Adding to the number of recent, high-profile confrontations between the government and tech companies concerning the limits of government investigations and the protection of privacy interests, last week, Microsoft filed a declaratory suit against the U.S. Department of Justice and the Attorney General of the United States. Microsoft claims that a provision of the Electronic Communications Privacy Act enacted prior to the era of cloud computing violates the First and Fourth Amendments because it allows courts to issue “gag orders” that prevent tech companies from telling customers when federal agents have examined their data, including email content or other private information.
Specifically, under Section 2705(b) of the Electronic Communications Privacy Act of 1986, the government is permitted to apply to the court for an order commanding providers of electronic communications services or remote computing services not to notify “any other person” of the existence of a warrant, subpoena, or court order. Under this provision, the court “shall enter such an order” if it determines that there is “reason to believe” that notification will result in: (1) endangering the life or physical safety of an individual, (2) flight from prosecution, (3) destruction of or tampering with evidence, (4) intimidation of potential witnesses, or (5) otherwise seriously jeopardizing an investigation or unduly delaying a trial.
Microsoft complains that the provision does not require the “reason to believe” to be grounded in the facts of the particular investigation, contains no time limit on the secrecy orders, and does not mandate that the orders be narrowly tailored to further the government’s asserted interests, including by not requiring that the court consider less restrictive alternatives. In its Complaint, Microsoft acknowledges that there may be exceptional circumstances when the government’s interest in investigating criminal conduct justifies an order temporarily barring notifying a customer that the government has obtained the customer’s private communications and data, but it contends that the provision at issue is too broad.
Microsoft explains that its customers are increasingly storing their emails and documents on remote servers owned by third parties – i.e., the cloud, using free web-based services, such as Microsoft Outlook, but that this transition does not alter the constitutional requirement that the government, with few exceptions, must give notice when it searches and seizes the private information or communications of individuals or businesses. Microsoft alleges that, as its customers increasingly store their private information in the cloud, the government increasingly seeks and obtains secrecy orders under this provision. Between September 2014 and March 2016, Microsoft received 5,624 federal demands for customer information or data, of which nearly half − 2,576 − were accompanied by secrecy orders that forbid Microsoft from telling the affected customers that the government was looking at the information. Of these secrecy orders, 1,752 contained no time limit, meaning Microsoft can never inform the affected customers.
Microsoft claims that, by subjecting cloud customers to a different standard by which they are entitled to notice, and not requiring the government to establish that the continuing restraint on speech is narrowly tailored to promote a compelling interest, the provision is facially overbroad under the First Amendment and violates the Fourth Amendment’s protection against unreasonable searches and seizures. Accordingly, Microsoft requests that a federal court in Seattle declare this provision unconstitutional.
This suit highlights the increasing conflicts between government and privacy interests in this new world of technology and the challenges of balancing those interests through the application of existing law. With this case, a court will have to define the boundaries of these balancing interests and the extent of privacy interests over emails, documents, photos, and other data stored in the cloud in company data centers.