Microsoft's top legal gun decries privacy "arms race"

Brad Smith is ready for arms-control talks as tech companies and law enforcement fight a running battle on privacy

Microsoft General Counsel Brad Smith and Harvard Law School Professor Jonathan Zittrain

The conflict between snooping governments seeking to defeat encryption and users demanding ever more robust privacy tools has turned into an arms race -- and it's time for arms control talks, Microsoft's general counsel said on Tuesday.

Resolving that conflict requires a new consensus on how to balance public safety and personal privacy, Brad Smith said in a forum at Harvard Law School. "Ultimately there are only two ways to better protect people's privacy: stronger technology or better laws," he said.

In an expansive conversation about privacy and rebuilding trust in technology after revelations of widespread government spying, Smith talked about Microsoft's first "sea-change" moment. It came in the year after the September 2001 terrorist attacks, when Microsoft, among other Internet companies and telcos, was asked to voluntarily share data with U.S. law enforcement.

In the heat of the moment, in 2002, "it was easy to do things that we wouldn't otherwise do," Smith told Jonathan Zittrain, a professor of law and computer science at Harvard who moderated the event.

The principle that Microsoft adopted at that point and has stayed with is that if it's legally obligated to do something, it will comply, but otherwise it will not. "Our basic message was, if the government didn't feel the law went far enough, it shouldn't ask us to go beyond the law. It should go to Congress and ask Congress to change the law," he said.

The second sea-change was driven by the revelations in mid-2013, by former NSA contractor Edward Snowden, of widespread surveillance and data collection by the U.S. government. One of the biggest impacts of that was a significant loss of trust in technology companies by enterprise customers, Smith said.

"The public's trust on a global basis was changed," he said. The level of concern varies; it is more pronounced in Germany, across Europe and in Brazil, and it even came up in conversations with large businesses in Japan. Surveys conducted by Microsoft found a 10- to 15-point decline in trust among customers.

Besides strengthening encryption, as most tech companies have done, Microsoft is tackling the issue of trust by bringing its legal resources to bear and implementing changes in its enterprise contracts.

"We said, if the U.S. government came and served a subpoena on us, seeking the email or other records of an enterprise customer, we would resist that, we would go to court, we would argue to a federal judge that that subpoena ought to be served on the customer, not on us. Second, we said that if the data in question were stored exclusively outside the United States, we would go to court and challenge the extraterritorial reach," Smith said.

Asked by Zittrain whether Microsoft has had discussions about extending the same protections to "run of the mill" consumers, not just enterprises, Smith appeared to acknowledge that there are limits to the legal resources that the company is willing to commit on behalf of its customers.

Smith said he has filed three lawsuits against the government in the past year, including one asserting Microsoft's First Amendment right to publish more information about so-called FISA letters (these are issued after secret hearings in the U.S. court where law enforcement seeks warrants under the Foreign Intelligence Surveillance Act). "Reform of the FISA court is so important," Smith said. "We should not allow that issue to get lost in the public discussion ... Public safety is of course important, but secret courts with secret decisions are not part of the American legal tradition."

Microsoft's second lawsuit challenged an FBI subpoena that was issued late last year, for data on an enterprise customer. In the third lawsuit, where Microsoft is now appealing a judge's ruling against it, it is opposing a search warrant by U.S. law enforcement for emails stored in a data center in Ireland.

"When should the United States government be able to reach into another country, into a data center built in another country, to get the data stored inside?" Smith said. "One could understand a rule that would say, if you have an American citizen or resident, that is storing data in another place, one could imagine a public policy rationale that would enable the U.S. government to serve a warrant. That stands in sharp contrast to the current position that the Department of Justice is taking in the lawsuit. They're basically saying, if the data center was built or is operated by an American company then they can reach anything inside. That really goes to the heart of sovereignty."

It's quite likely that Chinese e-commerce giant Alibaba will build a data center in the U.S., Smith said. "How will the people in Washington, D.C., feel if the Chinese government, if the Russian government, the Iranian government, the North Korean government, or pick the government of your choice decides to simply follow the principle that's been advocated by the U.S. government? Suddenly the rights of Americans are not being protected by their own laws, they are subject to a whole bunch of other laws."

The risk is of fostering chaos on the Internet, he said. "But more important is what it means for people. Are people going to be able to continue to have the confidence that their rights are going to be protected by their own constitution and by their own laws? Or is it going to be something that can be overridden by other governments and their laws?"

Smith said that he wants to see more government action and discussion of a way forward.

"There is no effective broad-based conversation today that is first of all even bringing together the different parts of the United States government. The U.S. government is overdue for an interagency effort" that would bring in the interests of law enforcement and intelligence agencies, the Commerce Department, State Department and others, he said. And he's still optimistic about the role President Obama can play: "The fact that we have a president right now who is a constitutional law professor is a great asset to the country."

"But in the absence of any real discussion we're just going to have an arms race in perpetuity," Smith said.

Stories by Elizabeth Heichler