
Justice Department moves to end routine gag orders on tech firms - forapurpose
https://www.washingtonpost.com/world/national-security/justice-department-moves-to-end-routine-gag-orders-on-tech-firms/2017/10/23/df8300bc-b848-11e7-9e58-e6288544af98_story.html?utm_term=.4f3da68632f5
======
nerdponx
This is good news overall. Glad to see _some_ sanity coming out of the White
House.

I'm a little suspicious though. Why is Microsoft pushing so hard for this?
What's in it for them?

~~~
paxy
Microsoft has been battling the government over this and more for a long time.
They have another major ongoing case over US government rights to demand
customer data stored overseas.

> What's in it for them

The very lucrative European business market. If they can't be assured that
their data is safe with Microsoft (and out of US govt hands), they will
naturally move to using non-US based competitors.

~~~
the8472
At $employer we process lots of PII on behalf of customers which is covered by
additional domain-specific privacy laws on top of the general ones.

Compliance is important and because we occasionally have to handle production
data in-house this has far-reaching consequences.

It's not just that we can't use US-based cloud services for production. We
can't use them for anything. Anything like Slack, G Suite, Jira Cloud are not
suitable for handling the sensitive data. Even something as simple as using
reCAPTCHA required vetting by our data protection officer.

~~~
jakevn
Out of curiosity, what doesn’t AWS comply with? I was under the impression
they were certified for almost every use case involving PII.

~~~
Tuna-Fish
Starting from May 2018, no US-based company can possibly comply under the
strict interpretation of EU data protection laws. If a US court can possibly
legally compel you to hand over the data, you cannot host any private data on
EU citizens on behalf of an EU company. Next year, I cannot even legally store
things like names and email addresses belonging to EU citizens on a server run
by a US company, without exposing myself to major legal liability. Many
companies in the EU are now scrambling to get away from US service providers.

The text is very broad, and it has been argued that it's a stealth
protectionism measure. For me to be able to do business with US-based cloud
providers next year, the US law needs to change so that if an account has a
"this refers to an EU citizen" bit set, that completely prevents US courts and
law enforcement from acquiring any information about it without proving
probable cause at an EU court of a specific crime that is of sufficient
severity and criminal in both EU and the US. I don't believe that will happen.

------
forapurpose
And I'll append an analysis which says that much more is needed because the
new rule applies only to the Justice Dept, and the orders come from many
places, including state and local governments:

[https://www.justsecurity.org/46875/modernizing-ecpa-congress...](https://www.justsecurity.org/46875/modernizing-ecpa-congressional-action-dojs-gag-order-guidelines/)

I'll add that a rule changed by the Justice Dept can be changed again. A law
may be needed.

~~~
itchyjunk
Both good points. If I may ask, why is MS dropping the case if they had good
points to make something come of it?

~~~
bskap
Microsoft sued the Justice Department. I'm not a lawyer, but since the Justice
Department is no longer doing this thing, they may not have any standing for
the lawsuit. I don't think they can force the lawsuit through to get a
decision since they're no longer being harmed by it.

It wouldn't be the first time someone who thought they might lose backed down
to avoid setting a precedent. Police departments did it with cases where
people challenged the use of Stingrays, for example.

------
danjoc
I'm glad to see the Trump administration rolling back these Obama era privacy
violations.

~~~
wbhart
I think that the provisions of 18 U.S.C. § 3123(d)(2) were introduced by Bush
as part of the Patriot Act, after September 11, not by Obama. One might argue
that Obama abused them, of course.

~~~
danjoc
It's pretty easy to argue abuse when the Obama administration was wiretapping
the opposition party just before a presidential election,

[http://www.cnn.com/2017/09/18/politics/paul-manafort-governm...](http://www.cnn.com/2017/09/18/politics/paul-manafort-government-wiretapped-fisa-russians/index.html)

In March the Obama administration denied it for months. Now it is a matter of
fact.

~~~
ouid
Criminal investigations are non-partisan. You don't get structural immunity
from espionage charges just because you are "of another political party" than
the current president. The wiretap was authorized by a judge. The White House
also never denied wiretapping Manafort, but if they HAD done so, it would have
been proper. Wiretaps are secret, by their nature. This also occurred _after_
Manafort had been removed from his position on the Trump campaign.

~~~
gozur88
>Criminal investigations are non-partisan.

Sniff. I remember when I was young and idealistic.

The Obama administration was clever enough to investigate people _around_
Trump such that they would have pretty much everything he said in the can.

What was highly irregular, and arguably illegal, was Susan Rice at the NSC
authorizing the "unmasking" of the people involved as well as a wide
intergovernmental distribution. She really had no business doing that, and it
effectively leaked every aspect of the investigation.

------
semperdark
For the record, this does not include National Security Letters.

~~~
gboudrias
I assume this is a step towards that. As a Canadian, I know for a fact we (as
in our tech industry) have a lot of business that would go to the US by
default if these letters stopped existing.

Well, maybe not now, the damage is done. But it would've, and in time US tech
companies' reputation will be repaired. As a foreigner, it doesn't seem like
the repair process has started yet. Hope I'm wrong.

------
ComodoHacker
That's the outcome Microsoft has deserved my sincere respect for.

------
solotronics
Do these gag orders apply to foreign-based subsidiaries of a company based in
the US?

------
baybal2
I'll try to say things in a less sarcastic form.

Americans, the argumentation for interception of correspondence and private life
perlustration provided by your 3-letter services and whole executive branch in
general is laughable.

They talk about busting terror cells, then proceed to dig your personal data
on Facebook or somebody's very very private Snapchat conversations, as if
Osama Bin Laden, with his alleged $ billions in the bank, has nothing else to
do than writing a web diary with all his plans exposed in plain sight or
sexting with his groupies.

The prime interest of this STASI-style mass perlustration is not the so-called
"terrorists," but your and other citizens' private life, and it is
laughable for anybody to claim that this is anything other than that.

And it looks even more laughable when somebody goes beyond not only taking
that as given, but even tries to insinuate a posh opposition and say to US
government "you are not doing the mass domestic espionage in constitutionally
correct way, you should do mass surveillance differently" as if mass
surveillance can ever become legal in the USA.

Microsoft probably sees and routinely fulfills thousands of data perlustration
requests a month, but rather than saying "What you do is fucking illegal, you
will get that data only over my dead body," they say "Dear uncle Sam, we have
a lot of dirt on you, and in particular the request no. 9877989 with very weak
legal argumentation in it, play nicer with us in the future"

~~~
visarga
I hate to have to say it, but besides the 3-letter agencies, all countries and
many global companies are spying. Even if the US agencies fixed their
behavior, there is still the problem of the rest of the world.

~~~
gozur88
I laughed my ass off when, after all the complaining the Germans did about the
NSA collecting their PM's phone conversations, it turned out they did the very
same thing to Hillary Clinton when she was Secretary of State travelling in
Europe.

