US government agencies have had a tough time of it in recent weeks. While the FBI’s battle with Apple has been rolling through the headlines, Microsoft’s lawsuit has been kept relatively quiet after an initial splash in the press.
In light of a potentially industry changing event, we took some time to speak to legal experts at Herbert Smith Freehills LLP to understand the impact of the lawsuit on cloud computing as an industry and a technology.
“In Microsoft’s view, the government’s increasing use of so-called “secrecy orders” to obtain access to stored customer information, without that customer’s knowledge, violates US constitutional protections that afford individuals and businesses the right to know if the government searches or seizes their information,” said Joseph Falcone, Partner at Herbert Smith Freehills, in New York.
“One provision of the Electronic Communications Privacy Act (ECPA), however, and the one at issue here, enables a federal court, upon application by the government, to enjoin a cloud services provider from notifying its customer of any governmental demand for that customer’s e-mails and documents.
“Microsoft charges that in most cases, secrecy orders issued pursuant to this provision forbid notification to the customer for unreasonably long, and in many cases indefinite, time periods, whenever the government can convince the court that such notice would result in adverse consequences to the investigation.”
In short, Microsoft’s President and Chief Legal Officer Brad Smith has seemingly set it upon himself to take on one of the worlds’ most powerful entities, in a battle to bring government policy and legislation into the 21st century. Microsoft’s issue is seemingly centred on the idea that government is abusing its power set out in the ECPA, originally written in 1986, long before the widespread use of the internet. The team maintain the position that government cannot use a collection of rules, set years before cloud computing was even an idea.
Joseph Falcone, Partner at Herbert Smith Freehills, in New York.
“The danger of such unlimited secrecy, Microsoft asserts, is also evidenced by the fact that the statute does not require the government to later justify the continued prohibition on providers from communicating to their customers about the government’s action,” said Falcone. The company believes there is a lack of accountability for the US government, enabling its agencies to act without fear of retribution. While tech giants throughout the industry have been on the receiving end of public outcry when discussing privacy and the ethical use of a customer’s data, Microsoft is seemingly taking a lone stance against the US government to reverse the trend.
“Microsoft’s complaint raises a host of US constitutional issues, doctrines and arguments,” said Falcone. “Distilled to their essence, Microsoft’s argument is that it is unconstitutional for the government and the courts to prevent it from telling its customers when authorities seek their e-mails or other stored data.”
In Smith’s blog post detailing Microsoft’s position, he highlighted the government’s current position violates the 1st and 4th constitutional amendments, but he does maintain there are circumstances where secrecy should be an option. The problem here is secrecy has become too routine, leaning towards the default setting as opposed to the exception to the rule.
“There is no way to predict at this point how the court will rule, and any ruling by the district court very likely will be appealed,” said Falcone. “It is also unclear whether the suit will result in any changes to US law or curtail what Microsoft describes as increasing government efforts to obtain electronic data, though Microsoft has signalled that it would support changes.
“Microsoft’s most recent suit is similar to a pending challenge that it lodged to US authorities’ efforts to secure, via a warrant served on Microsoft in the US, the e-mail content from a Microsoft customer whose data was stored in the EU. In that challenge, as in this one, Microsoft has cast itself as the defender of its customers’ right to privacy and their right to transparent actions by the US government.
“In addition, these actions enable Microsoft to show regulators in the EU and elsewhere that the company is seeking to limit US government efforts to secure electronic data secretly and to secure non-US stored data from the US.”
It would be very difficult to predict which way the lawsuit will go, but it would be fair to assume this is unlikely to be a short-lived story. Any decision made will likely be met by a string of appeals, delaying the impact on the industry for what could potentially be a significant amount of time.
Nick Pantlin, TMT Partner at Herbert Smith Freehills
We recently ran a poll in which our readers told us it is unlikely Microsoft will be successful, only 42% of our readers are backing the Microsoft legal team at this point, however the action itself could possible earn Microsoft new fans around the world, most particularly in Europe. With Safe Harbour now non-existent, and its successor attracting criticism from some quarters, Microsoft’s stance, seemingly protecting its customers from the big bad government, will possibly act as an effective PR tool in the European region.
While the US government is the one in the spotlight at the moment, it should be worth noting it is not the only government worldwide to undertake such activities.
“Against the backdrop of the ongoing global battle between public authority access to data for national security purposes and individuals’ right to privacy, the controversial UK Investigatory Powers Bill has been revised and introduced to the House of Commons with a deadline of 31 December 2016 for the legislation to be in place,” said Nick Pantlin, TMT Partner at Herbert Smith Freehills, in London.
“The issue of end-to-end encryption has also been debated in the UK. However, the Bill has clarified the Government’s position on encryption, making it clear that companies can only be asked to remove encryption that they themselves have applied, and only where it is practicable for them to do so. The Government asserts that it is not asking companies to weaken their security by undermining encryption.”