Privacy Advocates Celebrate as Judge Rules Microsoft Can Sue the DOJ
That “so-called” judge is at it again. U.S. District Judge James Robart, whom President Trump lambasted recently for issuing the court order that halted his temporary travel ban, has ruled that the federal government can’t get out of being sued over its surveillance operations.
Last April, Microsoft sued the Department of Justice over the FBI’s use of “sneak-and-peak” email searches and its refusal to allow the company to notify its customers that their data was under surveillance. The suit alleges that the FBI violated users’ Fourth Amendment right against unlawful search and seizure, as well as Microsoft’s First Amendment right to free speech. Robart rejected the Fourth Amendment complaint on the grounds that Microsoft couldn’t sue on behalf of its customers, but said the company had made a solid enough argument on the free speech issue to send it through to trial.
“The public debate has intensified as people increasingly store their information in the cloud and on devices with significant storage capacity,” Robart said in Thursday’s ruling. “Government surveillance aided by service providers creates unique considerations because of the vast amount of data service providers have about their customers.”
In its initial suit, Microsoft said the secrecy orders often prohibit the company from ever telling customers when the FBI presents a warrant for surveillance, even if the investigation is no longer active. Of the 2,600 orders Microsoft had received, it said more than two-thirds had no fixed end date.
Microsoft has drawn wide support from the tech industry. Apple, Google and Amazon all publicly came out against the federal law that allows sneak-and-peek searches. The case highlights the growing legal complexity associated with cloud computing, big data and privacy rights. On one side, the government argues they need the searches to aid in investigations and protect citizens. On the other, privacy advocates say that the government is too liberal with its use of gag orders that prevent companies from notifying their users of the searches.
Putting an end to service providers’ obligatory and sometimes indefinite silence would be a significant first step toward effecting real and meaningful change in privacy laws, says Ladar Levison, founder and CEO of email service provider Lavabit. Levison has achieved hero status among privacy advocates for his refusal to help the FBI gain access to Edward Snowden’s email account in 2013. When they demanded Lavabit’s SSL encryption key in order to get Snowden’s password, Levison shut down the company rather than comply. If people only knew how extensive the government’s reach was, he says, there would be a much bigger groundswell of demand for a right to privacy.
“It’s my belief that if the millions of people who have been placed under surveillance found out that they had been placed under surveillance, and the dubious set of circumstances that led to their lives being inspected by government agents, that this issue of privacy and surveillance would carry a lot more weight with a lot more individuals.”
One of the trickiest parts of the legal process surrounding a push for privacy legislative reform is exactly what Microsoft ran into in Robart’s courtroom: you can’t sue on behalf of someone else’s violated Fourth Amendment rights. But Levison says that even if Microsoft can’t sue to keep customers’ data private, eliminating the gag order will be a big step.
“From my perspective as a service provider, the only time we’re put in this position of having to defend our clients in court is when they can’t defend themselves. Microsoft has to defend their customers when their customers can’t defend themselves, but if Microsoft can tell them there’s been this accusation made against them in regards to criminal activity, and thus is being asked to turn over their property—notice I refer to their information as property—it allows that individual to make a Fourth Amendment claim.”
It’s a busy time for privacy advocates. The U.S. House of Representatives unanimously passed the Email Privacy Act this month, reforming the Electronic Communications Privacy Act (ECPA) and requiring law enforcement agencies to obtain a warrant to access emails 180 days or more older. Also this month, a U.S. judge ordered Google to comply with search warrants seeking customer emails stored on servers outside of the United States, departing from the precedent set by a federal appeals court seven months ago in a similar case involving Microsoft. And we won’t soon forget the furor surrounding the FBI’s attempt to compel Apple to create a backdoor into the iPhone belonging to the terrorist responsible for the San Bernadino shooting last year.
“These issues are on the cusp of being settled, and unfortunately they’ll be settled for all time. How often do we debate states rights or the ability of the federal government to levy an income tax? We’re on the verge of hashing out what is going to be the constitutionality and law surrounding these types of service provider requests,” said Levison. “These issues are deeper and more complex than most people realize.”