On April 14, 2016, Microsoft sued the United States Department of Justice to challenge the search and seizure provisions of the 30-year old ECPA, because its customers “have a right to know when the government obtains a warrant to read their emails, and because Microsoft has a right to tell them.”  (Microsoft v. DOJ, No. 2:16-cv-00538-JLR, Complaint (W.D. Wash. Apr. 14, 2016).)

On September 2, several prominent tech companies, including Apple, Amazon, and Google, filed amici briefs that echo and reinforce Microsoft’s position.  (Accessible here and here).

Microsoft’s suit challenges the constitutionality of the antiquated Electronic Communications Privacy Act (ECPA).  Specifically, Microsoft argues that Section 2705(b) of the ECPA violates the Fourth Amendment right of its customers to be notified that the government searches or seizes their property, and it violates the company’s First Amendment right to freely speak to its customers.

Microsoft’s suit, unlike Apple’s public fight with the FBI over access to a password-protected iPhone, does not center on just one dispute.

Rather, every year, the government conducts thousands of investigations into the contents of communications stored in the cloud,  using  the ECPA as authority.  At the same time, the government places Microsoft and other service providers under “gag orders” that prohibit disclosure to the affected customers.

The government argues that Section 2705(b) of the ECPA permits these secrecy orders for a variety of enumerated reasons, including the catchall of a court determining that notification of the existence of the warrant, subpoena, or court order will result in “seriously jeopardizing an investigation or unduly delaying a trial.”

According to Microsoft’s Complaint, over the previous 18 months, federal courts have issued almost 2,600 secrecy orders prohibiting Microsoft from speaking about warrants seeking Microsoft customer’s data, with 1,752 of these warrants containing no fixed end date.

Microsoft claims that the increase in government demands for online data and the simultaneous increase in secrecy have undermined confidence in the privacy of the cloud.  These developments affect not only Microsoft’s individual customers, but also its business customers, when the government secretly searches and seizes emails of individual employees of those customers.

The Amazon, et al., amici brief makes a point that tech companies have no desire to “shield criminals” or impede governmental investigations.  In fact, many of these companies have dedicated teams working around the clock to respond to law enforcement requests for data. The companies acknowledge that their customers’ right to be informed may be limited as necessary to protect compelling state interests, but argue that the ECPA goes far beyond any necessary limits and infringes on the fundamental rights of amici and their customers.

Amazon’s brief points out that in just the last six months of 2015, their industry has collectively responded to “tens of thousands” of U.S. government data requests in criminal investigations, and that thousands of these requests come with no definite end date.  In particular:

  • In 2016, Dropbox has received over 200 gag orders of indefinite duration; and more than three-quarters of the subpoenas and search warrants received by Evernote were accompanied by indefinite gag orders.
  • In the first seven months of 2016, Yahoo has received over 700 federal search warrants for user data, and well over half – about 60% – were accompanied by gag orders of indefinite duration.
  • Between April and June of this year, nearly three-quarters (58 of 79) of all gag orders received by Snapchat had no definite end.

The Apple, et al., amici brief provided a similar statistic:

  • In 2016, Apple has received approximately 590 unlimited or indefinite duration gag orders.

Microsoft and amici companies all make the same basic argument – if law enforcement wants to ransack someone’s home, it would need to obtain a traditional “probable cause” warrant; but the ECPA does not provide the same level of due process protection to the data that their customers have in “the cloud.”

Instead, ECPA warrants are allowed under the “third-party doctrine,” which holds that a person cannot assert a Fourth Amendment protection for information knowingly provided to a third party, such as a communications services provider.

The ultimate question raised by the case is whether the court should uphold the traditional “third party doctrine” – fashioned long before “cloud” computing, or will the court analogize cloud computing storage to stashing information in a user’s private desk drawer – requiring a public search and seizure warrant.

When issued, the court’s decision will add to the judicial interpretation of the ECPA, including the extraterritoriality limits imposed on the law by the Second Circuit, in the case of In the Matter of Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, No. 14-2985, 2006 WL 3770056  (July 14, 2016).

It is becoming increasingly clear, however, that the ever-widening gap between the ECPA and the evolving reality will require more than judicial guidance to solve.  Rather, significant amendments to this and other legislation affecting cloud matters are needed.  We will continue monitoring and reporting on the developments in this case.