Microsoft's lawsuit, and retail's data-disclosure secrecy problem

Microsoft doesn't want government seizures of its data, done in secrecy, to jeopardize the trust its customers must hold toward it. Retailers have the same problem.


When Microsoft on Thursday (April 14) sued the U.S. Justice Department demanding more openness about data seizures, it made the case that its customers have the right to know when their data in the cloud is being examined. Retail IT execs need to watch this case very closely, since the massive data stores of merchants are a popular place for law enforcement to snoop. Just like Microsoft, retailers have much to fear from their customers seeing them as government agents.

For the government, finding out about every inquiry or purchase that was made by a consumer with a wide range of retailers is an effective way to establish intent.

Microsoft's argument is simple: The government can have the data, but insisting that Microsoft keep the request from its customers — potentially forever — is unnecessary and contrary to the U.S. Constitution.

"Microsoft brings this case because its customers have a right to know when the government obtains a warrant to read their emails and because Microsoft has a right to tell them," Microsoft says in the lawsuit. "Yet the Electronic Communications Privacy Act ('ECPA') allows courts to order Microsoft to keep its customers in the dark when the government seeks their email content or other private information, based solely on a 'reason to believe' that disclosure might hinder an investigation. Nothing in the statute requires that the 'reason to believe' be grounded in the facts of the particular investigation and the statute contains no limit on the length of time such secrecy orders may be kept in place."

In other words, Microsoft is arguing that government agents are using the "hinder an investigation" line as an excuse and that there is no meaningful limit. Investigators must use that excuse sparingly so that it doesn't lose its meaning. We have already seen this happen in retail with breach disclosure. Almost all state breach-disclosure rules offer an exemption if law enforcement thinks disclosure may possibly at some point impede their investigation. What investigator wouldn't say yes to that?

Microsoft concedes that there might be some cases where secrecy is needed, but argues that such secrecy needs sharp limits, both in its use and in the length of time the secret must be maintained.

"There may be exceptional circumstances when the government’s interest in investigating criminal conduct justifies an order temporarily barring a provider from notifying a customer that the government has obtained the customer’s private communications and data. But Section 2705(b) sweeps too broadly," Microsoft says in its filing. "That antiquated law (passed decades before cloud computing existed) allows courts to impose prior restraints on speech about government conduct — the very core of expressive activity the First Amendment is intended to protect — even if other approaches could achieve the government’s objectives without burdening the right to speak freely."

Here's what this is really all about, and it's a critical retail issue: privacy. The U.S. Constitution makes no direct reference to privacy, which is why Microsoft is having to dance around its real point. (OK, its real point is that it wants to make more money from cloud services. I meant its pretend real point.) It wants the courts to recognize an implied privacy element to the Constitution. It wants the courts to place severe hurdles that law enforcement must clear before it uses subpoenas to access any private information on any resident it wants to investigate.

The point of disclosure is not a free speech issue per se for Microsoft. The point is that if consumers and businesses know that such data has been accessed — or, even better, that such access has been requested — then they have the ability to go to court and object. Today, there are, as a practical matter, no such hurdles. That has led to petabytes of data being examined with unlimited secrecy requirements.

For Microsoft, and many retailers, keeping silent about data exposures threatens to obliterate the trust that must exist between company and customer.

This article is published as part of the IDG Contributor Network.
