New Department of Justice policy requires gag orders on cloud providers to be grounded in fact
Microsoft president and chief legal officer Brad Smith: “This new policy limits the overused practice of requiring providers to stay silent.”
Image: Carnegie Europe/YouTube
The Department of Justice (DoJ) has issued a new policy that restricts when prosecutors can use gag orders to prevent cloud providers from telling customers that their emails and documents have been accessed by the government.
As a result, Microsoft says it will move to dismiss a lawsuit it filed against the DoJ last year. At the time, Microsoft revealed it had been issued 2,576 secrecy orders in the past 18 months, 68 percent of which had no expiry date.
Under the new policy, issued by the DoJ’s deputy attorney general last week, each secrecy order “should have an appropriate factual basis” and only last “as long as necessary to satisfy the government’s request”.
The new rules only apply to gag orders obtained under the Electronic Communications Privacy Act/Stored Communications Act and don’t affect existing procedures for national security letters.
“This new policy limits the overused practice of requiring providers to stay silent when the government accesses personal data stored in the cloud. It helps ensure that secrecy orders are used only when necessary and for defined periods of time,” Microsoft president and chief legal officer Brad Smith said in a blogpost.
Until today, vague legal standards have allowed the government to get indefinite secrecy orders routinely, regardless of whether they were even based on the specifics of the investigation at hand. That will no longer be true.”
Smith said the binding policy issued by the DoJ should cut the number of orders that have a secrecy order attached. It should also “end the practice of indefinite secrecy orders, and make sure that every application for a secrecy order is carefully and specifically tailored to the facts in the case”.
Microsoft’s suit argued that long and indefinite secrecy orders violated customers’ Fourth Amendment right to know when the government accesses searches or seizes their property.
Microsoft also contended it had a right under the First Amendment to tell customers about how government action is affecting their data.
It said the simultaneous rise of government demands from cloud providers and secrecy orders undermined consumers’ confidence of privacy in the cloud.
Smith renewed Microsoft’s campaign for Congress to modernize the Electronic Communications Privacy Act, which was passed in 1986.
“Specifically, the US Senate should advance the ECPA Modernization Act of 2017, introduced in July by Sens. Mike Lee, R-Utah, and Patrick Leahy, D-Vermont… It is time to update this outdated 1986 law that regulates government access to contemporary electronic communications,” he wrote.