The conflict between snooping governments seeking to defeat encryption and users demanding ever more robust privacy tools has turned into an arms race -- and it's time for arms control talks, Microsoft's general counsel said on Tuesday.
Resolving that conflict requires a new consensus on how to balance public safety and personal privacy, Brad Smith said in a forum at Harvard Law School. "Ultimately there are only two ways to better protect peoples privacy: stronger technology or better laws," he said.
In an expansive conversation about privacy and rebuilding trust in technology after revelations of widespread government spying, Smith talked about Microsoft's first "sea-change" moment. It came in the year after the September 2001 terrorist attacks, when Microsoft, among other Internet companies and telcos, was asked to voluntarily share data with U.S. law enforcement.
In the heat of the moment, in 2002, "it was easy to do things that we wouldnt otherwise do," Smith told Jonathan Zittrain, a professor of law and computer science at Harvard who moderated the event.
The principle that Microsoft adopted at that point and has stayed with is that if it's legally obligated to do something, it will comply, but otherwise it will not. "Our basic message was, if the government didnt feel the law went far enough, it shouldnt ask us to go beyond the law. It should go to Congress and ask Congress to change the law," he said.
The second sea-change was driven by the revelations in mid-2013, by former NSA contractor Edward Snowden, of widespread surveillance and data collection by the U.S. government. One of the biggest impacts of that was a significant loss of trust in technology companies by enterprise customers, Smith said.
"The publics trust on a global basis was changed," he said. The level of concern varies, and is more pronounced in Germany, across Europe, Brazil, and even came up in conversations with large businesses in Japan. Surveys conducted by Microsoft found a ten to 15-point decline in trust among customers.
Besides strengthening encryption, as most tech companies have done, Microsoft is tackling the issue of trust by bringing its legal resources to bear and implementing changes in its enterprise contracts.
"We said, if the U.S. government came and served a subpoena on us, seeking the email or other records of an enterprise customer, we would resist that, we would go to court, we would argue to a federal judge that that subpoena ought to be served on the customer, not on us. Second, we said that if the data in question were stored exclusively outside the United States, we would go to court and challenge the extraterritorial reach," Smith said.
Asked by Zittrain whether Microsoft has had discussions about extending the same protections to "run of the mill" consumers, not just enterprises, Smith appeared to acknowledge that there are limits to the legal resources that the company is willing to commit on behalf of its customers.
Smith said he has filed three lawsuits against the government in the past year, including one asserting Microsoft's first amendment right to publish more information about so-called FISA letters (these are issued after secret hearings in the U.S. court where law enforcement seeks warrants under the Foreign Intelligence Surveillance Act). "Reform of the FISA court is so important," Smith said. "We should not allow that issue to get lost in the public discussion&Public safety is of course important, but secret courts with secret decisions are not part of the American legal tradition."
Microsoft's second lawsuit challenged an FBI subpoena that was issued late last year, for data on an enterprise customer. In the third lawsuit, where Microsoft is now appealing a judge's ruling against it, it is opposing a search warrant by U.S. law enforcement for emails stored in a data center in Ireland.
"When should the United States government be able to reach into another country, into a data center built in another country, to get the data stored inside?" Smith said. "One could understand a rule that would say, if you have an American citizen or resident, that is storing data in another place, one could imagine a public policy rationale that would enable the U.S. government to serve a warrant. That stands in sharp contrast to the current position that the Department of Justice is taking in the lawsuit. Theyre basically saying, if the data center was built or is operated by an American company then they can reach anything inside. That really goes to the heart of sovereignty."
It's quite likely that Chinese e-commerce giant Alibaba will build a data center in the U.S., Smith said. "How will the people in Washington, D.C., feel if the Chinese government, if the Russian government, the Iranian government, the North Korean government, or pick the government of your choice decides to simply follow the principal thats been advocated by the U.S. government? Suddenly the rights of Americans are not being protected by their own laws, they are subject a whole bunch of other laws."
The risk is of fostering chaos on the Internet, he said. "But more important is what it means for people. Are people going to be able to continue to have the confidence that their rights are going to be protected by their own constitution and by their own laws? Or is it going to be something that can be overridden by other governments and their laws?"
Smith said that he wants to see more government action and discussion of a way forward.
"There is no effective broad-based conversation today that is first of all even bringing together the different parts of the United States government. The U.S. government is overdue for an interagency effort" that would bring in the interests of law enforcement and intelligence agencies, the Commerce Department, State Department and others, he said. And he's still optimistic about the role President Obama can play: "The fact that we have a president right now who is a constitutional law professor is a great asset to the country."
"But in the absence of any real discussion were just going to have an arms race in perpetuity," Smith said.