When Apple CEO Tim Cook refused to help the FBI get into a mass murderer’s iPhone last winter, he was hailed for his boldness in fighting the government on a matter of principle. In fact, Cook was borrowing from the playbook of a top executive at Apple’s dowdier rival Microsoft—a genial, sandy-haired man named Brad Smith.
Smith has taken the government to court four times in the past three years, each time accusing it of breaching the Constitution in its efforts to get its hands on Microsoft customers’ data. He believes computers and the Internet have weakened vital checks on government surveillance that have typically helped to assure personal privacy. Now Smith, Microsoft’s president and chief legal officer, says he is waging a legal war on the government in an attempt to restore those checks. “We shouldn’t depart from the historic balance,” Smith says, speaking in his bland corner office on Microsoft’s quiet campus in Redmond, Washington.
Smith’s cases affect anyone who stores data in the cloud, from large corporations to the millions of individuals using Skype and Web mail. The smartphones, browsers, and dating apps we have so enthusiastically embraced generate piles of data that can be reviewed by investigators. But restraints on the investigators’ power were mostly devised in a world where data was stored on paper. The Fourth Amendment and the laws and court rulings built around it force cops to get a warrant from a judge if they want to tap your phone, read your postal mail, or inspect papers in your home, for example. But while the police need a warrant to search your smartphone, they don’t need one to see many digital traces about your life, such as logs of your past movements from a cellular network. Unless the Supreme Court or Congress decide otherwise, our cloud data doesn’t have the same protections given to physical papers.
Smith says that as Microsoft and other tech companies stand up to the government in court, they can help restore the limits on surveillance powers that their own products have (unintentionally) weakened. Just this summer a federal appeals court ruled in Microsoft’s favor, rejecting the Department of Justice’s claim that U.S. warrants served on the company could now be used to pull in data held in other countries. “We are in a new age of technology that requires a new understanding of our fundamental rights,” says Smith.
Challenging the government over the scope of search warrants may seem like administrative arcana next to causes that get crowds of protesters onto the streets. But there is a connection between Microsoft’s court cases and other civil rights battles, says Neil Richards, a law professor at Washington University. Protest movements can’t form, he says, unless people with unconventional ideas can communicate and organize without the government looking over their shoulder. “It’s only because of freedom of speech and protection from surveillance that we have desegregation, or marriage equality, or the trans bathroom fight in the upper South,” he says. “We need the breathing space to [protest] in an age of digital surveillance.”
Google, Twitter, and other tech companies have also challenged the government over surveillance in recent years, but Smith stands out. Technology executives at his level aren’t usually so visible and active on issues of privacy and security, says Ashkan Soltani, a privacy researcher who was until this year chief technologist at the Federal Trade Commission. When Tim Cook fought the FBI, Smith gave fiery speeches in his support while the leaders of Google and Facebook cautiously backed Apple in clipped, anodyne statements.
Yet while he believes Microsoft is working to bring about a historic change in the history of American civil rights, Smith, who holds hundreds of thousands of Microsoft shares, also has financial and fiduciary motivations. Microsoft is betting the company on its cloud computing services. To win and keep customers, particularly among companies overseas, it must be seen as a safe, trustworthy custodian of their data.
As private, civic, and professional life come to rely more on the Internet, the ways that Microsoft and other tech companies translate their mixed motivations into court cases, PR campaigns, and lobbying efforts will shape the future of self-expression, political dissent, and social progress.
Smith, 57, has been fighting the government for much of his career as a lawyer at Microsoft, which he joined in 1993. When he rose to general counsel in 2002, one of his first tasks was to settle antitrust charges with the Department of Justice and state attorneys general who had sought to break up the company. The same year he had to negotiate with European and U.S. authorities who accused Microsoft of breaking privacy rules. Later Smith spent several years wrestling EU antitrust charges that led to the company being fined more than $2 billion.
In June 2013, Smith began to feel the urge to challenge the U.S. government on a different front. “When Edward Snowden took four laptops and got on a plane, the world started to change,” he says. “We started to learn things we didn’t know and ask questions we were not asking.”
Smith has memorized the exact date—October 30, 2013—that the Washington Post published what he considers the worst of the secrets revealed by the onetime National Security Agency IT contractor. It described a U.S.-U.K. project called Muscular, which harvested data from the private networks of Google and Yahoo without the companies’ knowledge. “It perhaps more than anything else caused a whole industry to step back and ask, ‘Hey what’s going on here?’” says Smith. “It caused us to get more engaged in the public discussion and to take steps to build a stronger foundation for the future so the world can trust these computing devices and services.”
Trust was a problem for Microsoft and other large Internet companies after the Snowden leaks. Smith says existing and potential customers outside the United States expressed concern that using Microsoft services would open up their data to indiscriminate access by American intelligence agencies. Microsoft and other companies named in the leaks protested that they did not let the government directly access its systems; that they handed over data only in response to legitimate requests. In an angry letter to Attorney General Eric Holder, Smith warned that the Constitution was “suffering” because government lawyers wouldn’t let Microsoft publicly explain the protocols followed for data requests in the name of national security. The company also joined Google in a legal action (later joined by Facebook and Yahoo as well) that won them the right to report approximately how many requests they have received from the secret Foreign Intelligence Surveillance Court, which signs off on NSA activity inside the U.S.
