Setting the record straight on Microsoft and subpoenas

This week I had the opportunity to present a session called “Cloud Best Practices” at the Alabama Digital Government Summit. I had a great time— it was fascinating to see how many different agencies in our state are putting advanced IT to work to save money and get more done for the taxpayer. However, there was one blemish on the experience that I wanted to polish away, so to speak.

Part of my talk concerned the fact that no matter where you live, your local government has lawful means to get your data: they can subpoena you, or your cloud provider, to get it. There’s nothing that you can do about it. It’s a feature, not a bug, of modern legal systems. I often talk about this in the context of people’s fears that the NSA, GCHQ, or whomever will snag their data, by lawful or unlawful means. Here’s the slide I put up:

I don’t think these are controversial assertions. However, at this point in my talk, Stuart McKee (chief technical officer for state and local government at Microsoft) flatly asserted that Microsoft does not comply with government subpoenas for customer data; I believe he used the word “never”. He went on to say that Microsoft has a pattern of resisting subpoena requests and that this “has gotten [them] into some trouble.” He concluded by saying that Microsoft’s standard action is to tell governments that they must subpoena the data owner, not the service provider.

I believe these assertions to be largely untrue, and certainly misleading. (I’ll leave aside the insulting manner in which Stuart asserted that I was wrong— after all, I am certainly wrong sometimes and generally appreciate when people point it out.) I want to set the record straight to the extent that I can.

First, Microsoft absolutely does comply with lawful subpoenas for customer data. This page at Microsoft’s web site summarizes their responses to lawful legal demands for customer information (both information about customers and information belonging to customers) across a broad variety of jurisdictions, from Argentina to Venezuela. To assert otherwise is ludicrous.

Second, Microsoft has a pattern of complying with these lawful subpoenas, not refusing them. When Stuart said that Microsoft is “in trouble” for refusing a subpoena, I suspect that he’s referring to Microsoft vs United States, where the issue at hand is that Microsoft was served a search warrant for data stored in a Microsoft data center hosted in Ireland. The data are stored there because the customer is located outside the US. Microsoft moved to have the warrant vacated, and when that failed, asked the cognizant district court to vacate it. The district court upheld the original warrant; Microsoft refused to comply and was held in contempt. Now this particular case is working its way through the US federal court system.

Let me be clear: I applaud Microsoft for standing up and resisting the overreach in the original warrant— there doesn’t seem to be (at least not to my layman’s understanding) a right of the US government, at any level, to subpoena data belonging to a non-US person or organization if it’s stored outside the US, even if it’s held in a cloud service operated by a US person or organization. The brief Microsoft filed likens this to a German court ordering seizure of letters stored in a safe deposit box in a US branch of a German bank. Having said all that, claiming that this kind of resistance is routine is overblown. It isn’t. If Microsoft were refusing subpoenas left and right, the numbers I mentioned above would look very much different.

Third, Microsoft’s policy is indeed to try to redirect access requests whenever possible. The Office 365 privacy page has this to say:

We will not disclose Customer Data to a third party (including law enforcement, other government entity, or civil litigant; excluding our subcontractors) except as you direct or unless required by law. Should a third party contact Microsoft with a request for Customer Data, we will attempt to redirect the third party to request the data directly from you. As part of that process, we may provide your contact information to the third party. If compelled to disclose Customer Data to a third party, we will use commercially reasonable efforts to notify you in advance of a disclosure unless legally prohibited.

In other words, Microsoft will try to redirect subpoenas from themselves to the data owner, where they are allowed by law to do so, and if they can’t, they will notify you, if allowed by law to do so. This is the only one of Stuart’s claims that I think is inarguable.

Finally, Microsoft proactively cooperates with law enforcement. The Microsoft Digital Crimes Unit newsroom contains press releases touting Microsoft’s cooperation with law enforcement agencies around the world (here’s just one example). This cooperation and disclosure extends to Microsoft proactively notifying law enforcement agencies when their PhotoDNA service identifies child porn images in customer’s private OneDrive data. I support their right to do this (it’s covered very clearly in the terms of service for Microsoft cloud services), and I believe it’s the right thing to do— but to claim that Microsoft never discloses customer data to law enforcement agencies while they are voluntarily doing so is both untrue and misleading.

Everyone’s interests are best served when everyone understands the specifics of the legal interaction between local and national governments and cloud service providers in various jurisdictions. This is a really new area of law in many respects, so it’s understandable that some things may not be clear, or even defined yet, but I wanted to correct what I view as dangerously misleading misinformation in this specific instance.

The bottom line: no matter what cloud service you choose, be sure you understand the policies that your cloud provider uses to determine the conditions under which they’ll cough up your data.