Microsoft Corporation has filed suit against the US Department of Justice (DoJ) seeking to declare unconstitutional a provision of federal law that authorizes US authorities to obtain e-mails and other private data under what Microsoft describes as a "veil of prolonged (or even indefinite) secrecy."
In a case that potentially could alter the way US law enforcement seeks to secure electronic data from tech companies, including cloud storage providers, Microsoft asserts that the US government's increasing use of "secrecy orders" in pending investigations to obtain access to customer information stored in Microsoft's "cloud" platform, without that customer's knowledge, violates US constitutional protections that afford people and organizations the right to know if the government searches or seizes their information. See Microsoft Corp. v. US Department of Justice, et al., Case No. 16-cv-00538 (W.D. Washington).
At issue in this federal court action, filed in Microsoft's home state of Washington, is the Electronic Communications Privacy Act (ECPA), a US statute enacted well before the advent of ubiquitous e-mail traffic and cloud storage. Among its various provisions, the ECPA authorizes US law enforcement to obtain a person's stored electronic data from a provider of electronic communications or other "remote computing service[s]" (which includes cloud storage providers) via service of a search warrant, subpoena or court order on that provider. In general, the government must provide notice of the search and seizure to the target of the investigation, though the government may delay such notice for a limited time (usually up to 90 days) where notice would otherwise imperil the investigation.
One provision of the ECPA, however, and the one challenged here, enables a federal court, upon application by the government, to prevent a cloud provider from notifying a customer of any governmental demand for that customer's e-mails and other stored documents. (It is Microsoft's policy to alert the affected customer when the company receives a legal demand for that customer's information, unless it is forbidden by law or court order from doing so.) Microsoft charges that secrecy orders issued pursuant to this provision often forbid notification to the customer for "unreasonably long," and in many cases "unlimited," time periods, whenever the government can convince the court that such notice would result in adverse consequences to the investigation. Complaint, para. 4. The problem with such unlimited secrecy, Microsoft asserts, is further evidenced by the fact that the statute does not require the government to later justify the continued prohibition on providers communicating with their customers about the government's action.
Microsoft's Complaint raises various US constitutional issues, but its argument boils down to this: Microsoft believes it is unconstitutional to prevent it from telling its customers when authorities seek their e-mails or other stored data from Microsoft. In other words, Microsoft brings this case "because its customers have a right to know when the government obtains a warrant to read their emails, and because Microsoft has a right to tell them." Complaint, para. 1. Notably, Microsoft does not dispute that in some cases, the exigencies of a criminal investigation do warrant secrecy, at least temporarily. In Microsoft's view, however, the government is exploiting the rapid growth of and transition to cloud computing to "expand its power to conduct secret investigations," Complaint, para. 4, and currently makes far too routine use of secrecy orders. (The company claims, for example, that over the past 18 months, federal courts have issued almost 2,600 secrecy orders to Microsoft, with over two-thirds of these having no fixed duration. See Complaint, para. 5.) Per Microsoft, these secrecy orders prevent Microsoft's customers, and the general public, "from ever learning the full extent of government access to private online information." Complaint, ¶ 16. This is unfair, and unconstitutional, asserts Microsoft, because "[p]eople do not give up their rights when they move their private information from physical storage to the cloud." Complaint, ¶ 1.
It is difficult to gauge at this point how the court will rule, and any decision by the federal district court very likely will be appealed. It is also unclear whether the suit will result in any changes to US law or curtail what Microsoft describes as increasing government efforts to obtain electronic data, though Microsoft has signalled that it would support such changes. Indeed, in a statement announcing the filing, Microsoft's president and chief legal officer, Brad Smith, seemed to indicate that the action might be resolved via changes in DoJ policies or via amendments to the ECPA:
While today's lawsuit is important, we believe there's an opportunity for the Department of Justice to adopt a new policy that sets reasonable limitations on the use of these types of secrecy orders. Congress also has a role to play in finding and passing solutions that both protect people's rights and meet law enforcement's needs. If the DOJ doesn't act, then we hope that Congress will amend the Electronic Communications Privacy Act to implement reasonable rules. In fact, secrecy provisions in ECPA today are out of step with other U.S. laws that contain clearer limitations on secrecy provisions and allow law enforcement flexibility for extensions.
The DoJ has 60 days to respond to the suit, and has not commented substantively to date. The agency presumably will continue to take the position that secrecy orders are necessary to ensure that investigation targets do not have the opportunity to delete data or otherwise move their electronic data to another platform, and that long-term secrecy orders are needed when authorities are undertaking complex long-term investigations.
Microsoft's suit comes at a time when US authorities are viewing electronic data as increasingly critical to solving, and preventing, criminal activity. Indeed, Microsoft's suit comes one day after two US senators released draft legislation (the "Compliance with Court Orders Act of 2016") which provides that entities, including tech companies and cloud providers, that receive a court order for data relevant to a criminal investigation must provide it to the government in an "intelligible" (read: unencrypted) format, or else provide the technical assistance necessary to make the data intelligible. The draft legislation, which has been released for stakeholder discussion, notes at the very outset that "no person or entity is above the law," which may be a reference to persons and entities that are viewed by law enforcement as increasingly resistant to government demands for electronic information.
Microsoft's most recent suit is somewhat similar to a pending court challenge (on which we previously commented here) that it lodged to US authorities' efforts to secure, via a search warrant served on Microsoft in the US, the e-mail content of a Microsoft customer whose data was stored in the EU. In that challenge, as in this one, Microsoft has cast itself as the defender of its customers' right to privacy as well as their right to transparent actions by the US government. In addition, these actions help Microsoft to show regulators in the EU and elsewhere that the company is seeking to limit US government efforts to secure electronic data secretly and to obtain non-US stored data.
Ultimately, Microsoft's suit is its latest response to the increasing challenges that it faces as it seeks to negotiate a path between compliance with US law and the need for US investigators to have access to stored data relevant to criminal investigations, and the privacy demands of its customers as well as privacy regulators outside the US.