The Justice Department has issued new guidelines aimed at providing more transparency around prosecutors' secret demands for customer data stored on tech firms' servers.
The binding guidance, approved last week by Deputy Attorney General Rod J. Rosenstein, ends the routine imposition of gag orders barring companies from telling customers that their email or other records have been turned over in response to legal demands.
It also bans — in most cases — indefinite gag orders that forbid a company from ever telling users that their data has been searched.
The move comes 1 ½ years after Microsoft sued the department, asking a federal judge in Seattle to strike down portions of a major privacy law that govern the secrecy orders. The tech giant argued that the Electronic Communications Privacy Act violated customers' Fourth Amendment right that a search be reasonable because it did not require the government to notify them when their records were obtained. The company also argued that the law's gag-order provision violated the company's First Amendment right to talk to its customers.
The new guidance requires prosecutors to tailor their applications for secrecy orders to ensure that they are necessary, and to explain why. For instance, a prosecutor might fear that targets will destroy data if they learn of the probe. Or a target might try to flee. The assessment must be "individualized and meaningful."
And now there is a time limit: "Barring exceptional circumstances," a gag order may be sought for "one year or less."
The change is a recognition that privacy laws passed in the 1980s have not kept up with the advent of cloud computing in which people, at the press of a button, create and store data in servers that they do not control.
"This update further ensures that the department can protect the rights of citizens we serve, while allowing companies to maintain relationships with their customers by notifying those suspected of crimes, or believed to have information relevant to a crime, in a timely manner that information was obtained relating to their user accounts," Justice Department spokeswoman Lauren Ehrsam said Monday in a statement.
"This is an important step for both privacy and free expression," Microsoft's president and chief legal officer, Brad Smith, said Monday in a blog post. "It is an unequivocal win for our customers, and we're pleased the DOJ has taken these steps to protect the constitutional rights of all Americans."
As a result, Microsoft announced that it plans to drop its lawsuit. But it wants Congress to pass legislation to put a 90-day limit on nondisclosure orders unless the government asks for them to be renewed.
When Microsoft filed its case in April 2016, it noted that in the previous 18 months, it had received 5,600 federal demands for data and that almost 2,600 were accompanied by obligations of secrecy. Further, more than two-thirds of those — about 1,750 orders — had no fixed end date.
"In short, we were prevented from ever telling a large number of customers that the government had sought to access their data," Smith said.
The policy does not apply to orders under the Foreign Intelligence Surveillance Act or to "national security letters," a type of administrative subpoena used in national security cases.
Chris Calabrese, vice president of policy at the Center for Democracy and Technology, a privacy organization, applauded the move. But, he said, "it is no substitute for statutory reform."
The move matters for Americans whose data is secretly obtained in criminal probes that never lead to prosecution but who never find out because of indefinite gag orders. This has become much more of a problem as people store their emails and other sensitive data in the cloud. "They're not expecting that it's an all-you-can-eat buffet for the government," said John McKay, a former U.S. attorney in Seattle who is now a partner at Davis Wright Tremaine.