We believe customers have a right to know when law enforcement requests their email or documents, and we have a right to tell them. The reason is simple – we believe our customers own their data and have the right to control it. Absent extraordinary circumstances, government agents should seek data directly from our enterprise customers, and if they seek our customers’ data from us, they should allow us to tell our customers when demands are made. We believe strongly that these fundamental protections should not disappear just because customers store their data in the cloud rather than in file cabinets or desk drawers.
When a law enforcement agency presents Microsoft with a legally valid warrant, court order or subpoena requesting data that belongs to one of our enterprise customers, we seek to redirect that request to the customer. And in the vast majority of cases, that is exactly what happens. There are times, however, when the government comes to us for data and prevents us from telling our enterprise customers that it is seeking their data. We agree that there are some limited circumstances in which law enforcement must be able to operate in secret to prevent crime and terrorism and keep people safe. And while we agree that secrecy orders that prevent us from notifying our customers may be appropriate in those limited circumstances, we also believe there are times when those orders go too far. In those cases, we will litigate to protect our customers’ rights.
Curbing the overuse of secrecy orders
We filed a lawsuit in late 2018 to protect these rights, which was recently unsealed by a U.S. District Court. This legal challenge follows our prior litigation to curb the overuse of secrecy orders and highlight the growing need for principles to govern law enforcement access to data in the United States and internationally. This is an important fight we take on out of principle, and it is a fight we will continue to mount.
On Sept. 5, 2018, Microsoft challenged a secrecy order issued by a federal magistrate judge in Brooklyn, New York in connection with a federal national security investigation. The secrecy order prevents Microsoft from notifying our enterprise customer that we received a warrant seeking its data. Based on the limited information available to us in this case, we feel the secrecy order was too broadly drawn and is inconsistent with the U.S. government’s policy that secrecy orders be narrowly tailored. We argued to the court that there must be an executive or representative of the company (our customer) — which has thousands of employees — who can be notified of the warrant’s existence, without jeopardizing the federal law enforcement investigation. The lower court denied our effort to modify the secrecy order to permit that notification. We have challenged that order in the lower court, and we will pursue an appeal in the appellate court if necessary, and continue to stand up for the principle that our customers are entitled to know when the government obtains their data.
Although we have hit an initial hurdle in this case, it follows a successful litigation strategy that we have pursued for several years to curtail the overuse and overbreadth of secrecy orders. As a cloud services provider, Microsoft has an important role in forcing governments to go before impartial judges to justify their conduct and to make sure they use their investigative powers in accordance with the rule of law. When law enforcement seeks access to a customers’ data, our thorough review of law enforcement demands helps ensure that governments are respecting the rights of internet users around the world.
We take this responsibility seriously, and have repeatedly called for principles to govern law enforcement access to data in the United States and internationally. The first such principle is the universal right to notice — i.e., absent narrow circumstances, users have a right to know when the government accesses their data, and cloud providers must have a right to tell them. Moving into the 21st century should not mean a brand-new rule that allows the government to execute a warrant without any notice to the target of that warrant.
Microsoft will continue to advocate for this principle globally and will bring legal challenges to protect our customers’ right to notice when we think governments have overstepped their legal boundaries.
Tags: cloud, data privacy, Government, universal right to notice