Feds use gag orders to collect cloud data in secret, Microsoft executive tells Congress
The Justice Department is abusing secret subpoenas to collect cloud user data at alarming rates, a top Microsoft executive testified in front of the House Judiciary Committee on Wednesday.
Tom Burt, Microsoft’s vice president of customer security and trust, told lawmakers that the company currently receives between 2,400 and 3,500 secrecy orders each year. That’s roughly a third of the total number of requests that federal law enforcement sends to Microsoft, and it’s a number that has grown as more companies and organizations rely on cloud providers to serve as their virtual offices.
The hearing comes on the heels of a revelation earlier this month that the Justice Department had used such gag orders to secretly subpoena Microsoft and Apple for data from two members of Congress, Capitol Hill staffers and some family members.
“If law enforcement wants to secretly search someone’s physical office, it must meet a heightened burden to obtain a sneak and peek warrant,” said Burt, the sole representative from a technology company on the witness list. “If law enforcement wants to secretly search your virtual office in the cloud they just serve a boilerplate warrant and secrecy order to your cloud provider that prevents notice to you.”
Requests from law enforcement for data from companies like Apple and Microsoft often comprise identifying information like device information and addresses, known as metadata. While the data doesn’t provide as much information as the content of an email itself, for instance, it can help establish communication between parties.
Because such orders are often vaguely written, tech companies may be unaware of whose data they are turning over — making it difficult to know when to fight such requests, Burt said.
Microsoft proposed that Congress should limit indefinite secrecy orders to a “reasonable time” such as 90 days and that the government should be required to provide notice to the target of a demand for data after the order has expired.
There are no legal requirements for companies to notify the subjects of a subpoena after a gag order is lifted, though both Microsoft and Apple have policies in place to make those notifications.
“Only the customer can actually exercise their Fourth Amendment right but you can’t exercise that right if you don’t know it’s violated,” said Burt.
The company also lobbied against so-called “rubber-stamping” by judges of boilerplate warrants that provide little support for why a warrant needs to be conducted in secret.
Other tech companies report tens of thousands of law enforcement requests for data each year, though it’s unclear exactly how many are subject to gag orders. Google, Amazon, Apple and Twitter all filed amicus briefs in federal court backing a 2016 Microsoft lawsuit against the Justice Department, which argued that the agency’s use of such orders violated the First and Fourth Amendments.
Concern about the overreach of federal law enforcement when it comes to hiding warrants is one of the rare points of bipartisan agreement on the Hill. Members of both parties have expressed concerns about the use of such orders to potentially evade Fourth Amendment rights.
“Technology has vastly outpaced the law,” Rep. Jerry Nadler (D-N.Y.), chairman of the House Judiciary Committee, said. “Just because it is easier for prosecutors to seek sweeping amounts of data from service providers does not mean they should be allowed to do so.”
Experts argued that a failure to address the trend could further erode Americans’ privacy expectations.
“The minute you go to the cloud it loses that protection,” said Jonathan Turley, a law professor at George Washington University Law School. “I think a lot of people would be very surprised when they find out their information would be very readily available to the government.”
Some members of Congress are already working to limit the way secret subpoenas chill the work of journalists. Rep. Jamie Raskin (D-Md.) on Thursday will introduce in the House legislation to shield journalists’ digital records.