It is known from judgments (e.g. Schrems II), legal texts (e.g. PRISM) and expert commissions that there are so-called “Secret Orders” in the USA. These allow US intelligence services, such as the NSA or CIA, to access customer data held by US cloud providers if, for example, there is a suspicion of terrorism. This access is to remain secret and is not disclosed to the customer. Many consider this secret access problematic, since it is not clear, for example, whether it is also being used for industrial espionage.
Microsoft & the Secret Order
Microsoft’s legal department (CELA) has been trying to take action against Secret Orders for a long time; customer pressure against this secret access to customer data has always been strong. This action is divided into several points:
- Legal proceedings / contesting Secret Orders.
- Transparency that is as open as possible, including through general information
- Technical procedures that let customers encrypt their data independently
- Lobbying in politics
- Seeking companions and supporters
- A public report from Microsoft: Transparency Report and Law Enforcement Reports: Reports hub | Microsoft Corporate Social Responsibility
- The federal court in Maryland ruled in January 2020 that Microsoft is allowed to inform customers when access has been gained through a Secret Order.
- The federal court in New York also agreed, as early as September 2020, to inform the customer.
- The federal court in New York is now also negotiating with supporters from Google to Apple about another Secret Order, which is already 2 years old.
- “We strongly believe that the government should be empowered to solve crimes and protect the public, and we understand that law enforcement sometimes needs secrecy during an investigation. But secrecy orders are not necessary in cases where the data belong to large and sophisticated organizations where someone can be notified without posing a significant risk to the government’s investigation.”
Today, I’m sharing continued progress in our work to notify our enterprise customers when the U.S. government seeks access to their data. We don’t receive many U.S. requests for enterprise customer data, but when we do, they sometimes come with secrecy orders. As we have previously shared, we strongly believe our customers own their data and have a right to control it. We also believe that, absent extraordinary circumstances, customers have a right to know when law enforcement requests their email or documents, and we have a right to tell them. For these reasons, we challenge secrecy orders when we believe they need a second look by the courts.
In the past year, we filed two cases resulting in these orders being withdrawn, both of which were recently unsealed. We’re also sharing that, in recent weeks, a third case we brought received widespread support from technology companies, major media companies, the business community and prominent former federal prosecutors.
In the first case, we challenged a secrecy order in federal court in Maryland that barred us from telling our enterprise customer about a request for its data. We filed the challenge in December 2019, and, in January 2020, the government agreed to allow us to notify our customer. This case was unsealed last week, as documented in this order.
In the second, we challenged in September 2020 a similar secrecy order in federal court in New York related to a request for data belonging to another enterprise customer. In October, in response to that challenge, the government agreed to inform the customer. The court files in this case were unsealed in recent weeks including the joint letter informing the court that the government agreed to notify the customer.
In the third, we continue to challenge a secrecy order in a case we previously disclosed from a separate federal court in New York. We’ve been fighting this case for more than two years and it is now in the U.S. Court of Appeals for the Second Circuit. At the end of last month, our case received support from five amicus briefs signed by our competitors Amazon, Apple and Google; 36 prominent former federal prosecutors; news organizations like Associated Press, Gannett, the New York Times, Politico, the Seattle Times and the Washington Post; and industry groups like the National Association of Manufacturers and U.S. Chamber of Commerce. This widespread support demonstrates the negative impact secrecy orders have on communities critical to democracy, the economy and society at large.
This support includes:
- A brief from Amazon, Apple and Google
- A brief from the Business Software Alliance
- A brief from the U.S. Chamber of Commerce, Center for Democracy and Technology, Internet Association and National Association of Manufacturers
- A brief from the Reporters Committee for Freedom of the Press and 23 media organizations
- A brief from 36 prominent former federal prosecutors
We are grateful to each of these organizations for standing with us in this case.
We believe strongly that the government should be empowered to solve crime and keep the public safe, and we appreciate that law enforcement may sometimes need secrecy during an investigation. But secrecy orders are not necessary in cases where the data belongs to large and sophisticated organizations where someone can be notified without creating significant risk to the government’s investigation.
We’ve had a long track record not only in challenging individual secrecy orders but also in bringing legal cases that have led to beneficial government policies curtailing the frequency and duration of secrecy orders. We also believe Congress continues to have a role to play by bringing the Electronic Communications Privacy Act into the modern age of cloud computing. Congress enacted ECPA in 1986 when companies stored records in file cabinets or computer files on their hard drives and servers. In those days, when the government investigated a company and needed access to records, it had to go directly to the company for those records – and companies had an opportunity to protect their rights.
Today, businesses increasingly store their records in the cloud, harnessing the immense computing power the cloud provides. Some law enforcement authorities have tried to exploit this migration of business data to the cloud by issuing secret legal process requiring the cloud provider to produce the company’s data – and then obtaining a secrecy order to silence the provider. This avoids the notice that businesses have historically received when law enforcement authorities seize their property. Congress could help by updating the rules under ECPA to align with the notice requirements for warrants that apply to physical searches. Now, more than ever, businesses should not be at a disadvantage simply because they store their data in the cloud.
In addition to the challenges to secrecy orders we’re sharing today, we also made a new pledge this past November to challenge underlying requests for enterprise or public-sector cloud data.