Today marks another important step in ensuring that people’s privacy rights are protected when they store their personal information in the cloud. In response to concerns that Microsoft raised in a lawsuit we brought against the U.S. government in April 2016, and after months advocating for the United States Department of Justice to change its practices, the Department of Justice (DOJ) today established a new policy to address these issues. This new policy limits the overused practice of requiring providers to stay silent when the government accesses personal data stored in the cloud. It helps ensure that secrecy orders are used only when necessary and for defined periods of time. This is an important step for both privacy and free expression. It is an unequivocal win for our customers, and we’re pleased the DOJ has taken these steps to protect the constitutional rights of all Americans.
Until now, the government routinely sought and obtained orders requiring email providers to not tell our customers when the government takes their personal email or records. Sometimes these orders don’t include a fixed end date, effectively prohibiting us forever from telling our customers that the government has obtained their data.
As we said when we filed the lawsuit, we believe customers have a constitutional right to know when the government gets their email or documents, and we have a right to tell them. These are important principles established by both the Fourth and First Amendments to the U.S. Constitution.
We believe strongly that these fundamental protections should not disappear just because customers store their personal information in the cloud rather than in file cabinets or desk drawers. We were not alone in this belief, as a diverse and broad array of companies, academics, business groups, civil liberties organizations and former law-enforcement officials signed amicus briefs in support of our position in the case.
We understand there are instances in which the government might need a secrecy order for legitimate reasons. This could include situations where disclosing the government’s request for data could create a risk of harm to an individual. It could also include cases where disclosure would thwart the government’s investigation, or lead to the destruction of evidence.
But our lawsuit was based on a growing and disturbing trend. We highlighted the fact that the government appeared to be overusing secrecy orders in a routine fashion — even where the specific facts didn’t support them — and were seeking indefinite secrecy orders in a large number of cases. When we filed our case we explained that in an 18-month period, 2,576 of the legal demands we received from the U.S. government included an obligation of secrecy, and 68 percent of these appeared to be indefinite demands for secrecy. In short, we were prevented from ever telling a large number of customers that the government had sought to access their data.
Until today, vague legal standards have allowed the government to get indefinite secrecy orders routinely, regardless of whether they were even based on the specifics of the investigation at hand. That will no longer be true. The binding policy issued today by the Deputy U.S. Attorney General should diminish the number of orders that have a secrecy order attached, end the practice of indefinite secrecy orders, and make sure that every application for a secrecy order is carefully and specifically tailored to the facts in the case.
The new policy came after months of Microsoft working for change, both in its lawsuit and in public fora. As a result of the issuance of this policy, we are taking steps to dismiss our lawsuit. We applaud the Department of Justice for taking these steps, but that doesn’t mean we’re done with our work to improve the use of secrecy orders. We have been advocating for our customers before the DOJ for a long time, and we’ll continue to do that. We will continue to turn to the courts if needed. And we are committed to working with Congress. Today’s policy doesn’t address all of the problems with the Electronic Communications Privacy Act (ECPA) — the law at the heart of this issue — and we renew our call on Congress to amend it.
Specifically, the U.S. Senate should advance the ECPA Modernization Act of 2017, introduced in July by Sens. Mike Lee, R-Utah, and Patrick Leahy, D-Vermont. This bill includes a provision that addresses secrecy orders. This action would build on the bipartisan work of the U.S. House of Representatives, which has twice passed ECPA reform legislation — unanimously last session and by voice vote earlier this year – under the leadership of Chairman Bob Goodlatte, R-Virginia, Rep. Kevin Yoder, R-Kansas, and Rep. Jared Polis, D-Colorado. It is time to update this outdated 1986 law that regulates government access to contemporary electronic communications.
From the first day that we filed our lawsuit, we benefited from the extensive support of many individuals and organizations who voiced their concerns around the use of broad and indefinite secrecy orders. We are thankful for the nearly 90 technology companies, media enterprises and organizations, academics, business groups and companies, civil liberties groups and former law-enforcement officials who signed friend-of-the-court briefs in this case. Additionally, we appreciate the support we received from the ACLU, which at one point sought to join our lawsuit, and others in the business, legal and policy communities who were concerned about these issues and have voiced their support for reforms and new legislative solutions.
Our lawsuit challenging the government’s use of secrecy upholds our commitment to challenge overbroad secrecy orders and is the fourth public one we’ve filed against the U.S. government related to our customers’ right to privacy and transparency. The first resulted in the settlement of a lawsuit allowing us to disclose the number of legal requests we receive. The second resulted in the government withdrawing a National Security Letter after we challenged a non-disclosure order attached to the letter. The third, a challenge to a U.S. search warrant for customer email in Ireland belonging to a non-U.S. citizen, resulted in a favorable ruling in the Second Circuit Court of Appeals, which is now pending in the U.S. Supreme Court.
As we’ve advocated in our other cases, we hope Congress will make this positive step forward more permanent by updating outdated laws to better protect our digital rights while still enabling law enforcement to do its job.