Microsoft sues US Justice Department over secret data requests

Microsoft Corp. filed suit in federal court Thursday against the Department of Justice and its head, Attorney General Loretta Lynch, over government data requests under the Electronic Communications Privacy Act (ECPA) of 1986. Microsoft is specifically challenging the government’s prohibition barring it from notifying customers about official requests for access to their private communications.

The company’s complaint makes clear that it regularly receives requests from the government for its customers’ private data stored on Microsoft’s remote servers. It states, “Between September 2014 and March 2016, Microsoft received 5,624 federal demands for customer information or data. Of those, nearly half—2,576—were accompanied by secrecy orders, forbidding Microsoft from telling the affected customers that the government was looking at their information.”

Corporations and individuals increasingly store their data on remote servers operated by Microsoft and other technology companies, a practice known as cloud storage. US intelligence and police agencies look on the growth of the Internet “cloud” as an opportunity to further expand their already massive surveillance of people both at home and abroad.

Microsoft notes that documents stored physically—for example, in a desk drawer—or digitally on “local computers and on-premises servers” can be accessed only with a warrant and with notice.

The government is using cloud computing to bypass notification. Microsoft’s brief before the federal court in Seattle contends that this practice violates the US Constitution’s Fourth Amendment ban on “unreasonable searches and seizures” and its requirement that the government obtain a court warrant based on a showing of “probable cause.” The company argues that “the transition to the cloud does not alter the fundamental constitutional requirement that the government must—with few exceptions—give notice when it searches and seizes the private information or communications of individuals or businesses.”

The ECPA, signed into law by then-President Ronald Reagan, allows courts to issue what are essentially secret warrants to search data stored by electronic communication service providers. Under the ECPA, courts can issue these warrants with orders that the provider (in this case, Microsoft) not notify the targets of surveillance that they are being targeted, potentially indefinitely.

Microsoft’s suit follows on the heels of the legal battle between Apple Inc. and the Federal Bureau of Investigation, in which the FBI attempted to force Apple to unlock the iPhone of Syed Farook, one of the deceased perpetrators of the December 2015 San Bernardino terror attack. The FBI ended its legal case on March 28 after it claimed to have successfully hacked the phone.

Neither Microsoft nor Apple have any genuine interest in protecting democratic rights. They are concerned that customers will shun their services if they are compromised by the FBI or National Security Agency. Both companies have cooperated with the NSA in its PRISM program, revealed by whistleblower Edward Snowden in 2013. Microsoft, in particular, has been a close partner of the American surveillance state. It unlocked Outlook.com’s encryption for the NSA prior to its launch and helped the NSA triple the amount of intercepted Skype video calls within nine months of Skype’s purchase by Microsoft.

In a related development, reddit, the popular aggregator site, removed a so-called “warrant canary” from its transparency report in March. The “canary” was a paragraph that stated it had never received a classified request for data. Its removal means that the web site, the world’s 33rd most popular, has likely received a request for user information that it is not allowed to discuss publicly.

Reddit CEO Steve Huffman said, “I’ve been advised not to say anything one way or the other. Even with the canaries, we’re treading a fine line.”

Meanwhile, the 6th US Circuit Court of Appeals, based in Cincinnati, ruled on April 13 that the government does not need a warrant when requesting cell-site location information. This ruling, which affects Michigan, Ohio, Kentucky and Tennessee, allows the government to obtain approximate location data for cellphone users during the course of an investigation.

Investigators generally use this information to establish suspects’ locations after the fact, not in real time. However, this use of warrantless cellphone data-gathering requests parallels the use of Sting Ray devices, for which the FBI now supposedly obtains a warrant, and similar, cheaper devices for which police departments and the federal government do not obtain warrants.

The 6th Circuit Court ruling allows the government to seek only a court order, which requires the “reasonable grounds” standard, rather than a warrant, which requires a stricter “probable cause” showing. The ruling echoes decisions in the federal appeals courts for the 5th and 11th circuits, which together cover Texas, Louisiana, Mississippi, Alabama, Georgia and Florida. However, it contradicts laws and court rulings in New Jersey, Maine and Montana. These conflicting rulings can be resolved only through a Supreme Court decision.