Microsoft joins lawsuit in fight for individual privacy

Microsoft is suing the United States for violation of its First Amendment right and your Fourth Amendment rights.

It seems that this is what it has come down to: The individual right of privacy and security versus the expediency of law enforcement vis-à-vis the related issues of personal encryption and law enforcement access of private emails with an effective gag order preventing the individual from ever knowing that their electronic information was intercepted. 

On April 14, Microsoft joined many other large Internet companies in pushing back against government intrusion into their business by suing the federal government for violating Microsoft’s first amendment right to free speech by ordering Microsoft not to inform individuals when that individual’s data was accessed by law enforcement.

This will be an interesting case and no doubt a watershed for future legislation and litigation. But before we look at the possible outcomes, it is useful to understand the source of legitimacy of the government’s demands and Microsoft’s position.

Prior to 2001, the Supreme Court repeatedly affirmed an individual’s Fourth Amendment rights to privacy and protection against unreasonable search and seizure by requiring that Law Enforcement notify the subject of a search prior to the search, or at least during or as soon as practicable after, unless there were extreme mitigating circumstances such as risk of life or the flight of a felon.

[ ALSO ON CSO: The economics of back doors ]

Section 213 of Patriot Act gravely crippled, and in some cases effectively removed, a citizen’s rights under the fourth amendment by stating that law enforcement may withhold notification if it can show that their investigation may be jeopardized. Given this extremely low bar, few should be surprised that as a matter of practice, every investigation is claimed to be in jeopardy if the subject of a search is notified. In addition, although section 2705(a) of the Electronic Communications Privacy Act (ECPA) (amended by the Patriot Act) provides that notice of a search warrant must not exceed 90 days, section 2705(b) allows a judge to “delay” notification indefinitely. 

Under this “sneak and peek” indefinite delay doctrine, federal judges approved 2,600 secret searches of Microsoft’s customers in the last 18 months. That is 4.75 new search requests every day, weekends included, for the last year and a half. In the first six months of 2015, Apple revealed that it had received 1,407 similar requests for secret searches – 7.7 new searches every day. 

It would be difficult to imagine, even given the size of the population of the United States, that these requests are the targeted investigations that they should be. 

Microsoft is claiming in its recent lawsuit that section 2705(b) of the ECPA violates Microsoft’s first amendment right to free speech by preventing it from speaking with its customers and is asking the court to rule that section 2705(b) is unconstitutional and should be set aside. Microsoft goes on in their suit to describe the move of data from personal devices to cloud storage and argues that cloud storage is still personal storage and should be afforded the same protections provided to the owner of a personal hard drive. In addition, Microsoft is claiming that the “sneak and peek” tactics violate a customer’s fourth amendment rights in that the search is unreasonable due to the lack of notice. 

[ RELATED: Privacy: at what cost? ]

This lawsuit comes at an interesting time when we are seeing a collision of the federal government’s attempt to weaken personal privacy in the name of anti-terrorism with industry professional’s push to reduce crime by providing the individual with more privacy and security. Couple this with the passing of the General Data Privacy Regulation (GDPR) in Europe that increases business’s responsibility to protect its customer’s data, and we have the perfect storm of conflicting legislation with the individual and private business drowning in the center.

One thing that history has shown us is that privacy (through secrecy of passphrases and encryption) can only be maintained in an absolute. Even Benjamin Franklin realized this on a simple level when he quipped “Two people can keep a secret, if one of them is dead.”

Backdoors to encryption such as are being proposed by the Burr-Feinstein anti-encryption bill are well intentioned but will do nothing but weaken privacy to the point of non-existence and could actually increase the fraud perpetrated on the individual. In response to a post on the Burr-Feinstein bill, one security expert commented: “I can’t wait to live in a country where ransom-ware has the best crypto!”

The Chinese have a curse “May you live in interesting times.” We are all in one of the most interesting times of modern history as the decisions by the U.S. courts on the Microsoft lawsuit and the Congress’s voting on the Burr-Feinstein bill will have profound and lasting influence on American’s right to privacy and freedom for many, many years to come.

Copyright © 2016 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)