Cloud privacy: Microsoft legal win vs. DoJ (or was it a Pyrrhic victory?)

Richi Jennings, Industry analyst and editor, RJAssociates

After 18 months of fighting, the U.S. Department of Justice has agreed to stop the “overuse” of gag orders when seeking to snoop on users’ email or other cloud data. The DoJ also promised a time limit on requests for secrecy.

Microsoft and others are happy about that because it would allow them to tell cloud customers that the feds peeked at their data. But the Electronic Communications Privacy Act of 1986 is still in force, which presents a problem. And—lest we forget—FISA also remains in place.

So what does it mean for you? In this week’s Security Blogwatch, we get ready to rumble.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Simpson’s Paradox

What’s the craic? Catherine Shu is on the other foot: [You’re fired!—Ed.]

Microsoft said it will drop its lawsuit against the [DoJ] over gag orders that prevent companies from telling customers when their personal data has been accessed by investigators.

Prosecutors [must now] give more detailed reasons when applying for gag orders and [it’s] much harder to seek one that lasts indefinitely.

The DOJ’s new policy says prosecutors must “conduct an individualized and meaningful assessment regarding the need for protection from disclosure.”

Someone’s happy in Redmond this week. Microsoft CLO Brad Smith says Now it’s Congress’ turn:

Today marks another important step in ensuring that people’s privacy rights are protected when they store … information in the cloud. [The] DOJ today established a new policy to address these issues … an important step for both privacy and free expression.

Customers have a constitutional right to know when the government gets their email or documents, and we have a right to tell them. … These fundamental protections should not disappear just because customers store their personal information in the cloud rather than in file cabinets.

In April 2016 … we highlighted the fact that the government appeared to be overusing secrecy orders in a routine fashion … and were seeking indefinite secrecy orders in a large number of cases. … In short, we were prevented from ever telling a large number of customers that the government had sought to access their data.

The binding policy issued today by the Deputy U.S. Attorney General should diminish the number of orders that have a secrecy order attached, end the practice of indefinite secrecy orders, and make sure that every application … is carefully and specifically tailored.

[But] today’s policy doesn’t address all of the problems with the Electronic Communications Privacy Act (ECPA) … and we renew our call on Congress to amend it. … It is time to update this outdated 1986 law … to better protect our digital rights while still enabling law enforcement to do its job.

What’s the background to this Microsoft complaint? Cyrus Farivar brings us up to speed—Microsoft to drop lawsuit:

In April 2016, Microsoft sued the DOJ, asking a judge to declare unconstitutional the specific portion of federal law that deals with delayed notice, known as 18 USC 2705(b). Numerous large tech companies have sided with Microsoft in this case, including Apple, Google, Dropbox, Amazon, and Salesforce.

By February 2017, a federal judge in Seattle ruled in the company’s favor, allowing the case to go forward, and had set a trial date for June 2018.

To which, Gorshkov expostulates thuswise:

It is NOT an unequivocal win for anybody but the Justice Department. By changing their policy, Microsoft has dropped their lawsuit, so there is no ruling and no precedent set.

At some point in the future, there is nothing to stop the Justice Department from re-implementing the policy, and it would take—again—years for THAT resulting lawsuit to reach the point where they had to change it again to avoid precedent. They can yo-yo this thing forever if they want to.

And XXongo has this pointed question:

[Brad Smith] says that there is a "binding policy issued today by the Deputy U.S. Attorney General" but doesn't … tell us what the word "binding" means—How "binding"? Just until the next time the Attorney General decides to change it?

And Admiral***hat thinks it’s a trap:

Dropping the lawsuit was a bad idea. We now have no official legal ruling or precedent. The DOJ could reverse its policy at any time, and tech companies would have no recourse.

But Grant Ellis plays a lawyer on TV:

You're unlikely to get more binding precedent if you continue the lawsuit, though.

If Justice changes the policy again, the plaintiff will be able to make a 'recurring but evading review' argument.

We interrupt our stream of consciousness to bring you this PSA from Richard Lawler:

This situation shouldn't be confused with Microsoft's other lawsuit, which is fighting a request by the US government to access email data on a server in Ireland.

In other news, Taylor Hatmaker is brimming with Bipartisan bill seeks to reform a law that allows spy agencies to surveil US citizens:

On Tuesday, a bipartisan group in Congress proposed legislation to rein in a controversial loophole in the Foreign Intelligence Surveillance Act (FISA) that provisions U.S. spy agencies with a legal loophole to conduct warrantless surveillance on American citizens.

The timing comes on the day of a closed Senate Intelligence Committee session debating a bill that would reauthorize the … law, which is set to expire at the end of this year. … The legislation seeks to limit Section 702 surveillance. … It would require intelligence agencies to obtain a warrant.

Section 702 is hotly contested for its role in a surveillance practice known as incidental collection.

Oh. Here’s the EFF’s David Ruiz—FBI Director Wray is Wrong:

Newly-minted FBI Director Christopher Wray threw out several justifications for the continued, warrantless government search of American communications.

Constitutionality … U.S. courts have delivered opinions in lawsuits involving data collected under Section 702, but no single court has delivered an opinion specifically on the constitutionality of Section 702. It’s an issue that EFF is currently fighting. … Wray is mischaracterizing the court’s opinion.

Oversight … Congressional oversight is a myth. … As for judicial oversight, the court that approves warrants under Section 702 … has rebuked the NSA in multiple opinions. … While Section 702 is subject to government oversight, it doesn’t look like the NSA pays much attention. [And] there can be no meaningful public oversight so long as we are kept in the dark.

Safety … Unwilling to explain Section 702 success stories, Wray instead relied on the hypothetical. … He conjured hypothetical mass shootings and lone gunmen. … Wray’s suggestion of “another attack” … suggests fear will help steer Americans towards the right decision. … Fear drove McCarthyism … Japanese American internment … the Chinese Exclusion Act and it helped drive the Patriot Act.

Meanwhile, the best gag of the day comes from Delicieuxz:

If privacy is something Microsoft is interested in, then why Windows 10?

The moral of the story? If you run a cloud service and receive a secret subpoena, your legal counsel can ask pointed questions about why it’s secret and for how long.

And finally …

Having more money means it’s more likely you’re a cat

Or: why Simpson’s Paradox makes my head hurt

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: U.S. Department of Justice (cc0)