
Microsoft Sues Justice Department Over Secret Customer Data Searches - phonyphonecall
http://www.wsj.com/articles/microsoft-sues-justice-department-over-secret-customer-data-searches-1460649720
======
dcgudeman
'Microsoft’s filing zeroes in on a provision of the Electronic Communications
Privacy Act, written in 1986. The company argues that indefinite gag orders
violate the First Amendment right to inform customers about the search of
their files “as soon as secrecy is no longer required.” Additionally, the suit
claims that the law “flouts” Fourth Amendment requirements that the government
give notice to people when their property is being searched or seized.'

This is pleasing news, but to be honest I am a little concerned about the fact
that Amazon didn't attempt one of these lawsuits earlier. I am not sure how
cooperative AWS is with the government but I would assume they are the largest
target for these types of requests. In general I like Amazon as a company but
this makes me question their respect for user privacy.

~~~
tshtf
Amazon promised bi-annual transparency reports here:

[https://blogs.aws.amazon.com/security/blog/tag/Transparency+...](https://blogs.aws.amazon.com/security/blog/tag/Transparency+report)

However only one report (covering a 6-month period) was issued and posted
in the initial blog post in June 2015. None have followed:

[http://d0.awsstatic.com/certifications/Information_Request_R...](http://d0.awsstatic.com/certifications/Information_Request_Report.pdf)

~~~
wfunction
Maybe they meant biennial rather than biannual?

~~~
function_seven
I always thought those two terms were equivalent, and that "semiannual" was
the every-six-months one. Turns out I was wrong.[1]

[1] [http://writersrelief.com/blog/2011/05/biannual-biennial-or-s...](http://writersrelief.com/blog/2011/05/biannual-biennial-or-semiannual/)

~~~
comex
Many (most?) sources define "biannual" only as "twice a year". Yet Merriam-
Webster says: "Some people prefer to use semiannual to refer to something that
occurs twice a year, reserving biannual for things that occur once every two
years."

~~~
function_seven
It's a good lesson for contract writers and anyone else that wants to be
clear. Never use any of those terms. Instead, write, "Inspections will be done
every 24 months", or, "The toner needs to be ordered every six months".

If something is supposed to occur every other Friday? Write it just like that,
or "every 14 days". Don't say, "Paychecks are distributed bi-weekly".

~~~
wfunction
Is it common to give out paychecks twice a week though? I feel like common
sense could rule out one of those cases...

~~~
richmarr
Say you've got 10 new joiners per week at your high-turnover packing
factory, and a sign outside the admin office that says "Paychecks are
distributed bi-weekly".

Maybe typically 5 of them have had a job before in the area, 3 have had a job
elsewhere and 2 have never had a job. Not all of them have the same level of
education.

How many will misunderstand your sign? Might any of those misunderstandings
about money cause problems for people?

Considering the comparative cost of writing the sign as "every two weeks", and
the reduction in potential confusion, it seems like a no-brainer to write it
that way.

~~~
wfunction
I mean are you talking about jobs meant for those with some kind of college
education, or are you talking about jobs aimed at (say) middle-school drop-
outs? For the latter, I can see it, but for the former it's almost insulting
to try to simplify things too much just in case the employee doesn't have
common sense that they will need on the job anyway...

~~~
richmarr
I was using a low-income example to make the point clear, but the same
principle applies to everyone.

By assuming a high-education environment you might nudge down the number of
misunderstandings. You'll nudge it further if you assume English is everyone's
first language. [Note that these assumptions are probably discriminatory]

You'll nudge it further if you assume that nobody in your working environment
is dyslexic, or has any other linguistic impairment. [This assumption is
certainly discriminatory]

You'll nudge it further if you assume that everyone is operating at 100% all
the time... which is just plain untrue, as nicely summed up by this slide from
Microsoft's Inclusive Design reference:
[https://marcysutton.github.io/mobile-a11y/img/injury.png](https://marcysutton.github.io/mobile-a11y/img/injury.png)

While you might be insulted by language that insufficiently feeds your desire
to feel good about your intelligence, your right to not be insulted is a lower
priority than communicating important information clearly.

------
icloudsearch
Throwaway because I am currently under investigation. Apple inadvertently
notified me that <Agency> had subpoena'd my iCloud backups. I suspect that
they violated the gag order in error. As a result they expedited their
physical warrant and raided me 2 days later. As someone targeted by a federal
investigation, it is clear that the government will vacuum up as much
information as possible without my knowledge. Hopefully Microsoft succeeds in
this lawsuit.

