On Wednesday, the U.S. Department of Justice (DOJ) unveiled recommended practices for law enforcement to follow when seeking enterprise customer data held by cloud service providers. These guidelines, from the DOJ’s Computer Crime and Intellectual Property Section, advise prosecutors to go directly to enterprises when seeking access to their data when practical and when it would not otherwise jeopardize the investigation, rather than attempting to go through cloud service providers. While DOJ has followed this approach for some time, we view it as a positive step that DOJ has now decided to memorialize these practices in writing. These recommendations build upon the policy DOJ recently introduced in October, 2017 curbing the use of secrecy orders attached to legal demands for customer data.
The DOJ’s new policy in October established reasonable limits and rules for the use of secrecy orders, ensuring that secrecy is the exception, not the rule, when the government searches and seizes private information or communications stored online. The document released yesterday addresses a related issue, detailing for prosecutors practical considerations regarding the nature of cloud computing and recognizing the complications that may arise in seeking enterprise customer data from the service provider, rather than the enterprise itself.
What does this mean for businesses? Speaking generally, these recommendations represent a growing awareness that requests for data should be case-specific and should, to the extent possible, be directed to the enterprises that own their data. Microsoft believes businesses have a right to control their data and to understand when the government requests their data for an investigation.
We are seeing businesses of all kinds leverage advancements made possible by cloud computing to revolutionize their industries or offer new products and services. Businesses seeking to take advantage of the benefits offered by cloud computing need to be able to trust that the sensitive data they store in the cloud remains under their control. A critical element of maintaining that trust is confidence in the legal protections afforded to our most sensitive information. The document released by DOJ Wednesday should help businesses have that confidence when they store their data in the cloud.
More remains to be done to ensure that digital documents and communications stored in the cloud receive the same legal protections as physical documents stored in a filing cabinet, and Microsoft will continue to advocate for new legislation that reforms the outdated laws that currently govern these issues. These recommended practices are a step in the right direction toward providing even greater protections for the cloud. They give clear and useful guidance to law enforcement, which will help them better investigate crimes and keep us safe, and help provide peace of mind for businesses to know that they trust and control the security of the data they store in the cloud.