Max Fleishman

ACLU seeks to join Microsoft lawsuit over customer data secretly acquired by feds

Microsoft says it has received nearly 2,600 secret data requests over the past 18 months.


Dell Cameron


Posted on May 26, 2016   Updated on May 26, 2021, 5:16 pm CDT

The American Civil Liberties Union said Thursday that it would try to join Microsoft in suing the federal government over its use of gag orders tied to demands for customer data.

The tech giant filed suit in April over the thousands of warrants it receives under the Electronic Communications Privacy Act, a 1986 law that lets agencies demand customer records and prevent companies from alerting the public or even the targeted customers.

“A basic promise of our Constitution is that the government must notify you at some point when it searches or seizes your private information,” Alex Abdo, a senior staff attorney at the ACLU’s Speech, Privacy, and Technology Project, said in a statement. “Notice serves as a crucial check on executive power, and it has been a regular and constitutionally required feature of searches and seizures since the nation’s founding.”

The group argues that it is essentially impossible for someone wronged by ECPA’s gag-order provision to request judicial review of the law because, by definition, they wouldn’t know they’d been wronged. Only the tech companies, it says, are capable of bringing suits.

Microsoft says in its complaint, filed in the U.S. District Court for the Western District of Washington, that it has received more than 5,000 requests to hand over customers’ private data since September 2014 and that nearly 2,600 of those warrants included gag orders.

The company accuses the Justice Department of exploiting the rise of cloud computing “as a means of expanding its power to conduct secret investigations.”

“As individuals and businesses have moved their most sensitive information to the cloud,” Microsoft argued, “the government has increasingly adopted the tactic of obtaining the private digital documents of cloud customers not from the customers themselves, but through legal process directed at online cloud providers like Microsoft.”

Microsoft also argued that this flood of secret requests—many of which do not specify a time frame or end date for collection—undermined the public’s confidence in the privacy of the cloud and “impaired Microsoft’s right to be transparent with its customers, a right guaranteed by the First Amendment.”

ECPA reformers argue that the law is the product of an era in which politicians could not have foreseen the complex privacy issues that cloud computing provokes.

For example, one provision allows investigators to demand records without a warrant as long as the records are more than 180 days old. Thirty years ago, Congress assumed that emails stored online for more than 180 days were essentially abandoned property whose seizure did not merit a showing of probable cause.

That logic obviously no longer applies. Thanks to virtually unlimited storage space, most people store vast troves of communications, from emails to text messages, for years without deleting them.

Next week, the Senate Judiciary Committee will consider the Email Privacy Act, which would close the 180-day loophole and make other tweaks to the law. The bill passed the House unanimously.

Last week, Microsoft, along with more than 60 other tech companies and civil-society groups, sent Congress a letter supporting the Email Privacy Act. While they aren’t completely happy with its language, they lauded the bill as a “carefully negotiated compromise” that would “impose a warrant-for-content rule with limited exceptions.”

First Published: May 26, 2016, 3:30 pm CDT