The Department of Justice (DOJ) is allowing law enforcement agencies to invade innocent users’ privacy, security, and rights, and is doing so using a law which undermines Cloud Computing, the Constitution, and the entire relationship between technology and law that exists today.
30 Years Later, Pre-Internet ECPA Still Has Immense Effects on Internet Users
Imagine a situation in which a landlord is served a search warrant for one of his tenants, with explicit directions to open a tenant’s apartment, allow a governmental entity to search said apartment, and never tell the tenant, because as a ‘third party,’ said landlord has no right to the contents of the apartment.
Now, imagine that said governmental entity has been given perpetual access to the apartment, there is a perpetual gag order on the landlord that he never communicate that the government entity has and will continue to search the tenant’s apartment, and that all of this can be done without due process.
If it sounds illegal or unconstitutional, when it comes to data stored online, it’s not, and you can thank a law passed five years before the birth of the World Wide Web.
This gross invasion of privacy is being done through a section in the Electronic Communications Privacy Act (“ECPA”), a Reagan-Era law which has spent the past 30 years as the de facto standard for mandating electronic communications, a law which has been mutated by the USA PATRIOT Act, a law that relies on the centuries-old All Writs Act, and a law which could be standing between many honest, legitimate, law-abiding organizations and the value of cloud computing.
Gag Orders, Non-Criminal Investigations, and Your Fourth Amendment Rights
Under the “Gag Order” provision of the ECPA, the United States Government can access your emails, your files, and any other information that a government body feels is necessary to an “investigation.”
Under 18 U.S.C. § 2705(b), a section titled “Preclusion of Notice to Subject of Governmental Access,” a governmental entity is not required to notify a subscriber or customer during an investigation, and may request information “for such period as the court deems appropriate,” not to notify any other person of the existence of the warrant, subpoena, or court order.
Investigations without Charges, Gag Orders without End Dates
Essentially, as was the case of Fox News Correspondent James Rosen or so many others, a governmental entity such as the FBI can call you a “criminal co-conspirator” without charging you of a crime, demand that a service provider/tech company (Microsoft, Google, Mozilla, Dropbox) that they turn over information they have without notifying you, and do so using a subjective timeframe, which all too often means “forever.”
As noted by Microsoft, from September 2014 to March 2016, Microsoft alone received 5,624 federal demands for customer information or data. 2,576 were accompanied by gag or secrecy orders. Over two-thirds of the gag orders (1,752) had no end date.
Worse yet, the number of requests has been ramping up. The 18-month period ending March 2016 included 2,576 gag or secrecy orders. The number of requests in an amended filing included 3,250 gag or secrecy orders over the course of 20 months (September 2014-May 2016), an additional 674 secrecy orders issued in two months.
Microsoft Files Suit: Technology, Media, and Civil Liberties Organizations Join In
In the words of the Microsoft’s Chief Legal Officer Brad Smith, “it’s not every day that Fox News and the ACLU are on the same side of an issue.”
But such is the case in Microsoft Corporation vs. United States Department of Justice and Loretta Lynch, one which allowed many rivals to set aside their differences, and continues to gain massive support from leaders in technology, media, and civil rights, among others.
Microsoft Corporation v. United States Department of Justice, et al
On April 14, 2016, Microsoft filed a lawsuit in federal court to protect citizens’ constitutional and fundamental rights of privacy and free expression. From the suit:
“Microsoft brings this case because its customers have a right to know when the government obtains a warrant to read their emails, and because Microsoft has a right to tell them. Yet the Electronic Communications Privacy Act (“ECPA”) allows courts to order Microsoft to keep its customers in the dark when the government seeks their email content or other private information, based solely on a “reason to believe” that disclosure might hinder an investigation.
Nothing in the statute requires that the “reason to believe” be grounded in the facts of the particular investigation, and the statute contains no limit on the length of time secrecy orders may be kept in place. 18 U.S.C. § 2705(b).
Consequently, as Microsoft’s customers increasingly store their most private and sensitive information in the cloud, the government increasingly seeks (and obtains) secrecy orders under Section 2705(b).
This statute violates both the Fourth Amendment, which affords people and businesses the right to know if the government searches or seizes their property, and the First Amendment, which enshrines Microsoft’s rights to talk to its customers and to discuss how the government conducts its investigations—subject only to restraints narrowly tailored to serve compelling government interests.” –Microsoft Corporation v. The United States Department of Justice
People have a right to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures. Organizations have a responsibility to be transparent with their customers—especially when it comes to disclosing nearly any investigations into their Constitutional rights, and by not notifying its customers, Microsoft’s legal team believes that the organization is complicit in the DOJ’s violations of your rights as a United States Citizen.
The law undercuts the Fourth Amendment by preventing those affected from challenging the lawfulness of the search or seeking redress through the judicial system for violations. Gag orders that run indefinitely allow the government to avoid being held accountable for any wrongdoing. In addition, the service of warrants to third parties is done without any meaningful oversight, putting the DOJ in the position of policing itself—something it does with no particular enthusiasm or effectiveness.
In response to Microsoft’s suit against it, the Department of Justice filed a motion to dismiss, arguing that there is “compelling” interest in keeping criminal investigations private and insists Microsoft has no grounds for this lawsuit.
Additionally, the DOJ added to its motion to dismiss, claiming that “Microsoft’s challenge effectively asks this Court to adjudicate the lawfulness of thousands of such court orders from across the United States,” and that “Microsoft doesn’t have standing to challenge the legal provision because its rights are not being violated and it can’t speak for its users.”
To simplify, the DOJ opposes Microsoft’s suit, because the department made too many requests of other courts, and that the DOJ believes the consumers (remember, the consumers who have not been notified) need to represent themselves because ‘Microsoft has no rights.’
Wipfli Joins Tech, Media, Legal, and Civil Rights Leaders Filing Amicus Briefs
Over the past few months, a plethora of organizations of all sizes, from all industries, and with varying political views joined Microsoft in its fight for the constitutional rights of people with data stored in the cloud. Among them was Wipfli, who on September 22, 2016 filed an amicus curie brief to join the fight for consumer protections in the cloud.
“Being a trusted advisor of cloud services, our clients rely on Wipfli to be their proponent in these matters,” explains Ryan Risley, Director and Chief Technology Officer in Wipfli’s Technology Consulting Practice. “We are pleased to contribute to this important brief as a strong advocate for digital privacy for the future.
As of September 2, 2016, over eighty companies, press associations, and legal groups have signed onto the suit, joining five law professors and five former law enforcement professionals who oppose the application of the ECPA as it regards data stored in the cloud:
|Organizations||Media, Publishers, Associations, and Rights Groups|
See ACLU/ACLU Foundation v. Department of Justice, et al and Court Documents, Microsoft Corporation v. Department of Justice, et al for more information.
The authority of the 30-year old Electronic Communications Privacy Act (ECPA) gives the government too much power in a modern, technologically connected, cloud-first environment, and as such should be modified or repealed to address the needs of law abiding businesses and consumers today.
Essentially, the DOJ is exercising a loophole which insists that a tech company has to turn over papers and effects, but has no right to notify the person whose papers and effects because said tech company is merely a third party and is not the rightful owner.
As a trusted provider of cloud services, and key player to organizations in many of the industries joining Microsoft in this fight for privacy and constitutional rights, Wipfli is proud to support the plaintiff in this battle against government overreach. Our clients rely on us to be their proponent in these matters and it’s critical that this initiative succeed.
For more information on your Due Process Rights as an internet user, visit DigitalDueProcess.org.