Apple's legal battle over encryption dominated headlines earlier this year, but another tech giant is fighting a quieter legal war over user privacy: Microsoft. It won a major victory last week, when the U.S. Court of Appeals for the 2nd Circuit sided with the company, ruling that a U.S. warrant could not be used to force Microsoft to turn over email data stored in an Irish data center. The decision, which the Justice Department is considering appealing to the Supreme Court, could have major implications for tech companies who routinely move data around the world so it can be backed up or quickly accessed by users.
The Washington Post talked with Microsoft president and chief legal officer Brad Smith about the case and the company's other privacy efforts. This interview has been edited for length and clarity.
Andrea Peterson: Tell me about the case and what it means for the average user?
Brad Smith: The case started when Microsoft received a search warrant three years ago and we found that the email the warrant was seeking what was stored on our server computers at our data center in Ireland. We store email in a data center that is close to our customers.
We contested the search warrant because we believe that U.S. search warrants don't reach beyond U.S. territory -- that's the traditional legal rule for search warrants, and that's what the 2nd Circuit Court of Appeals concluded.
It matters greatly to customers who don't live in the United States. One of the things that we've found as a company is that our customers not only care about their privacy rights, but they also want their privacy rights to be protected by their own privacy laws. That won't happen if a foreign government unilaterally can reach across a border and simply obtain email and demand that it be brought back.
A.P.: Can we talk more about the other lawsuits that Microsoft has brought against the government on privacy issues?
B.S.: The first was in 2013, when Microsoft brought a lawsuit -- as did Google -- arguing we had a right under the First Amendment to publish more information about how many U.S. national security letters and orders we were receiving and how many user accounts were affected. President Obama gave a speech at the Justice Department in 2014 that really put the country on the path to some important surveillance reforms. One of those reforms led to the settlement of our case and paved the way for us across our industry to publish transparency reports.
The second case we brought came to the surface in 2014 when we received a subpoena from the FBI seeking emails from an enterprise customer. We took the position that the FBI ought to serve the subpoena not on Microsoft, but on the customer. Ultimately, the FBI withdrew that subpoena, which we found encouraging.
The third case we filed just a couple of months ago. We looked at all the U.S. search warrants we received over the previous 18 months and found 2,000 warrants that imposed gag orders with no time limit. We concluded that these violate both Microsoft's First Amendment rights and customers' Fourth Amendment rights.
A.P.: If the Irish case is not appealed, what will it mean for competitors that don't do as much data localization, i.e. bounce data around the world, as Microsoft does?
B.S.: We're not fans of data localization -- the last thing the world needs is 193 members of the United Nations demanding that data only be stored within their own borders. This is really a set of issues where the tech sector tends to be pretty united.
What we really therefore need is new regulation. We think there is a good bipartisan bill now pending in both houses of Congress called the International Communications Privacy Act or ICPA.
A.P.: But ICPA includes exceptions where U.S. warrants could apply internationally, such as if the nationality of a person is unknown or the person is a U.S. citizen. Do you think that runs counter to your recent court victory?
B.S.: I don't think it necessarily runs counter to the court victory. I think the court made clear that search warrants today, under existing law, do not reach outside the United States. But Judge Lynch, in his concurring opinion, mentioned his view that there might be better ways to fashion laws in the future, including by focusing on someone's nationality. That's what ICPA does.
There are treaties that exist today designed to help governments work quickly across borders to obtain evidence for criminal investigations. But I think most people have concluded these treaties need to be modernized. A good way to think about where the law should go, I believe, is to focus on someone's nationality and their rights under their own laws.
A.P.: How do you think reforms should handle when countries have different legal standards to obtain warrants -- for instance, not requiring probable cause?
B.S:. We need to ensure a minimum level of appropriate privacy protection among countries that share similar values. I think it makes sense to develop new treaties on a bilateral basis between like-minded governments.
People in the United States are very focused on the probable cause requirement. But we also need to listen to people in the United Kingdom and across Europe. I don't know that it's constructive for any one country to think they have the single answer that should apply to all people without regard for their own values and cultural traditions.