Microsoft Corp. responded swiftly to a pre-dawn fax from the FBI in January. The two terrorists who killed a dozen people at the newspaper Charlie Hebdo in Paris had Microsoft e-mail accounts stored on servers in the U.S., and 45 minutes later their contents were en route to the agency, to be shared with French authorities.
The company hasn’t always been so eager to comply. A year earlier, it rebuffed a request from the Department of Justice for a suspected drug trafficker’s e-mails. Those were in a data center in Dublin — and according to Microsoft, the arm of American law enforcement doesn’t extend to Ireland. That set in motion a legal challenge putting Microsoft and its general counsel, Brad Smith, in the lead of a charged battle between the U.S. technology industry and the U.S. government. Microsoft has lost twice. In seven days its lawyers will make their arguments before the U.S. Court of Appeals in New York.
More than two dozen companies, including Apple Inc. and Cisco Systems Inc., have filed briefs on Microsoft’s behalf in the case, which is about due process and the right to privacy, and money. Internet service providers may be hard-pressed to sell Web-based products if they can’t promise that digital records stowed in foreign countries will be protected by those countries’ laws — and from unilateral U.S. search-and-seizure missions.
“Some public-sector companies say, ‘I cannot put my data in the data center of an American company unless you win this case,’” Smith, 56, said from Microsoft’s campus in Redmond, Washington. “I have had that said to me on multiple occasions.”
The U.S. government’s contention is that it can demand electronic data anywhere U.S. companies keep them, and that it doesn’t need to ask a local jurisdiction’s permission. A magistrate and a federal judge have agreed. If Microsoft doesn’t prevail in the appeal, Smith said it will go to the U.S. Supreme Court.
Microsoft is engaged in similar battles in Belgium and Brazil, where an executive faces criminal charges because the company has refused to turn over Skype records. The Ireland fight is viewed as critical: Microsoft, Amazon.com Inc., Google Inc. and others have spent billions to build data centers in other countries, in part to be able to assure foreign clients of their data’s security, and Microsoft’s losing the case could jeopardize that.
Edward Snowden’s exposure of clandestine data collection by the U.S. — sometimes with industry collaboration — has already cost companies. They could forgo more than $35 billion in sales by 2016 because of doubts about the security of their cloud-based systems, according to the Information Technology & Innovation Foundation.
But Smith said he’s also fighting for higher-minded reasons. “There are certain issues of principle that it’s important to stand up to defend,” he said. However fast technology advances, “timeless values should endure. Privacy is a timeless value.”
There’s irony in any tech company confronting the government on privacy matters, considering how much heat many take for mining their own customer information and using it for advertising and other profitable purposes. JP Schmetz, chief scientist at German publisher Hubert Burda Media, which owns Focus magazine, agrees with Microsoft in the Ireland case — and makes sure his company runs Windows on machines with settings to keep user data from being shared with the company.
Dominic Carr, a Microsoft spokesman, said the company meets “the most stringent international cloud compliance standards” for privacy and security but added, “As we advocate for stronger privacy protections for customers we recognize that companies should also be held to a high standard.”
Microsoft has been among the most aggressive in the industry in challenging the U.S. on its access to customers’ information. In 2013, Smith wrote a blog post pledging the company would protect them “from government snooping” and “technological brute force.” He said this year that the Ireland case was a good one to go to the mat over, because the records are stored in a friendly country, “not Iran,” and the U.S. investigation doesn’t involve national security.
The circumstances are different from those in the Charlie Hebdo instance, when France used its law enforcement treaty with the U.S. to make its request through the FBI. The U.S. didn’t follow treaty protocols or contact Irish authorities before demanding the e-mails from the Dublin data center.
According to the U.S., working through treaties is slow and cumbersome and not required by law, and the lower courts agreed. Ireland is backing Microsoft in court; the company’s getting support from the left and right, from the American Civil Liberties Union to Fox News.
In the early days of computing, people kept programs on their machines at home or in the office. Now that so much data’s in the cloud, on third-party systems that rent out storage and computing space, it can get complicated when a government makes a demand.
It could come from, say, Singapore for communications between Canada and Germany that are warehoused in Australia. “These are the most far-fetched law school hypotheticals you could ever come up with — except they are coming true,” said Nuala O’Connor, chief executive officer of the Center for Democracy & Technology.
Microsoft was confronted with one in January when, Smith said, police burst past the gates of the Sao Paulo apartment of a top executive and ordered he appear in court because the company hadn’t given up records of a Brazilian’s Skype calls. While failing to do so violates Brazilian law, if Microsoft did forfeit them it would be breaching U.S. wiretapping bans. The executive faces misdemeanor criminal charges in Brazil; Microsoft could be accused of a felony in the U.S. “It meets the legal definition of a mess,” Smith said.
A 22-year Microsoft veteran, Smith has been pushing back against government requests since he became general counsel in 2002. That year, the U.S. National Security Agency asked telephone and Internet companies to voluntarily give the agency access to bulk communications content, an appeal outlined in a document Snowden leaked.
It notes that one, Company F, declined. That, Smith revealed later, was Microsoft. He and then-Chief Executive Officer Steve Ballmer thought hard about it, knowing their decision would “need to stand the test of time,” he said in a speech to the Brookings Institution.
Smith, who led Microsoft’s support for gay marriage in Washington state, is an uncommon general counsel in the industry, one more widely involved in political and social issues that “other companies are hoping they can avoid,” said Anne Marie Slaughter, CEO of the New American Foundation, who got to know Smith when they were students at Princeton University’s Woodrow Wilson School of Public and International Affairs, in a group of friends that included U.S. Supreme Court Justice Elena Kagan and former New York Attorney General Eliot Spitzer.
The U.S. and other countries should work on a legal framework for cross-border data-access protocols, Smith said. In Brazil, Microsoft is caught in a “firing line between two sets of laws,” just one of “what will be many instances like this if governments don’t come together to put their laws on a similar path.”
Think of what would happen, he said, if China demanded the e-mails of a U.S. citizen kept in the data-storage center that Chinese Internet giant Alibaba Group Holding Ltd. is opening in Santa Clara, California. “Do we want American privacy rights to be subject to foreign laws rather than our own?” he said. “If the answer is no, we better decide we’re not going to try to impose our law on other people.”
© Copyright 2022 Bloomberg News. All rights reserved.