Microsoft sued the U.S. government on Thursday for forcing it to remain silent when it turns over data about its customers.
The complaint, filed in the U.S. District Court for the Western District of Washington and first obtained by the Wall Street Journal, alleges that the government has used a decades-old online privacy law to improperly gag Microsoft when it serves the company with warrants for user data.
The 1978 Electronic Communications Privacy Act (ECPA) allows the government to issue gag orders along those such warrants if the government has a “reason to believe” that letting the company speak out would jeopardize its investigation. But the statute does not explain what constitutes a “reason to believe” this.
Microsoft argues in its lawsuit that ECPA “violates both the Fourth Amendment, which affords people and businesses the right to know if the government searches or seizes their property, and the First Amendment, which enshrines Microsoft’s rights to talk to its customers and to discuss how the government conducts its investigations.”
“People do not give up their rights when they move their private information from physical storage to the cloud.”
In the complaint, Microsoft said that it had received 5,624 warrants for customer data between September 2014 and March 2016, with 2,576 of them requiring the company not to notify the targeted customers.
Brad Smith, Microsoft’s president and chief legal officer, wrote on the company’s blog that “based on the many secrecy orders we have received, we question whether these orders are grounded in specific facts that truly demand secrecy. To the contrary, it appears that the issuance of secrecy orders has become too routine.”
A representative for Microsoft declined to comment on the lawsuit. Emily Pierce, a Justice Department spokeswoman, said the government was “reviewing the filing.”
Online communications privacy is the subject of intense congressional focus at the moment, with a House committee on Wednesday passing the Email Privacy Act to close a loophole in ECPA that allows investigators to get Americans’ online records without a warrant if they are older than 180 days.
Microsoft noted that two sections of ECPA set different standards for delaying notice to Americans that their records are the subject of a search warrant.
The first section, concerning whether the government itself must notify an American, lets investigators ask for a 90-day delay of that notice. But the second section, which involves whether companies can notify users and which Microsoft challenged in its complaint, does not set a time limit on the initial delay. It says the gag order can last “for such period as the court deems appropriate.”
“People do not give up their rights when they move their private information from physical storage to the cloud,” Microsoft’s lawsuit reads. “Microsoft therefore asks the Court to declare that Section 2705(b) is unconstitutional on its face.”
Microsoft argued that the provision of ECPA violates the First Amendment because it imposes a prior restraint on companies’ speech, a restraint that requires the government to meet a “particularly heavy” burden of justification.
“Microsoft is asking for non-disclosure orders to be disfavored and time limited,” Jennifer Granick, the director of civil liberties at Stanford University’s Center for Internet and Society, said in an email. “In the past, the government has negotiated with companies to allow more information to be disclosed in quarterly transparency reports and the like. So increased transparency—where the government agrees to limit its non-disclosure orders—is clearly a settlement option here.”
Microsoft also suggested that because gag orders restrict a certain type of speech, they are “content-based” speech restrictions, which the Supreme Court has said are “presumptively invalid” and can only be considered constitutional if they are “narrowly tailored to promote a compelling government interest.”
Because the second delayed-notice section of ECPA does not specify a time limit like the first section, Microsoft said, it “violates the First Amendment because it is not narrowly tailored to satisfy a compelling government interest.”
“This is a First Amendment fight that needed to get picked and I’m glad Microsoft picked it,” Kevin Bankston, the director of New America’s Open Technology Institute, said in a Twitter DM. “Just as in the real world with physical seizures, secrecy in digital seizures should be the exception and not the rule.”
Bankston called the Justice Department’s approach to ECPA gag orders “clearly unconstitutional” and said that, “with so many orders per year, it makes sense to strike at the root with a facial challenge to the law rather than try and challenge them all individually.” He predicted that Microsoft would succeed in convincing the court to declare the disputed section of ECPA unconstitutional.
Alex Abdo, a staff attorney at the American Civil Liberties Union’s Speech, Privacy, and Technology Project, urged Congress to step in but said that, failing legislative reform, the court should find in Microsoft’s favor.
“Congress has the opportunity to fix this problem now, by updating the Electronic Communications Privacy Act to require governmental notification, to impose the high standard required by the Constitution before gagging a company, and to limit the duration of gag orders,” Abdo said in an email. “If Congress fails to include those changes as it considers ECPA reform, then the courts should step in, including in Microsoft’s case, to end the government’s unconstitutional failure to provide notice.”
Microsoft took particular umbrage with the term “reason to believe” in the section of ECPA that lets the government gag companies when it demands user data. It faulted ECPA for providing “no guidance as to the evidentiary burden the government bears in showing a ‘reason to believe’ sufficient to justify a secrecy order.”
Microsoft also focused part of Thursday’s complaint on the idea that searches without notice to their subjects violated the Fourth Amendment.
“[I]f an individual or business elects to maintain its emails on premises, the government could not execute a search warrant for those emails without the customer learning about it and having the ability to assert any rights or privileges it may have,” the lawsuit reads. “Here, Microsoft’s customers have decided to store their information and data with Microsoft in the cloud rather than on computers at their own premises. This technological fortuity, however, does not weaken the privacy interests at stake.”
The ECPA gag-order lawsuit is yet another front in the war between Silicon Valley and the government over the evolving nature of criminal and terrorism investigations, which increasingly apply laws designed for physical searches to the digital realm.
A parallel dispute between these recurring adversaries, the long-running encryption debate, recently came to a head when the Justice Department demanded Apple‘s help unlocking a terrorist’s iPhone, sparking a month-long fight over how far tech companies should go to assist law enforcement without compromising their users’ security.
This is the fourth public lawsuit that Microsoft has filed against the government. The other three involve secret National Security Letters, the disclosure of aggregate user-data request numbers, and searches of foreigners’ records stored on Microsoft servers overseas.
Update 3:15pm CT, April 14: Added DOJ response.