Microsoft Sues Government Over Its ECPA-Enabled Gag Orders

from the silent-service dept

Microsoft isn’t the first company to sue the government over its gag orders. Google, Yahoo, Twitter, and a small ISP called Calyx Internet Access have all taken the government to court over its various demands for secrecy it ties to its National Security Letter requests.

But the more the merrier. Sooner or later, someone’s going to have to side with the recipient. As Microsoft alleges in its announcement of the lawsuit, the secrecy problem is getting worse, instead of better — despite the national discussion over domestic surveillance, expanded government power and the ongoing circumvention of due process.

It’s not that Microsoft believes the government is never entitled to secrecy. It’s that the demand for secrecy seems to be its default position.

To be clear, we appreciate that there are times when secrecy around a government warrant is needed. This is the case, for example, when disclosure of the government’s warrant would create a real risk of harm to another individual or when disclosure would allow people to destroy evidence and thwart an investigation. But based on the many secrecy orders we have received, we question whether these orders are grounded in specific facts that truly demand secrecy. To the contrary, it appears that the issuance of secrecy orders has become too routine.

The government is demanding information from Microsoft while telling it to shut up nearly 150 times a month.

Over the past 18 months, the U.S. government has required that we maintain secrecy regarding 2,576 legal demands, effectively silencing Microsoft from speaking to customers about warrants or other legal process seeking their data.

Worse, in a majority of these cases, Microsoft has been ordered to maintain its silence indefinitely.

Notably and even surprisingly, 1,752 of these secrecy orders, or 68 percent of the total, contained no fixed end date at all. This means that we effectively are prohibited forever from telling our customers that the government has obtained their data.

The lawsuit claims these gag orders violate multiple rights of multiple parties. Those whose data is being requested are having their Fourth Amendment rights violated by the undisclosed searches. Microsoft’s First Amendment rights are being violated by the accompanying gag orders.

At the center of Microsoft’s lawsuit is a terrible law: the ECPA.

Microsoft brings this case because its customers have a right to know when the government obtains a warrant to read their emails, and because Microsoft has a right to tell them. Yet the Electronic Communications Privacy Act (“ECPA”) allows courts to order Microsoft to keep its customers in the dark when the government seeks their email content or other private information, based solely on a “reason to believe” that disclosure might hinder an investigation. Nothing in the statute requires that the “reason to believe” be grounded in the facts of the particular investigation, and the statute contains no limit on the length of time such secrecy orders may be kept in place.

[…]

That antiquated law (passed decades before cloud computing existed) allows courts to impose prior restraints on speech about government conduct—the very core of expressive activity the First Amendment is intended to protect— even if other approaches could achieve the government’s objectives without burdening the right to speak freely. The statute sets no limits on the duration of secrecy orders, and it permits prior restraints any time a court has “reason to believe” adverse consequences would occur if the government were not allowed to operate in secret. Under the statute, the assessment of adverse consequences need not be based on the specific facts of the investigation, and the assessment is made only at the time the government applies for the secrecy order, with no obligation on the government to later justify continued restraints on speech even if circumstances change…

As the lawsuit points out, the outdated law isn’t built to handle the reality of cloud computing. Unfortunately, law enforcement agencies like the FBI are perfectly willing to exploit the loopholes this mismatch provides. Rather than approach individuals under investigation and search their home or place of business (if that’s where the communications are stored/originate) the government uses the ECPA to demand information from virtually unrelated parties like service providers, simply they provide cloud storage options.

The Fourth Amendment’s requirement that government engage only in “reasonable” searches necessarily includes a right for people to know when the government searches or seizes their property. See Wilson v. Arkansas, 514 U.S. 927, 934 (1995). For example, if the government comes into a person’s home to seize her letters from a desk drawer or computer hard drive, that person in almost all circumstances has the right to notice of the government’s intrusion. The same is true when the government executes a search of a business to seize emails from the business’s on-site server. But Section 2705(b) subjects Microsoft’s cloud customers to a different standard merely because of how they store their communications and data: the statute provides a mechanism for the government to search and seize customers’ private information without notice to the customer, based upon a constitutionally insufficient showing. In so doing, Section 2705(b) falls short of the intended reach of Fourth Amendment protections, which do not depend on the technological medium in which private “papers and effects” are stored.

It also points out how the government has used the law to treat physical searches and digital searches completely differently, thanks to the flaws in the legislation. While physical “sneak-and-peek” searches can be performed without notification of the target, the silence can only be maintained for 30-90 days. But if it goes after cloud backups, it can approach Microsoft and hit it with an indefinite demand for silence.

Considering how many ECPA reform false starts there have been over the years, Microsoft’s demand — if granted — could render some of that effort moot. It could also help fill in some of the gaps created by the recent carve-outs that have allowed the bill to finally move out of committee.

For these reasons, Microsoft asks the Court to declare that Section 2705(b) is unconstitutional on its face.

To sum up using all the metaphors, this swing for the fences could kill several birds with one stone if the court finds in favor of Microsoft: ECPA will be hobbled badly and will no longer be the go-to justification for government gag orders and, if the gag orders themselves survive, they’ll likely be limited to something less than “indefinitely” and be held to a higher level of scrutiny when they’re issued.

Filed Under: , , , , ,
Companies: microsoft

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Microsoft Sues Government Over Its ECPA-Enabled Gag Orders”

Subscribe: RSS Leave a comment
17 Comments
Anonymous Coward says:

Re: NSL?

This of course always depends on how the court “decides to translate” the law.

But it is highly likely they will get a “friendly” visit by an UNELECTED member of government telling them behind closed doors that national security trumps all Constitutional Rights and to make sure that the NSL’s are heavily protected.

Anonymous Coward says:

Re: Re: Re: NSL?

not ALL because. Yes the Patriot Act is certainly a part of the problem, but the fact that we allow the government to just ignore the Constitution without consequence is the root of that problem.

America has been set to become what we defeated in WWII which incidentally was our greatest turning point and spurred a lot of this terrorism shit.

Governments need bogey men with which to strike fear into their citizens… the terrorism bit advanced by the US government is no different.

Anonymous Coward says:

Apple got more popular when they sued. Guess we better sue...

Hmm. So Microsoft is setting out to EEE the Constitution. Am I the only one who see’s this as a basic gambling con? I wonder which side is the schill, Microsoft of the Government?

I feel sorry for the judge. If he isn’t seriously interested in vetting for collusion between the parties, he is going to be assumed to be in on the scam.

I hope somebody will be sending an Amicus Curae to the court documenting some of the unsanitary engagements that Microsoft has had with various governments and their officials over the years. Any assumption that these guys are playing straight is laughable.

Dave Cortright says:

Probably too clever to work

IANAL, but… Would it be possible for the EULA to actually grant the customer *ownership* of a particular piece of hardware, even if it is just a sliver of a hard drive platter or a few billion SSD transistors. Then—in theory—law enforcement would need to get a warrant to search/seize the property of that person. Heck, even if it required a new business model (like a massive battery of drives, and each customer literally gets ownership of one) I might be willing to pay a bit for that service if it means my data must now be treated as any other property I own.

Rekrul says:

To sum up using all the metaphors, this swing for the fences could kill several birds with one stone if the court finds in favor of Microsoft: ECPA will be hobbled badly and will no longer be the go-to justification for government gag orders and, if the gag orders themselves survive, they’ll likely be limited to something less than “indefinitely” and be held to a higher level of scrutiny when they’re issued.

Hobbled Badly? Like how the ruling that national security letters were unconstitutional hobbled their use badly?

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...