Microsoft Sues Government Over Its ECPA-Enabled Gag Orders
from the silent-service dept
Microsoft isn’t the first company to sue the government over its gag orders. Google, Yahoo, Twitter, and a small ISP called Calyx Internet Access have all taken the government to court over its various demands for secrecy it ties to its National Security Letter requests.
But the more the merrier. Sooner or later, someone’s going to have to side with the recipient. As Microsoft alleges in its announcement of the lawsuit, the secrecy problem is getting worse, instead of better — despite the national discussion over domestic surveillance, expanded government power and the ongoing circumvention of due process.
It’s not that Microsoft believes the government is never entitled to secrecy. It’s that the demand for secrecy seems to be its default position.
To be clear, we appreciate that there are times when secrecy around a government warrant is needed. This is the case, for example, when disclosure of the government’s warrant would create a real risk of harm to another individual or when disclosure would allow people to destroy evidence and thwart an investigation. But based on the many secrecy orders we have received, we question whether these orders are grounded in specific facts that truly demand secrecy. To the contrary, it appears that the issuance of secrecy orders has become too routine.
The government is demanding information from Microsoft while telling it to shut up nearly 150 times a month.
Over the past 18 months, the U.S. government has required that we maintain secrecy regarding 2,576 legal demands, effectively silencing Microsoft from speaking to customers about warrants or other legal process seeking their data.
Worse, in a majority of these cases, Microsoft has been ordered to maintain its silence indefinitely.
Notably and even surprisingly, 1,752 of these secrecy orders, or 68 percent of the total, contained no fixed end date at all. This means that we effectively are prohibited forever from telling our customers that the government has obtained their data.
The lawsuit claims these gag orders violate multiple rights of multiple parties. Those whose data is being requested are having their Fourth Amendment rights violated by the undisclosed searches. Microsoft’s First Amendment rights are being violated by the accompanying gag orders.
At the center of Microsoft’s lawsuit is a terrible law: the ECPA.
Microsoft brings this case because its customers have a right to know when the government obtains a warrant to read their emails, and because Microsoft has a right to tell them. Yet the Electronic Communications Privacy Act (“ECPA”) allows courts to order Microsoft to keep its customers in the dark when the government seeks their email content or other private information, based solely on a “reason to believe” that disclosure might hinder an investigation. Nothing in the statute requires that the “reason to believe” be grounded in the facts of the particular investigation, and the statute contains no limit on the length of time such secrecy orders may be kept in place.
That antiquated law (passed decades before cloud computing existed) allows courts to impose prior restraints on speech about government conduct—the very core of expressive activity the First Amendment is intended to protect— even if other approaches could achieve the government’s objectives without burdening the right to speak freely. The statute sets no limits on the duration of secrecy orders, and it permits prior restraints any time a court has “reason to believe” adverse consequences would occur if the government were not allowed to operate in secret. Under the statute, the assessment of adverse consequences need not be based on the specific facts of the investigation, and the assessment is made only at the time the government applies for the secrecy order, with no obligation on the government to later justify continued restraints on speech even if circumstances change…
As the lawsuit points out, the outdated law isn’t built to handle the reality of cloud computing. Unfortunately, law enforcement agencies like the FBI are perfectly willing to exploit the loopholes this mismatch provides. Rather than approach individuals under investigation and search their home or place of business (if that’s where the communications are stored/originate) the government uses the ECPA to demand information from virtually unrelated parties like service providers, simply they provide cloud storage options.
The Fourth Amendment’s requirement that government engage only in “reasonable” searches necessarily includes a right for people to know when the government searches or seizes their property. See Wilson v. Arkansas, 514 U.S. 927, 934 (1995). For example, if the government comes into a person’s home to seize her letters from a desk drawer or computer hard drive, that person in almost all circumstances has the right to notice of the government’s intrusion. The same is true when the government executes a search of a business to seize emails from the business’s on-site server. But Section 2705(b) subjects Microsoft’s cloud customers to a different standard merely because of how they store their communications and data: the statute provides a mechanism for the government to search and seize customers’ private information without notice to the customer, based upon a constitutionally insufficient showing. In so doing, Section 2705(b) falls short of the intended reach of Fourth Amendment protections, which do not depend on the technological medium in which private “papers and effects” are stored.
It also points out how the government has used the law to treat physical searches and digital searches completely differently, thanks to the flaws in the legislation. While physical “sneak-and-peek” searches can be performed without notification of the target, the silence can only be maintained for 30-90 days. But if it goes after cloud backups, it can approach Microsoft and hit it with an indefinite demand for silence.
Considering how many ECPA reform false starts there have been over the years, Microsoft’s demand — if granted — could render some of that effort moot. It could also help fill in some of the gaps created by the recent carve-outs that have allowed the bill to finally move out of committee.
For these reasons, Microsoft asks the Court to declare that Section 2705(b) is unconstitutional on its face.
To sum up using all the metaphors, this swing for the fences could kill several birds with one stone if the court finds in favor of Microsoft: ECPA will be hobbled badly and will no longer be the go-to justification for government gag orders and, if the gag orders themselves survive, they’ll likely be limited to something less than “indefinitely” and be held to a higher level of scrutiny when they’re issued.