Microsoft Reveals Shoddiness of Legal Process Behind the Explosion of DOJ Secrecy Orders
Tom Burt, Microsoft's corporate vice president for customer security and trust, testifies before the House Judiciary Committee on Wednesday, June 30, 2021. Burt said it is "frightening" how often the government uses "secrecy orders" to try to access (House Committee on the Judiciary)
In an ancient Greek comedy, The Clouds, Aristophanes asked, “how can I study from below, that which is above?” Still a good question. Most of us today store sensitive personal data in the great above – emails, images and personal files that describe our health, finances and relationships. This storage in cloud computing, managed by a host of large tech companies, has become a fishing pond stocked with a never-ending supply of fish for the Department of Justice and FBI.
Tom Burt, Microsoft’s Corporate Vice President of Customer Security & Trust, last week blew the whistle. He gave a House Judiciary Committee hearing an alarming survey of just how routine and regular the use of the government’s extraordinary access to our data has become. Burt detailed how DOJ has repeatedly exploited the 35-year-old Electronic Communications Privacy Act to demand that cloud service providers release customer data without notifying the customers. Historically, most people who’ve had warrants executed against their home, office, friends or business associates learn that this has happened. With a secrecy order, that notification usually never comes.
The Department of Justice has long deployed “secrecy orders” to seize Americans’ private digital data from these companies, while usually preventing them from alerting their customers. Burt said:
The government has transformed decades-old criminal investigative techniques into secret surveillance operations — all without rigorous review by courts. This lack of transparency inevitably leads to overuse and abuse, such as the recently revealed subpoenas of data belonging to journalists and legislators. Traditionally, secrecy was the exception. In recent years, law enforcement has turned that exception on its head, developing a practice of reflexively asking to keep even routine investigations secret.
The Microsoft executive cited evidence showing that courts have approved secret electronic surveillance based only on cursory assertions that the government has satisfied the legal need for secrecy.
The Justice Department’s own template for a surveillance order application under 18 U.S.C. § 2703(d) does not even require a prosecutor to provide facts justifying the need for secrecy. The template merely blindly asserts that disclosure would “seriously jeopardize” the investigation for a variety of boilerplate reasons.
Since 2016, a period spanning the Obama, Trump and Biden administrations, Microsoft has received an average of 7-10 secrecy orders each day. That amounts to 2,400 to 3,500 secrecy orders a year. Keep in mind that these orders are just those aimed at Microsoft’s cloud services. Multiply these secrecy orders by those sent to Amazon Web Services, Google Cloud Platform, IBM Cloud, Oracle and many others and it is likely the number of secrecy orders issued since 2016 is in the hundreds of thousands.
When will Amazon, Google, IBM and Oracle step up and speak out the way Microsoft has?
The targets of those searches include customers who are not the subjects of investigation, but whose privacy can be considered a collateral casualty. So can large organizations – media companies, universities, corporations and the like – who are either not notified or slapped with a gag order.
Microsoft noted an even more disturbing trend. The government has engaged in court discovery negotiations about an organization under investigation while simultaneously and secretly demanding the company provide the same records. This is done to circumvent disputes over privilege and the extent of discovery in court.
“In law enforcement’s own words, it was simply easier,” Burt said. The basis for a secrecy order should never be because it’s “easier,” yet it has become commonplace.
The fact that email accounts are private only further complicates the issue, Burt said. In 2017, for example, Microsoft received a secret subpoena that targeted a congressional staffer, but the company had no way of knowing who the individual was, or what the subpoena concerned. It was only after the secrecy order expired and Microsoft – not the government – notified the individual about the subpoena that the company learned about the troubling circumstances at issue.
How can U.S. citizens and institutions safeguard our constitutional rights and reasonable expectations of privacy – much less defend them in court – if we don’t even know our rights are at risk?
PPSA applauds Microsoft for speaking out about ongoing surveillance. Burt offered several recommended policy changes. Here they are, in summary:
Microsoft often receives secrecy orders with no expiration date. Congress should end indefinite secrecy orders and limit them to 90 days.
Upon the expiration of a secrecy order, the government should provide notice to the target of the demand for data.
The current nebulous standard for approving an order should be replaced with written analysis that offers a full, meaningful review.
Secrecy orders should be narrowly tailored to achieve a compelling government interest, consistent with the First Amendment.
When one student or employee of a large organization is searched, that organization should be notified, unless a judge affirmatively finds it would lead to an adverse result. It is on this point that Google pushed back against a gag order from the Department of Justice’s investigation of The New York Times. There is, Burt writes, “simply no justification to keep them in the dark just because they use the cloud.”
Some courts have found that providers lack standing to challenge secrecy orders. Congress should codify a statutory right to allow providers to intervene to challenge harmful secrecy orders, to protect their users and to ensure the statutory and constitutional requirements are met.
Government secrecy should be the rare exception, not the norm. Congress must respond to the current state of overreach and deliver meaningful reforms, because “good enough” may be today’s watchword for secret searches and seizures, but it should never become tomorrow’s standard.