Microsoft today asked a federal court to invalidate part of a 1986 law that it alleged has been abused by the government when authorities demand the company hand over customers' data, including documents, emails and other information stored in the cloud.
In a lawsuit targeting the U.S. Department of Justice (DOJ) and Attorney General Loretta Lynch, Microsoft asked for a judgment that would declare unconstitutional a section of the Electronic Communications Privacy Act (ECPA), a 30-year-old law that government agencies increasingly cite when forcing email, Internet and cloud storage service providers to hand over data to aid criminal investigations.
Microsoft didn't object to the ECPA as a whole, but to what it said had become the routine issuing of gag orders alongside the demands for data.
"We believe that with rare exceptions consumers and businesses have a right to know when the government accesses their emails or records," said Brad Smith, Microsoft's chief legal officer, in a long post to a company blog Thursday. "Yet it's becoming routine for the U.S. government to issue orders that require email providers to keep these types of legal demands secret."
"This is a very aggressive move on Microsoft's part," said Michael Carroll, a professor of law and director of the Program on Information Justice and Intellectual Property at the American University Washington College of Law, in Washington, D.C. "They're essentially saying, 'I want to violate the gag orders, but I don't want to be sued for doing that.' So they're disputing the constitutionality of the gag orders."
Microsoft ticked off statistics to make its point that secrecy had become habitual: In the last 18 months, the Redmond, Wash., company received 5,624 federal demands for customer information or data. Of those, 2,576, or 48%, were tagged with secrecy orders that prevented Microsoft from telling customers that it had been compelled to hand over their information. About 68% of the gag orders -- 1,752 to be exact -- had no end date. "This means that we effectively are prohibited forever from telling our customers that the government has obtained their data," Smith said.
In the complaint filed with a Seattle federal court, Microsoft said that was unacceptable.
"There may be exceptional circumstances when the government's interest in investigating criminal conduct justifies an order temporarily barring a provider from notifying a customer that the government has obtained the customer's private communications and data," the complaint read. "But Section 2705(b) [of the ECPA] sweeps too broadly."
Microsoft asked the court to strike the section on the grounds that it violates both the First and Fourth Amendments to the Constitution.
"I think this is a smart strategy," Chris Calabrese, vice president of policy at the Center for Democracy and Technology, a Washington, D.C.-based advocacy group, said of Microsoft's lawsuit. "This is important for the courts, and judges, to work out because in a lot of ways, what we need is some clarification on the secrecy [aspects of the orders]."