Microsoft Triumphs in Fight to Notify Users of Government Data Requests

Brandy Hough, MJLST Staffer

 

This week, Microsoft announced it will drop its secrecy order lawsuit against the U.S. government after the Deputy U.S. Attorney General issued a binding policy limiting the use and term of protective orders issued pursuant to 18 U.S.C. §2705(b) of the Electronic Communications Privacy Act of 1986 (“ECPA”), also referred to as the Stored Communications Act (“SCA”).

 

The ECPA governs requests to obtain user records and information from electronic service providers. “Under the SCA, the government may compel the disclosure of . . . information via subpoena, a court order under 18 U.S.C. § 2703(d), or a search warrant.” Pursuant to 18 U.S.C. § 2705(b), a government entity may apply for an order preventing a provider from notifying its user of the existence of the warrant, subpoena, or court order. Such an order is to be granted only if “there is reason to believe” that such notification will result in (1) endangering an individual’s life or physical safety; (2) flight from prosecution; (3) destruction of or tampering with evidence; (4) intimidation of witnesses; or (5) seriously jeopardizing an investigation or delaying a trial.

 

Microsoft’s April 2016 lawsuit stemmed from what it viewed as routine overuse of protective orders accompanying government requests for user data under the ECPA, often without fixed end dates. Microsoft alleged both First and Fourth Amendment violations, arguing that “its customers have a right to know when the government obtains a warrant to read their emails, and . . . Microsoft has a right to tell them.” Many technology leaders, including Apple, Amazon, and Twitter, signed amicus briefs in support of Microsoft’s efforts.

 

The Deputy Attorney General’s October 19th memo states that “[e]ach §2705(b) order should have an appropriate factual basis and each order should extend only as long as necessary to satisfy the government’s interest.” It further outlines steps that prosecutors applying for §2705(b) orders must follow, including one that states “[b]arring exceptional circumstances, prosecutors filing § 2705(b) applications may only seek to delay notice for one year or less.” The guidelines apply prospectively to applications seeking protective orders filed on or after November 18, 2017.

 

Microsoft isn’t sitting back to celebrate its success; instead, it is continuing its efforts outside the courtroom, pushing for Congress to amend the ECPA to address secrecy orders.

 

Had the case progressed without these changes, the court should have ruled in favor of Microsoft. Because the way § 2705(b) of the SCA was written, it allowed the government to exploit the “vague legal standards . . . to get indefinite secrecy orders routinely, regardless of whether they were even based on the specifics of the investigation at hand.”This behavior violated both the First Amendment – by restraining Microsoft’s speech based on “purely subjective criteria” rather than requiring the government to “establish that the continuing restraint on speech is narrowly tailored to promote a compelling interest”  – and the Fourth Amendment – by not allowing users to know if the government searches and seizes their cloud-based property, in contrast to the way Fourth Amendment rights  are afforded to information stored in a person’s home or business. The court therefore should have declared, as Microsoft urged, that § 2705(b) was “unconstitutional on its face.”