Then, in December 2013, Smith took matters even further than other tech companies were willing to venture. Microsoft refused to comply with a warrant from a New York magistrate judge demanding e-mails and other data related to a narcotics investigation.
The e-mails of the person in question turned out to be stored in a Microsoft data center in Ireland; Microsoft’s lawyers argued that the 1986 Electronic Communications Privacy Act restricts warrants to U.S. territory. A judge ruled against Microsoft in May 2014, saying that the warrant was valid because it had been served on Microsoft in the U.S. The company appealed and lost, but on a second appeal the federal Second Circuit ruled in Microsoft’s favor this July. The government has not said whether it will take the case to the Supreme Court.
Jennifer Daskal, an associate professor of law at American University’s Washington College of Law and author of a Yale Law Review paper on the case, says it shows how the nature of digital information confounds long-standing legal traditions that we rely on to protect our rights. “In the context of search and seizure of digital communications, I don’t think the Fourth Amendment is providing sufficient protection in the way that it was intended,” she says. “It’s a big problem."
In a separate case that Smith launched this April, he alleges that the government violates the Fourth and First Amendments by routinely obtaining gag orders that prohibit companies from telling customers about requests for data. In the 18 months prior to filing that suit, Microsoft received 2,576 demands for data that came with gag orders, 70 percent of which had no expiration date. Gag orders are generally allowed by the 1986 Electronic Communications Privacy Act when necessary for reasons of safety or to protect an investigation. But Smith says they are plainly being used in other circumstances—to prevent Microsoft from speaking, he argues, and to keep its customers from knowing they are under investigation. “We are talking about rights that are already enshrined in the Constitution,” he says. Amazon, Google, Apple, and Fox News have since joined the case.
A legal theory that is even older, known as the third-party doctrine, means that certain digital information about our lives can be collected from companies without a warrant at all. In 1979 the Supreme Court determined that cops didn’t need a judge’s approval to record the numbers dialed from any particular phone line. Since every phone bill you received already revealed that the phone companies knew this information, the Court reasoned, it shouldn’t be considered private. Today lower courts have extrapolated that reasoning to dozens of companies that now hold data about our private lives, allowing information such as cell-phone location logs to be accessed by authorities without a warrant.
But today’s Internet and the 1979 phone network are so different that the doctrine is essentially unworkable, says Steven Bellovin, a professor at Columbia University. Law enforcement is collecting data well beyond even the third-party rule’s generous limits, he says, speaking independently of his position on the Privacy and Civil Liberties Oversight Board that serves as a check on federal counterterrorism activities. “I think that the pendulum has swung in many ways to give law enforcement a tremendous amount of power,” he says. Richards, of Washington University, notes that the Supreme Court has hinted that it wants to look closely at this question.
Smith says he can swing the pendulum back using lawsuits to set new precedents, alongside less-visible efforts to push the White House and Congress to update the rules and legislation governing data access. (The company spent $8.5 million lobbying in D.C. last year.)
Critics say Microsoft is more concerned about protecting its public image than protecting the public. The American Civil Liberties Union filed briefs in support of Microsoft’s cases on the data held in Ireland and on gag orders. But Christopher Soghoian, a principal technologist with the organization, says the company does less than others to offer security features that could “deliver the kind of protections that the law doesn’t provide.”
Soghoian says that Skype doesn't guard all messages between users with end-to-end encryption that prevents Microsoft from being able to decode them, a feature Apple and WhatsApp have added to their equivalent services. And he notes that the data encryption built into Windows defaults to giving Microsoft a copy of the key needed to unlock the data, whereas the iPhone’s disk encryption makes it essentially impossible for Apple to know the key. (You can delete the backup held by Microsoft.) Smith counters that Microsoft has to balance encryption with ease of use. Backing up an encryption key reduces the chance a person will lock up personal or company data by forgetting the password, he says.
Smith also argues that having business reasons to sound off about civil rights and launch court cases is less problematic than some may think. But Microsoft’s Irish e-mail case shows that the results can be complicated.
The company’s victory certainly provides a valuable talking point next time an overseas Microsoft customer frets about U.S. law enforcement; Smith says corporate customers in Europe have followed the case closely since it began in 2014. But Jennifer Granick, director of civil liberties at the Stanford Center for Internet and Society, warns that the precedent set may not be good for privacy or the Internet. She says it may encourage other countries to pass laws requiring tech companies keep data within their borders as a way to lock out U.S. authorities. Data localization laws—Russia and Brazil already have them—are seen as enabling local spy agencies and disrupting the international competition that makes the Internet what it is.
Smith doesn’t much like data localization either, and he says the Ireland case is just a step on a longer journey. He says it helps make the argument that the U.S. should sign a wave of new international treaties that would give U.S. citizens’ data overseas some of the protections of U.S. law even when authorities in those countries seek to access it. In return, other countries would get reciprocal rights for their citizens’ data in the U.S. What would be the first such agreement is already being discussed by the U.S. and U.K.
Negotiating agreements with many different countries would take years. In the meantime, Microsoft’s victory in court stands as both legal precedent and an example of how one technology executive’s self-interested idealism could affect the basic rights of people around the world. Daskal, of American University, says we have to get used to the idea that our lives, and our freedom of expression, are so entangled with the products of giant tech companies. “As the holders of so much of the world’s private communications, they have enormous power in what they lobby for, the design of their systems, and when they choose to turn over data,” she says. “All the choices that these corporations make have enormous implications for our rights.”
Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.Subscribe today