~~~
sandstrom
Do you know why you are being investigated?

~~~
jessaustin
Are you a Fed? Why would you ask a question that could only hurt GP?

~~~
sqldba
I'm not a Fed but I'm also interested.

It could be anything - from something insidiously evil or it could be
something like they're a journalist.

------
mtgx
Indefinite gag orders are definitely unconstitutional, and it has been proven
before in Court. There should be an _automatic_ limit as well for when the gag
orders expire, like say 1-3 months, or whatever is considered "reasonable" for
an investigation. After that, the government should have to get extensions
every 3 months from a judge. After 2 or 3 years, the extension should be
obtained only from a federal judge.

And it goes without saying that the gag orders should only be given in very
specific scenarios, not for _all data requests_, or anytime the government
wants to give one.

~~~
rietta
It would be a pipe dream, but at the conclusion of the gag period there should
additionally be a disclosure requirement - like a data breach notification.
That would help balance out the desire to keep these things under wraps.

------
nkw
As much as it is generally reviled (especially by those who hang around the
Internet) I bet the _Citizens United_ decision will help Microsoft a bit in
this suit as it reaffirmed First Amendment speech protections do apply to
corporate speakers especially in the context of political speech.

[http://www.supremecourt.gov/opinions/09pdf/08-205.pdf](http://www.supremecourt.gov/opinions/09pdf/08-205.pdf)

~~~
bpodgursky
Most of those who are against Citizens United do not understand how chilling
to free speech the alternative would be.

Hint: there's a reason the ACLU believes Citizens United was the right
decision.

~~~
cmdrfred
So in a world where money != speech, speech is impacted negatively?

~~~
_delirium
There are a variety of anti-Citizens-United positions, but the strongest (and
most problematic) one is that corporations are not people, and the Bill of
Rights secures rights only to people, therefore the First Amendment is
inapplicable to corporations. That would, at the very least, require a
revision in important precedents like _New York Times Co. v. Sullivan_ [1],
which assume that the First Amendment is applicable to corporations'
publishing activities.

[1]
[https://en.wikipedia.org/wiki/New_York_Times_Co._v._Sullivan](https://en.wikipedia.org/wiki/New_York_Times_Co._v._Sullivan)

~~~
thegasman
Corporations are people. They are taxed like people, they break laws like
people, and they own property like people.

They just can't vote.

~~~
AlexandrB
In every other way they are not like people. They are neither mortal nor
corporeal (in the sense that a human body can be imprisoned or damaged). They
can feel no emotion and are not subject to disease. This is important because
humans are limited in myriad ways that corporations aren't and by giving
corporations human rights the balance of power between actual humans and
corporations tilts to the latter.

For example, while they can break the laws like people, corporations are not
punished the same. When was the last time a corporation was "executed" (e.g.
corporate charter revoked)?

~~~
voxic11
Last one I could find was in California in 1976.

~~~
jessaustin
This should certainly be a more common occurrence.

------
c3534l
It's nice to see when two big corporations compete over each other over who
fights harder for the civil liberties of its users. You one-up those Apple
bastards, MS!

------
ChuckMcM
It is interesting that law enforcement doesn't draw the connection between the
abuse of a capability with the people making it harder to abuse. I don't think
there would be any outrage or pushback if such requests were in the 10's a
month rather than in the 1000's a month.

------
3dk
Archive Link: [http://archive.is/L6fJf](http://archive.is/L6fJf)

If you want to skip logging in.

------
some1else
I thought I'd repost the lawful spying guides by the biggest cloud service
providers [1] (including Microsoft). There's a great one from the Hotmail era
I couldn't find on a whim though.

