by Eric Packel | BakerHostetler
Prior to the Information Age, sensitive papers were stored in file cabinets and drawers. When home computers arrived, information was digitized and moved to hard drives or other electronic media, still possessed by the user. Today, with the general availability of high-speed Internet service, many individuals are moving information to the so-called cloud – which means that private documents, photos, and emails are now stored on servers owned by technology giants like Microsoft and Apple, typically housed in forbidding and remote massive facilities.
But should the rules on government access to private data depend on where the data is stored? Is private data any less private if it is not kept in the home? A Microsoft lawsuit against the U.S. Department of Justice sheds light on a little-known provision of the Electronic Communications Privacy Act (ECPA), which enables the secret and unchallenged seizure of consumer information held by cloud providers.
At issue in Microsoft’s lawsuit is Section 2705(b) of the ECPA, which permits a court to issue secrecy orders so that cloud providers are not only compelled to produce customer information sought by a government entity, but are also barred from notifying those customers that the government has asked for or obtained their private communications and data. This prevents individuals from asserting any rights available to them concerning a search of their information by the government. Gag orders under Section 2705(b) can be prolonged or even indefinite, depending on the circumstances of the investigation.
As 
Microsoft states in its complaint, this means the government is treating private information differently when it is stored in the cloud. As the lawsuit points out:
A customer that stored paper documents in file cabinets or emails on on-site servers would generally know contemporaneously about the execution of a warrant by law enforcement – and would be able to assert any rights concerning any documents or data seized during the search. A customer storing documents and mail remotely in the cloud should be in the same position.
Accordingly, Microsoft seeks to invalidate Section 2705(b) as unconstitutional. Microsoft asserts that the use of Section 2705(b) violates the Fourth Amendment prohibition against unreasonable searches and seizures and also invokes the First Amendment, since ECPA gag orders, which bar Microsoft from disclosing a search to its customers, operate as a prior restraint on speech about government conduct.
Microsoft claims that the U.S. government has, in just the last 18 months, asked it to maintain secrecy regarding 2,576 legal demands, prohibiting Microsoft from speaking to those customers about demands for their data. Among those secrecy orders, 1,752 contain no end date, so Microsoft is forever barred from telling those customers that the government obtained their data.
First passed in 1986, the ECPA is, not surprisingly, a clumsy government tool for the collection of private information; 1986 was long before cloud computing or general consumer use of the Internet and email. As many critics have already noted, technology has outpaced the ECPA, and Congress is already considering reform via the Email Privacy Act. The bill would update privacy protections for electronic communications stored by third-party providers.
Of course, it’s not the first time that antiquated laws have come up against modern technology. In its ongoing skirmish with Apple over searching encrypted iPhones, the FBI is relying on the All Writs Act (AWA), originally passed by the First Congress in 1789. Although the FBI found a third party to break into a terrorist’s iPhone in the San Bernardino case, so Apple was not forced to create a special version of its operating system (dubbed by some as “FBiOS”), the battle over locked iPhones and the use of the AWA continues in a drug case in New York.
Microsoft’s action highlights the importance of protecting customers’ information in order to remain competitive in the global marketplace. Businesses and individuals may want to avoid U.S. cloud providers if they know that their data, including confidential and proprietary business information, could be subject to access by U.S. law enforcement or government agencies without prior knowledge or warning.
Whether Microsoft’s lawsuit is successful remains to be seen, but with the Microsoft case coming on the heels of Apple’s stand against the FBI, a trend seems to be emerging where the government may no longer be able to count on voluntary cooperation by information providers to simply – and quietly – turn over private information. It appears that the tech giants of today will no longer allow themselves to be used as arms of the state. [24×7]
About the Author
BakerHostetler, one of the nation’s largest law firms, represents clients around the globe. With offices coast to coast, our more than 900 lawyers litigate cases and resolve disputes that potentially threaten clients’ competitiveness, navigate the laws and regulations that shape the global economy, and help clients develop and close deals that fuel their strategic growth.
Author Eric A Packel focuses his practice on privacy, data security, and technology issues for BakerHostetler. He has worked with the Cyber Crime division of the FBI, the U.S. Secret Service, local law enforcement, and prominent forensics experts in data incident investigations, and often counsels clients on appropriate strategies to respond to regulatory investigations following breach incidents.
In the Seattle office of BakerHostetler, Randal Gainer is a Certified Information System Security Professional (CISSP) who advises banks, professional services firms, universities, telecommunications companies, retail businesses and hospital systems regarding compliance with computer network security laws and standards, and helps businesses conduct information system risk assessments and negotiate the data security terms of vendor agreements.
