The U.S. Department of Justice is moving to scale back the use of orders forcing technology companies to turn over customer data without alerting users to the clandestine interception of their information.
Microsoft Corp., which sued the government over the practice last year, and other internet giants have argued that the future of cloud computing is in jeopardy if customers can’t trust that their data will remain private. In response to new guidelines quietly issued last week by the DOJ aimed at making “sneak-and-peek” searches more selective, Microsoft said Monday it plans to drop its lawsuit, which was backed by rivals including Alphabet Inc.’s Google and Amazon.com Inc.
The rapid growth of the cloud, in which customer data is stored by providers like Microsoft, Apple Inc., Amazon and Google in the technology companies’ own servers, has increased the frequency of warrants seeking information.
Going forward, prosecutors must “conduct an individualized and meaningful assessment” of whether a secrecy order is needed, according to a memo issued by Deputy attorney general Rod Rosenstein. For internet users whose data is sought, the government shouldn’t delay notifying them for more than a year, except “barring exceptional circumstances,” according to the memo. Microsoft argued in court that too many data requests carry secrecy provisions, often of indefinite duration, that violate the company’s free-speech rights.
“Until today, vague legal standards have allowed the government to get indefinite secrecy orders routinely, regardless of whether they were even based on the specifics of the investigation at hand,” Microsoft president and Chief Legal Officer Brad Smith, said in a statement. “That will no longer be true.”
The DOJ said the changes will protect the rights of citizens and preserve companies’ relationships with their customers.
“This update further ensures that the department can protect the rights of citizens we serve, while allowing companies to maintain relationships with their customers by notifying those suspected of crimes, or believed to have information relevant to a crime, in a timely manner that information was obtained relating to their user accounts,” the department said in an emailed statement.
The dispute centered on the application of the Stored Communications Act, part of the 1986 Electronic Communications Privacy Act, a law that predates the advent of the World Wide Web. Microsoft contended that while some cases might require secrecy because disclosure could create a risk of harm or endanger the government’s case, the practice had become far too common.
In the 18 months before Microsoft sued in April 2016 in Seattle, the company said 2,756 of the legal demands it received from the U.S. government came with secrecy orders and two-thirds appeared to extend indefinitely. Microsoft defeated the government’s bid for dismissal of the suit in February, though the judge didn’t rule on the merits of the case.
In September, Microsoft announced new cloud encryption technology that could offer an end-run around government secretive snooping by enabling customers to control access to content stored in Microsoft data centers.
The company said that despite the government announcing a new approach to sneak-and-peek searches, Congress should change the law. Microsoft supports the ECPA Modernization Act, a bipartisan bill introduced in July that would, among other things, address secrecy orders. The company also didn’t rule out further litigation on the issue.
“We applaud the Department of Justice for taking these steps, but that doesn’t mean we’re done with our work to improve the use of secrecy orders,” Smith wrote. “We have been advocating for our customers before the DOJ for a long time, and we’ll continue to do that. We will continue to turn to the courts if needed.”
By Dina Bass and Chris Strohm