In response to complaints over authorities’ overreaching powers to intercept technology companies’ customer data, the US Department of Justice has announced a new approach to so-called “sneak-and-peek” searches which it says will better protect citizens’ rights and improve their trust in technology companies.
Until now, companies were forced to hand over their customers’ data and were banned from notifying them that this was taking place.
Last year, Microsoft sued the federal government over the thousands of such legal demands it had been forced to comply with, stating that this put its customers’ trust in jeopardy. With the support of Apple, Google and Amazon, the company contested the number of searches carried out under the veil of secrecy orders that had no time limit and thus extended indefinitely.
Thou shalt sneak and peek no more
Under the policy changes, an “individualized and meaningful” assessment of whether or not a secrecy order is appropriate should be performed and, unless special circumstances say otherwise, customers should be notified within a year of the prosecutors’ access to their private data.
Microsoft is reportedly “taking steps to dismiss” its lawsuit against the US government, but in a blog post, the company’s president and chief legal officer, Brad Smith, said that the company is “committed to working with Congress” on the issue.
He went on to say that the company supports the Electronic Communications Privacy Act (ECPA) Modernization Act of 2017, a bill put forward in the Senate in July, which would update the 1986 version of the ECPA. Among other things, the bill would restrict the use of secrecy orders to specific circumstances and time frames.
Smith said: “We hope Congress will make this positive step forward more permanent by updating outdated laws to better protect our digital rights while still enabling law enforcement to do its job.”
Technology companies, and particularly those in the cloud business, take customer privacy issues to heart, as their ability to protect the data puts their reputation on the line, with fears over privacy already being the cloud’s weakest link.
Microsoft has been particularly fervent in its efforts to keep customer data outside of US authorities’ jurisdiction, and the 2016 lawsuit was the fourth it filed against the US government.
The first, in 2014, contended that companies should be allowed to disclose to their customers when authorities were pursuing investigations relating to national security laws, and resulted in their being allowed to disclose numbers of orders in brackets of 100 (the first being 0-99, the second 100-199, etc.) and to specify whether the orders sought out customer content.
The second took place the same year, and related to an FBI National Security Letter which requested information belonging to one of Microsoft’s enterprise customers; the company challenged this on the grounds of an associated non-disclosure agreement, which it claimed went against its constitutional right to free expression. As a result, the FBI withdrew the letter.
Finally, Microsoft contested a federal search warrant for customer emails hosted in its data center in Ireland. The company’s refusal was upheld by the Second Circuit Court of Appeals, but was recently pushed back into the limelight when the US Supreme Court agreed to review the case.