May 23, 2014
Microsoft Challenges FBI On Policy Of Notifying Enterprise Customers Of Government Data Requests
Peter Suciu for redOrbit.com - Your Universe Online
Software giant Microsoft could be singing the tune that it fought the law and IT won.
Newly disclosed documents that were released on Thursday shed light on the unusual efforts that tech companies have had to make to combat government data requests following leaks from former National Security Agency contractor-turned-leaker Edward Snowden that revealed details of the U.S. government's massive data-collection efforts.
According to the Wall Street Journal, Microsoft filed its challenge less than two weeks after Snowden first revealed himself in June of last year. However, that filing could have been in the works much earlier.
"The timing was more coincidental," Microsoft's general counsel, Brad Smith, said in an interview with WSJ reporters Danny Yadron and Jennifer Valentino-DeVries. "Obviously the concern of the customer is substantially greater in the wake of Snowden disclosures."
This particular case involved the FBI wanting to know more – much more it seems – about a particular user, and the request for the data came with a gag order. Microsoft has also noted that it has a standing policy against such gag orders, and instead of complying, the company opted to take the FBI to court. The tech giant claimed that the gag order violated its constitutional right to free expression.
The filing, which was made in federal court, came around the same time the Snowden leaks revealed the scale of government surveillance programs. Soon after, the FBI backed down, and as Russell Brandom of The Verge noted, "Microsoft had called the FBI's bluff."
Despite the fact that Microsoft has a policy against gag orders, some of this information is only now coming to light.
"A federal court in Seattle unsealed documents related to an FBI National Security Letter that Microsoft successfully challenged in court late last year," Microsoft's Smith said on the company's official blog on Thursday. "This marks an important and successful step to protect Microsoft's enterprise customers regarding government surveillance.
"Because information about the case wasn't public until today, this is our first opportunity to discuss it in detail. Given the strong ongoing worldwide interest in these issues, we wanted to provide some additional context on the matter," Smith added. "The FBI's letter in this case sought information about an account belonging to one of our enterprise customers. Enterprise customers at Microsoft include legitimate businesses, governments, and non-governmental organizations. Like all National Security Letters, this one sought only basic subscriber information."
Late last year Microsoft had also announced that it was committed to notifying business and government customers if it received legal orders related to their respective data, and it vowed that it would continue to challenge any gag orders in court. Microsoft further said it would preserve its ability to alert customers when governments seek to obtain its clients' data.
Smith also stressed that, despite Microsoft's strong language, this type of request for data is actually quite rare.
"Government requests for customer data belonging to enterprise customers are extremely rare," Smith wrote. "We therefore have seldom needed to litigate this type of issue. In those rare cases where we have received requests, we've succeeded in redirecting the government to obtain the information from the customer, or we have obtained permission from the customer to provide the data. We're pleased with the outcome of this case, which validates our approach."
Microsoft's stance has earned kudos from privacy advocates.
"Companies are now starting to stand up for users' privacy," Alex Abdo, an attorney at the American Civil Liberties Union, told the WSJ. "Microsoft deserves credit for this."
However, the paper also reported that Abdo questioned whether the tech giant would have fought the government so hard if the FBI had targeted an individual user rather than a large business customer.