When French authorities investigating the Charlie Hebdo massacre in Paris traced the e-mail addresses of two suspects to accounts on Microsoft servers, the company was asked to hand over the contents immediately. In less than an hour, it complied. No laws or international treaties required Microsoft to respond so quickly. The decision, taken while the suspected attackers were still at large, was a judgment call—one that Brad Smith, Microsoft general counsel, says the company shouldn’t have been left to make on its own. “If those in government want to shift the line between safety and privacy, the appropriate path is to do so by changing the law rather than asking those of us in the private sector to shift this balance by ourselves,” he said on Jan. 20 at a conference on data security in Brussels.
Edward Snowden’s 2013 revelations about U.S. government surveillance sparked a debate about privacy in the U.S., but Congress has yet to respond. A bipartisan bill that would update procedures for cross-border digital searches—a process governed by decades-old privacy laws and treaties that the companies consider inadequate—failed to make it out of the Senate Judiciary Committee last fall.
Another bill that would have restricted the National Security Agency’s bulk collection of Americans’ metadata died on the Senate floor in November. That legislation, known as the USA Freedom Act, also proposed revamping the Foreign Intelligence Surveillance Court, the panel of judges that reviews government requests for electronic surveillance warrants. “Congress hasn’t shown an interest in trying to figure this out,” says Marc Zwillinger, a lawyer in Washington who’s represented Apple and Yahoo!, among others, in their responses to government requests for data. “The providers are stuck in the middle.”
Several court cases involving government surveillance and the private sector are pending. Twitter filed a federal suit last fall arguing that its First Amendment rights were blocked because it wasn’t allowed to reveal the exact number of orders it gets from the government to hand over customer information. In December, Microsoft filed a suit arguing that U.S. federal courts don’t have the authority to issue warrants for electronic property stored outside the country. The U.S. had sought to seize user data stored by Microsoft in Ireland.
Some of the attorneys representing companies on data privacy issues previously worked at the U.S. Department of Justice. These lawyers, including Zwillinger and Richard Salgado, the head of Google’s law enforcement and national security division, “are intimately familiar with the challenges that law enforcement faces,” says Kevin Bankston, policy director of the New America Foundation’s Open Technology Institute, a liberal think tank in Washington. “And with all that knowledge—or despite it—they are putting a stick in the ground and saying, ‘Here, and no further.’ ”
Zwillinger last year filed motions with the Foreign Intelligence Surveillance Court on behalf of Yahoo to declassify court documents in a 2008 case in which he unsuccessfully challenged a government order for user data. The court records, which the government made public last fall, shed light on some of the tactics federal authorities have used to compel disclosures. In Yahoo’s case, authorities threatened to levy a daily fine of $250,000, with the amount set to double each week the company resisted turning over the information. That meant Yahoo would have faced penalties of about $25 million during the first month and about $400 million in the second. By the end of the third month, those fines would have totaled more than $7 billion—Yahoo’s annual revenue at the time. The company turned over the information.
A provision in the USA Patriot Act that deals with records seizures during terrorist investigations is scheduled to expire this summer. Privacy advocates hope the deadline will revive congressional efforts to rewrite the country’s surveillance laws. Either way, the challenges from the private sector are likely to continue. In recent months, several companies, including Apple, Google, and WhatsApp, have implemented advances in encryption technology that make it virtually impossible for investigators to collect user data from a company, even with a warrant. FBI Director James Comey and British Prime Minister David Cameron have accused the tech industry of endangering public security in favor of privacy.
The bottom line: Some U.S. tech companies have challenged laws governing data requests by intelligence agencies and investigators.
This story was originally published in Businessweek.