image courtesy Perspecsys Photos/perspecsys.com
Suppose you are sitting at your kitchen table one day and you suddenly have a brilliant business idea.
Not wanting this eureka moment to slip from memory’s grasp, you email it to yourself, or save it as a note in your phone, or enter it in a Google Document or a service like Evernote. Whatever system you use, if you are like most people these days, your data will be stored or backed up on a cloud server someplace. About the only exception would be writing your idea on paper – and depending on the paper, even that may not be immune to cloud storage.
Weeks pass, then months. You plug away at refining and implementing your idea, but before you can bring it to market, somebody beats you to the punch. A bad break – maybe even a life-altering one, if your idea proves to be a major success for someone else.
With nothing to be done about it, you go back to your day job. Maybe you work in the legal department of a small company that becomes an acquisition target for an industry leader. Your boss emails you, telling you to open your files to the acquirer’s due diligence team. Almost as soon as you do as instructed, there is unusual trading in your company’s stock, driving the price higher and triggering rumors that the business is in play. The entire acquisition is jeopardized. You have nothing to do with the mysterious trades; in fact, you are just as perplexed and upset as everyone else. Although suspicious glances are cast your way up in the C-suite, you are never accused.
Unbeknownst to you, government investigators have obtained a secret order requiring your cloud hosting service to turn over all your information – and prohibiting the company that hosts your data from telling you that the order exists.
You may not have done anything wrong, or even especially suspicious. But because your spouse’s second cousin in Amsterdam, who likes to email you about European soccer leagues, has made a few trips to Turkey and Pakistan, the government believes there is reason to make sure you are not involved in anything nefarious. Government agents tend find judges pretty pliable about issuing orders in these circumstances, especially when they remark that it will be too bad if they only learn of your evil plots after the fact.
We did not have electronic communications when the Constitution was framed. Back then, if you were the target of a search warrant, you knew what was searched. Moreover, the warrant only authorized the government to take certain specified items. When wiretaps and bugs came along in the 20th century, law enforcement mainly used them to target mobsters talking about smuggling, extortion and murder – and the devices’ use did not involve mass seizures of extraneous data. The warrants authorizing those taps and bugs also had time limits. In the case of the bugs, nobody outside law enforcement usually even knew they existed, and thus there was no need to issue gag orders against third parties to keep their use discreet.
Today, however, the government wants to make data providers its agents in gathering intelligence and cloaking its activities. It attacks companies like Microsoft and Apple for having business motives for imposing encryption and resisting sweeping demands for data and secrecy – as though the business motive of protecting customers’ privacy is somehow suspect.
As for accountability after the fact, there is virtually none whatsoever. If someone hopes to find out exactly what information was received, who was granted access or how it was used, that person will have little chance of success, even if the investigation is over. Attempting to fight back against unauthorized use or disclosure of information would be even more of a struggle. If an investigator gets wind of a pending corporate deal and tells his brother-in-law to buy stock options, how will the Securities and Exchange Commission track down this case of insider trading? Neither the SEC nor the parties to the communication will know it has been intercepted, and the party who intercepted it on investigators’ behalf will be legally prohibited from talking about it.
In the latest private sector attempt to push back against such overreach, Microsoft is suing the Justice Department. The lawsuit is the most recent step in Microsoft’s ongoing feud with the government over customer privacy. According to the company, not only is the government rifling through customer files stored in the cloud, but agencies are enforcing secrecy orders with no end date. This means that even after an investigation is closed, Microsoft is prohibited from alerting its customers that the government has had access to their files.
Microsoft has pushed back against government data collection since Edward Snowden’s disclosures several years ago. In addition to taking to the courts, the company has said it intends to work with congressional lawmakers to develop legislation that reflects the modern state of cloud computing. In 2014, Microsoft challenged a gag order from the FBI, but the FBI obtained the information “through lawful means from a third party, the Customer, instead,” according to court documents.
This “if you can’t go through, go around” mentality was echoed in Justice’s recent decision to back off its legal dispute with Apple in New York. After someone – according to people familiar with the case, the suspect himself – provided investigators with the passcode to unlock the iPhone at issue, authorities dropped their efforts to force Apple to help them break into the device. This decision follows prosecutors dropping similar efforts in March to force Apple to break into the phone of one the shooters in the San Bernardino killings.
So much for the argument that forcing tech companies to help spy on their customers is an essential component of pursuing justice, let alone vital to national security.
Under our current rules, courts can issue a gag order whenever judges have reason to believe that notification could jeopardize an investigation. This bar is incredibly low, as evidenced by the thousands of orders Microsoft alone has faced. But the Justice Department has argued that if targets know they are being investigated, they might tamper with evidence or flee. And law enforcement officials too often seem incredulous that companies who are in the business of convincing users to trust them with sensitive personal information have a vested interest in their customers’ privacy.
Terry Cunningham, president of the International Association of Chiefs of Police, told The Wall Street Journal, “it became a business decision to be less friendly to law enforcement.” This decision is, of course, unrelated to revelations about government agencies’ overreach or increasingly strident demands that privacy always take a back seat to law enforcement concerns in every possible scenario.
Law enforcement officials who cannot understand why anyone would object to their efforts to thwart terrorism and fight crime ought to read a little history. They could start with the Stasi or the FBI’s files under J. Edgar Hoover. Or they could start with the British abuses in the 18th century that led the framers to enact the Fourth Amendment in the first place.
Or they can start – and I will end – with the text of the Fourth Amendment itself: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
An open-ended, indefinitely secret search of our cloud-stored files – our 21st century “papers and effects” – is not reasonable, and investigators who either don’t know or falsely claim to know exactly what they expect to find have no constitutional basis to demand anything.