Ever since former National Security Agency contractor Edward Snowden began leaking documents about U.S. government surveillance programs in 2013, U.S. high-tech companies have been feeling the heat from their customers.
The willingness of U.S. companies to comply with government demands for customer data prior to Snowden’s disclosures caused customers, particularly in Europe, to rethink their relationships with those companies.
U.S. cloud providers, in particular, experienced a backlash from European customers, prompting an initial drop off in European business for these firms.
In response, U.S. cloud providers began to issue regular “transparency reports” detailing government demands for their customer data as well as expanding their cloud infrastructure in Europe to keep European data outside the jurisdiction of the U.S. government.
According to recent stats by market research firm IDC, these steps have helped U.S. cloud vendors rebound from the “Snowden effect” by opening more data centers in Europe. In fact, cloud providers have upped their cloud infrastructure revenue by more than two times since 2013. Amazon, Microsoft, Google, and IBM have increased their combined Western European market share by one-third, reported CIO magazine.
Determined not to repeat the impact of the 2013 Snowden revelation on their European business, these same cloud providers are taking on the U.S. government over gag orders often issued along with customer information demands, preventing companies from informing customers about government snooping.
Microsoft files gag order lawsuit
Microsoft is leading the charge, having filed a lawsuit in April to stop the gag orders. The company said that it had received more 2,600 gag orders associated with customer data demands between September 2014 and March 2016.
In its suit, Microsoft argues that the Electronic Communications Privacy Act, which allows the U.S. government to issue a gag order “based solely on a ‘reason to believe’ that disclosure might hinder an investigation,” violates the U.S. Constitution. “Nothing in the statute requires that the ‘reason to believe’ be grounded in the facts of the particular investigation, and the statute contains no limit on the length of time such secrecy orders may be kept in place,” the lawsuit added.
Perhaps more important, Microsoft argues that the advent of cloud computing has provided the government an excuse to expand its power to conduct secret investigations and that the gag orders have an impact on its ability to provide cloud services to enterprises.
Amazon and Google agree, filing an amicus brief supporting Microsoft in its legal effort. “Microsoft’s lawsuit raises vitally important legal questions about the scope of the government’s power both to search the private information that internet users store in the cloud without notifying the target of the search,” the companies said in their brief, according to the New York Business Journal.
In another amicus brief supporting Microsoft, Apple and Mozilla, along with cloud-service providers Lithium Technologies and Twilio, argue that the gag orders “not only hampers users’ ability to assert their own rights but hinders [the companies’] ability to comply with contractual commitments, enterprise customer demands and compete with providers located outside the United States.”
The companies stressed that U.S. gag orders make it difficult for them to meet contractual requirements, particularly for European customers, as well as to comply with new data privacy requirements including in the recently negotiated U.S.-EU Privacy Shield, which governs transatlantic exchanges of personal data for commercial purposes.
The U.S. and EU negotiated the Privacy Shield because the European Court of Justice ruled last year that the existing Safe Harbor agreement did not provide adequate protections for European data, particularly in light of the scope of U.S. government surveillance disclosed by Snowden.
Gag orders and the Privacy Shield
The Privacy Shield, which imposes safeguards and transparency obligations on U.S. government access to personal data on countries in the European Union. “The U.S. has given the EU assurance that the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards, and oversight mechanisms,” the EU explained in a press release about the agreement. Apparently, that assurance did not include ending the widespread use of gag orders related to demands for customer data.
Among many other provisions, the shield requires companies to disclose when third parties access personal data, the purpose of the disclosure, and the identity of the third party.
Apple, Mozilla, Lithium, and Twilio argue that U.S. gag orders “disadvantage American companies that do business globally by impairing their ability to provide required disclosures in Europe.”
These gag orders “are frequently unlimited in practice because their endpoint is unclear, and the practice is so common that it is impractical to challenge each of the orders, as it would result in a high volume of litigated proceedings each year,” the companies noted.
Apple gags on number of gag orders
Apple, for example, said that it had received more than 590 gag orders associated with government demands for customer data this year alone.
Denelle Dixon-Thayer, Mozilla’s chief legal and business officer, argues in a recent blog post: “When requesting user data, these gag orders are sometimes issued without the government demonstrating why the gag order is necessary. Worse yet, the government often issues indefinite orders that prevent companies from notifying users even years later, long after everyone would agree the gag order is no longer needed.”
Dixon-Thayer noted that Mozilla has not received a U.S. government gag order. “Nonetheless, we believe it is wrong for the government to indefinitely delay a company from providing user notice.”
No doubt, the EU is closely following Microsoft’s legal case since excessive use of unlimited gag orders would appear to violate the U.S. government’s commitment to provide “clear limitations, safeguards, and oversight mechanisms” for access to European personal data and U.S. companies’ requirement to disclose third-party access to customer data.
The broad scope of the gag order criteria in the Electronic Communications Privacy Act, which was enacted in 1986, needs to be curtailed, both from a U.S. legal perspective as well as a U.S. commercial perspective. As we’ve seen throughout history, the government will expand its power whenever it can unless it is constrained by the law and courts.