1:
[https://news.ycombinator.com/item?id=11504068](https://news.ycombinator.com/item?id=11504068)

------
dmoy
AP link in case you don't subscribe:
[http://hosted.ap.org/dynamic/stories/U/US_MICROSOFT_SECRET_S...](http://hosted.ap.org/dynamic/stories/U/US_MICROSOFT_SECRET_SEARCHES_WAOL-?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2016-04-14-18-06-40)

~~~
caf
You can also just click through the |web| link at the top of this page.

------
ikeboy
[https://archive.is/L6fJf](https://archive.is/L6fJf)

------
Aoyagi
How nice of Microsoft, that they want to use the data all for themselves...
and how nice for them that almost nobody even thinks that "not harvesting
every bit of data you get your hands on just because you can" is also a
possible scenario.

------
sqldba
What I want to know is - why now and not years ago?

------
daveguy
Does this imply that the Justice department can search your computer if
Windows 10 is installed? Or does this just apply to data MS has on you at MS?
(OneDrive, use telemetry, etc)?

~~~
KirinDave
So... there's no evidence the "Justice Department can search your computer if
Win10 is installed" assuming your device is actually secure. Bad passwords, no
supported integrated TPM or other issues (common to custom built machines)
will compromise your local device security and thusly make them the easiest
method of attack.

If served a lawful subpoena, ANY cloud service provider may be required to
hand over your data if they have that power. If you've got something truly
critical (e.g., evidence you're transsexual in NC and use the
"illegal"/correct bathroom) you should encrypt it even on top of what your CSP
does. Windows, OSX and Linux all offer methods for doing this effectively.

I've used OneDrive with encrypted VHDs. It works fine, so long as you don't
access the VHD from multiple places at once. I do this more because my
OneDrive syncs to a surfacebook than because I am concerned about subpoenas.

As for the telemetry collected, it's probably not of any use to them. It's the
same sort of stuff every app on your phone sends up to mixpanel. I wouldn't
worry about that, as it's not a substantially greater privacy violation than
the natural telemetry collected by the cell network and local ISPs. The only
way it might be used against you is in proving a certain access pattern to the
device at a certain time.

~~~
daveguy
Oh I expect telemetry would be of great use to them. What you have installed,
what you're using and when. Log information would be extremely useful toward
matching a person up with a crime. I doubt it is just OneDrive data they are
providing.

~~~
KirinDave
> Log information would be extremely useful toward matching a person up with a
> crime.

As opposed to the information that the ISPs are already offering? Sorry, but
your underlying networks are already in collusion with the feds.

Were they not, the telemetry might provide signals that wouldn't be more
easily obtained elsewhere.

But it's also worth noting that the telemetry for 'apps installed' is just
your license list from the store. We don't have a ton of evidence that MS is
combing your computer for random executables and reporting that back on a
signal, or passing up full untrimmed process lists.

~~~
chopin
>As opposed to the information that the ISPs are already offering?

Log information _can_ be much more revealing if you are communicating only via
encrypted protocols or Tor. We don't know for sure what exactly MS is
transmitting in their logs but we do know quite well what traces we leave (or
leave not) behind via our ISP. And that's definitely much less than what our
machine can reveal via (encrypted) telemetry.

~~~
KirinDave
Three thoughts here.

1. We really don't know the extent of telemetry collected via our ISPs, do
we? Unless application authors go to the trouble of specific certificate or
signatory cert pinning, it's not terribly challenging for certain classes of
attackers to enter that connection.

2. Wouldn't substantial data in Tor logs be a bug with your Tor client
anyways? I've never seen a Tor client ship in a logging debug mode. But I
haven't taken Tor terribly seriously for years. Did they start doing it wrong?

3. The contents of the data that is being sent to Microsoft is entirely
knowable. I'm waiting for a security researcher to just do it. I suspect most
of what we see is something along the lines of standard app telemetry for core
apps.

The amount of FUD that has been brought to bear against MS for this practice
is pretty unsurprising given the scroogled campaigns, but it's funny to see a
bunch of 3rd parties buy into it while posting from Macs that do the same
thing.

