Microsoft Clears the Air About Fighting CLOUD Act Abuses
Five of the largest U.S. technology companies pledged support this year for a dangerous law that makes our emails, chat logs, online videos and photos vulnerable to warrantless collection by foreign governments.
Now, one of those companies has voiced a meaningful pivot, instead pledging support for its users and their privacy. EFF appreciates this commitment, and urges other companies to do the same.
Microsoft’s long-titled “Six Principles for International Agreements Governing Law Enforcement Access to Data” serves as the clearest set of instructions by a company to oppose the many privacy invasions possible under the CLOUD Act. (Dropbox published similar opposition earlier this year, advocating for many safeguards.)
Quickly, Microsoft’s principles are:
- The universal right to notice
- Prior independent judicial authorization and required minimum showing
- Specific and complete legal process and clear grounds to challenge
- Mechanisms to resolve and raise conflicts with third-country laws
- Modernizing rules for seeking enterprise data
To understand how these principles could serve as a bulwark for privacy, we have to first revisit how the CLOUD Act does the opposite.
The CLOUD Act, Revisited
Bypassing responsible legislative procedure and robbed of a stand-alone floor vote before being signed into law in March, the CLOUD Act created new mechanisms for U.S. and foreign police to seize data across the globe.
Under the CLOUD Act, the president can enter into “executive agreements” that allow police in foreign countries to request data directly from U.S. companies, so long as that data does not belong to a U.S. person or person living in the United States. Now, you might wonder: Why should a U.S. person worry about their privacy when foreign governments can’t specifically request their data? Because even though foreign governments can’t request U.S. person data, that doesn’t mean they won’t get it.
As we wrote before, here is an example of how a CLOUD Act data request could work:
“London investigators want the private Slack messages of a Londoner they suspect of bank fraud. The London police could go directly to Slack, a U.S. company, to request and collect those messages. The London police would receive no prior judicial review for this request. The London police could avoid notifying U.S. law enforcement about this request. The London police would not need a probable cause warrant for this collection.
Predictably, in this request, the London police might also collect Slack messages written by U.S. persons communicating with the Londoner suspected of bank fraud. Those messages could be read, stored, and potentially shared, all without the U.S. person knowing about it. Those messages could be used to criminally charge the U.S. person with potentially unrelated crimes, too.”
Many of the CLOUD Act’s privacy failures—failure to require notice, failure to require prior judicial authorization, and the failure to provide a clear path for companies and individuals to challenge data requests—are addressed by Microsoft’s newly released principles.
The Microsoft Principles
Microsoft’s principles encompass both itself and other U.S. technology companies that handle foreign data, including cloud technology providers. That’s because the principles sometimes demand changes to the actual executive agreements—changes that will affect how any company that receives CLOUD Act data requests can publicize, respond to, or challenge them. (No agreements have been finalized, but EFF anticipates the first one between the United States and the United Kingdom to be released later this year.)
Microsoft has committed to the “universal right to notice,” saying that “absent narrow circumstances, users have a right to know when the government accesses their data, and cloud providers must have a right to tell them.”
EFF agrees. For years, we have graded companies explicitly on their policies to inform users about U.S. government data requests prior to fulfilling such requests, barring narrow emergency exceptions. It is great to see Microsoft’s desire to continue this practice for any CLOUD Act data request it receives. The company has also demanded that it and other companies be allowed to fight nondisclosure orders that are tied to a data request. This is similar to another practice that EFF supports.
Providing notice is vital to empowering individuals to legally defend themselves from overbroad government requests. The more companies that do this, the better.
Further, Microsoft committed itself to “transparency,” saying that “the public has a right to know how and when governments seek access to digital evidence, and the protections that apply to their data.”
Again, EFF agrees. This principle, while similar to universal notice, serves a wider public. Microsoft’s desire is to not only inform users whose data is requested about those data requests, but to also spread broader information to everyone. For instance, Microsoft wants all cloud providers to “have the right to publish regular and appropriate transparency reports” that unveil the number of data requests a company receives, what governments are making requests, and how many users are affected by requests. This type of information is crucial to understanding, for instance, if certain governments make a disproportionate number of requests, and, if so, what country’s persons, if any, are they targeting? Once again, EFF has graded companies on this issue.
Microsoft’s interpretation on transparency also includes a demand that any executive agreement negotiated under the CLOUD Act must be published “prior to its adoption to allow for meaningful public input.” This is the exact type of responsible procedure that Congressional leadership robbed from the American public when sneaking the CLOUD Act into the back of a 2,232-page government spending bill just hours before a vote. Removing the public from a conversation about their right to privacy was unacceptable then, and it remains unacceptable now.
Microsoft additionally demanded that any CLOUD Act data requests include “prior independent judicial authorization and required minimum showing.” This is a big deal. Microsoft is demanding a “universal requirement” that all data requests for users’ content and “other sensitive digital evidence” be first approved by a judicial authority before being carried out. This safeguard is nowhere in the CLOUD Act itself.
One strong example of this approval process, which Microsoft boldly cites, is the U.S. requirement for a probable cause warrant. This standard requires a judicial authority, often a magistrate judge, to approve a government search application prior to the search taking place. It is one of the strongest privacy standards in the world and a necessary step in preventing government abuse. It serves as a bedrock to the right to privacy, and we are happy to see Microsoft mention it.
Elsewhere in the principles, Microsoft said that all CLOUD Act requests must include a “specific and complete legal process and clear grounds to challenge.”
Currently, the CLOUD Act offers individuals no avenue to fight a request that sweeps up their data, even if that request was wrongfully issued, overbroad, or illegal. Instead, the only party that can legally challenge a data request is the company that receives it. This structure forces individuals to rely on technology companies to serve as their privacy stewards, battling for their rights in court.
Microsoft’s demand is for a clear process to do just that, both for itself and other companies. Microsoft wants all executive agreement data requests to show proof that prior independent judicial review was obtained, a serious crime is under investigation as defined by the executive agreement, and that the data request is not for an investigation that infringes human rights.
Finally, a small absence: EFF would like to see Microsoft commit to “minimization procedure” safeguards for how requested data is stored, used, shared, and eventually deleted by governments.
You can read the full set of principles here.
A Broader Commitment
Microsoft’s principles are appreciated, but it must be noted that some of their demands require the work of people outside the company’s walls. For example, lawmakers will decide how much to include the public when negotiating executive agreements under the CLOUD Act. And lawmakers will decide what actually goes in those agreements, including restrictions on the universal right to notice, language about prior judicial review, and instructions for legal challenges.
That said, Microsoft is powerful enough to influence CLOUD Act negotiations. And so are the four companies that, as far as we know, still non-conditionally support the CLOUD Act—Apple, Google, Facebook, and Oath (formerly Yahoo). EFF urges these four companies to make the same commitment as Microsoft and to publish principles that put privacy first when responding to CLOUD Act data requests.
EFF also invites all companies affected by the CLOUD Act to also publish their own set of principles similar to Microsoft’s.
As for Microsoft, Apple, Google, Facebook, and Oath, we can at least say that some have scored well on EFF’s Who Has Your Back reports, and some have shown a healthy appetite for defending privacy in court, challenging government gag orders, search warrants, and surveillance requests. And, of course, if these companies falter, EFF and its supporters will hold them accountable.
The CLOUD Act has yet to produce its first executive agreement. Before that day comes, we urge technology companies: support privacy and fight this dangerous law, both for your users and for everyone.