Microsoft hails victory for the cloud as US curbs ‘sneak and peek’ practices

24 Oct 2017

Microsoft drops lawsuit but wants changes in federal laws.

Microsoft is dropping its lawsuit against the US Department of Justice (DoJ) over ‘sneak and peek’ tactics that prevented tech companies from informing customers when investigators sought access to emails and other communications in the cloud.

In the latest development, the DoJ has issued a new binding policy that requires prosecutors to conduct an individualised and meaningful assessment of the need for protection against disclosure before seeking a gag order against cloud providers.

Microsoft had sued the DoJ over these gag orders and had received the backing of other major players in the cloud industry, including Amazon and Google.

This is separate from an ongoing case, involving emails stored in a Microsoft data centre in Dublin, that is winging its way to the US supreme court.

As cloud grows, so too does ‘Big Brother’ snooping

The surge in the growth of cloud has meant that major cloud providers are seeing warrants from investigators, such as the FBI, seeking information more frequently.

“This new policy limits the overused practice of requiring providers to stay silent when the government accesses personal data stored in the cloud,” said Microsoft president and chief legal officer Brad Smith.

“It helps ensure that secrecy orders are used only when necessary and for defined periods of time. This is an important step for both privacy and free expression. It is an unequivocal win for our customers, and we’re pleased the DoJ has taken these steps to protect the constitutional rights of all Americans.”

He continued: “Until now, the government routinely sought and obtained orders requiring email providers to not tell our customers when the government takes their personal email or records. Sometimes, these orders don’t include a fixed end date, effectively prohibiting us forever from telling our customers that the government has obtained their data.”

Smith said Microsoft believes that customers have a constitutional right to know when the government gets their emails or documents, and that tech companies have a right to tell them.

“These are important principles established by both the fourth and first amendments to the US constitution.

“We believe strongly that these fundamental protections should not disappear just because customers store their personal information in the cloud rather than in file cabinets or desk drawers. We were not alone in this belief, as a diverse and broad array of companies, academics, business groups, civil liberties organisations and former law-enforcement officials signed amicus briefs in support of our position in the case.”

Smith accepted that there are instances where the government might need a secrecy order for legitimate reasons that could protect lives and prevent the destruction of evidence.

“But our lawsuit was based on a growing and disturbing trend. We highlighted the fact that the government appeared to be overusing secrecy orders in a routine fashion – even where the specific facts didn’t support them – and were seeking indefinite secrecy orders in a large number of cases.

“When we filed our case, we explained that in an 18-month period, 2,576 of the legal demands we received from the US government included an obligation of secrecy, and 68pc of these appeared to be indefinite demands for secrecy.

“In short, we were prevented from ever telling a large number of customers that the government had sought to access their data,” Smith said.

He added that the lawsuit Microsoft filed over ‘sneak and peek’ tactics was the fourth of four such lawsuits over data privacy. The third – regarding a search warrant for customer email in servers in Ireland – is now pending in the US supreme court.

“As we’ve advocated in our other cases, we hope Congress will make this positive step forward more permanent by updating outdated laws to better protect our digital rights while still enabling law enforcement to do its job.”

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years.
