a range of these policies in our book and website, A Cloud for Global Good.
Updating international agreements
Many of the threats to our safety today are global, and law enforcement needs to work globally to address them. Today we have a set of mutual legal assistance treaties (MLATs) that allow law enforcement agencies around the world to exchange evidence, but today’s system wasn’t built for the digital age. As a result of changes in technology and the evolving nature of criminal activity, this system is overburdened, and therefore can be unnecessarily slow. Though the MLAT system will always play an important role and needs to be modernized, we should also explore a new, complementary process that creates a modern and lasting set of specific rules to govern cross-border access to digital evidence. That’s why we’ve proposed a set of recommendations to help resolve these issues while respecting national borders and people’s rights.
We’re encouraged that the U.S. and UK have negotiated the first agreement that would streamline the process of sharing digital evidence. This agreement, if implemented by both sides, could provide a blueprint for a new type of treaty that will allow allies to be nimble in fighting global threats. We were also one of the first companies to sign up for the U.S.-EU Privacy Shield agreement, an important achievement helping to ensure data can flow across the Atlantic while enabling people to retain their rights.
Continuing our work
Given the increased work we’ve done on lawsuits and advocacy over the past five years, we’re sometimes asked if all of it is only a response to the recent debate. While these issues have moved more squarely into the public domain, and require that we work harder to address customer concerns, we’ve long adhered to the same principles. Our Government Security Program was launched in 2003 to assure customers our software is secure and free of backdoors. And we’ve often reiterated that we do not provide any government with direct and unfettered access to customer data. We believe governments must come through the front door with appropriate legal process rather than helping themselves to customer data.
Then in 2013, a story by Barton Gellman, a reporter for The Washington Post, made it clear that governments were getting data by intercepting it at major global internet hubs. This concerned us and our customers. For this reason, we announced in a December 2013 post that we would expand our work to ensure governments use valid legal process to access customer data. One of our commitments was to increasing encryption in our services — both when data is traveling and when it’s at rest — and we’ve provided updates on this work along the way. We will continue to update our encryption in a range of Microsoft products and services. And we’ve openly stated we do not provide any government with the ability to break the encryption, nor do we provide the government with the encryption keys.
As all our work continues, we will provide regular updates on this website and hope it helps inspire others to join us in working toward solutions. We don’t have the answers, and no company or industry will solve these issues alone, but we hope the steps we’ve taken can be a small part of solutions that will require a dialogue among people, governments, the academic community, and the private sector.