Earlier this year, Microsoft ended its five-year overseas data privacy case as the government passed new legislation. The company praised the CLOUD Act as a good compromise but failed to address a number of loopholes in the law.
The legislation lets the US use internal warrants for overseas data, but lets companies flag them if such a request breaks that country’s laws. As such, users’ privacy depends partially on international data sharing agreements.
In some cases, governments could gain customer data with no warrant or judicial review. Under the CLOUD Act, UK investigators could request the messages of their citizens by going directly to a US company. They wouldn’t need probable cause, and information about U.S. citizens could be revealed in the process, which they could then share with U.S. law enforcement.
As a result, Microsoft announced a new set of advocacy principles to shape the way agreements are formed. Among other things, it’s pushing for a universal right to notice.
“Absent narrow circumstances, users have a right to know when the government accesses their data, and cloud providers must have a right to tell them,” said Brad Smith, Microsoft president and chief legal officer.
Transparency, Judicial Review, and Enterprise Rules
On top of this, Microsoft wants to address the loophole with judicial review. Smith says law enforcement requests should be reviewed by an independent body with a “minimum legal and factual showing”.
The company also wants grounds to challenge law enforcement requests. Importantly, it says this should be a clear and detailed process. Alongside this, it believes the public has a right to know how and when governments request digital evidence.
When international agreements are made, Microsoft says they “must avoid conflicts of law with third countries and include mechanisms to resolve conflicts in case they do arise.”
Finally, it says law enforcement should not be able to go over enterprises’ heads to access data. Requests should go directly to the enterprise rather than Microsoft. This should increase efficiency and reduce the burden on cloud providers.
With its new stance, Microsoft has gone from being criticized by the EFF to lauded. The EFF calls the principles “the clearest set of instructions by a company to oppose the many privacy invasions possible under the CLOUD Act”.
This makes the company one of the first to oppose the CLOUD Act as it stands, joining Dropbox, which made a similar commitment earlier in the year. Some of these aspects are out of Microsoft’s control, but it certainly has enough power to influence agreements.