Hacker News new | comments | ask | show | jobs | submit login
Microsoft Sues Justice Department Over Secret Customer Data Searches (wsj.com)
399 points by phonyphonecall on Apr 14, 2016 | hide | past | web | favorite | 67 comments

'Microsoft’s filing zeroes in on a provision of the Electronic Communications Privacy Act, written in 1986. The company argues that indefinite gag orders violate the First Amendment right to inform customers about the search of their files “as soon as secrecy is no longer required.” Additionally, the suit claims that the law “flouts” Fourth Amendment requirements that the government give notice to people when their property is being searched or seized.'

This is pleasing news, but to be honest I am a little concerned about the fact the Amazon didn't attempt one of these lawsuit earlier. I am not sure how cooperative AWS is with the government but I would assume they are the largest target for these types of requests. In general I like Amazon as a company but this makes me question their respect for user privacy.

Amazon promised bi-annual transparency reports here:


However only one report (covering a 6-month period) has was issued and posted in the initial blog post on June 2015. None have followed:


Maybe they got served a letter and it's all dead canary.

(more likely the people who decided that all have new jobs now)

Bezos talks a good game. He's got a record of promising to work for things like patent reform without much follow-through.

I can speak personally to a warrant Amazon literally said "no thanks" to. It took a while for me discover (and Amazon never informed me it occurred) but later in court, officials released Amazon's denial of the warrant on grounds of being too wide sweeping and vague. I will upload it later and redact all the details...

The exact same verbiage was used for a few other companies including Comcast who bent over backwards to lower their dragnet.

This statement by Bezos rings really true to me and they will keep my business.

Maybe they meant biennial rather than biannual?

I always thought those two terms were equivalent, and that "semiannual" was the every-six-months one. Turns out I as wrong.[1]

[1] http://writersrelief.com/blog/2011/05/biannual-biennial-or-s...

Many (most?) sources define "biannual" only as "twice a year". Yet Merriam-Webster says: "Some people prefer to use semiannual to refer to something that occurs twice a year, reserving biannual for things that occur once every two years."

It's a good lesson for contract writers and anyone else that wants to be clear. Never use any of those terms. Instead, write, "Inspections will be done every 24 months", or, "The toner needs to be ordered every six months".

If something is supposed to occur every other Friday? Write it just like that, or "every 14 days". Don't say, "Paychecks are distributed bi-weekly"

Is it common to give out paychecks twice a week though? I feel like common sense could rule out one of those cases...

Say you've got a 10 new joiners per week at your high-turnover packing factory, and a sign outside the admin office that says "Paychecks are distributed bi-weekly".

Maybe typically 5 of them have had a job before in the area, 3 have had a job elsewhere and 2 have never had a job. Not all of them have the same level of education.

How many will misunderstand your sign? Might any of those misunderstandings about money cause problems for people?

Considering the comparitive cost of writing the sign as "every two weeks", and the reduction in potential confusion, it seems like a no-brainer to write it that way.

I mean are you talking about jobs meant for those with some kind of college education, or are you talking about jobs aimed at (say) middle-school drop-outs? For the latter, I can see it, but for the former it's almost insulting to try to simplify things too much just in case the employee doesn't have common sense that they will need on the job anyway...

I was using a low-income example to make the point clear, but the same principle applies to everyone.

By assuming a high-education environment you might nudge down the number of misunderstandings. You'll nudge it further if you assume English is everyone's first language. [Note that these assumptions are probably discriminatory]

You'll nudge it further if you assume that nobody in your working environment is dylsexic, or has any other linguistic impairment. [This assumption is certainly discriminatory]

You'll nudge it further if you assume that everyone is operating at 100% all the time... which is just plain untrue, as nicely summed up by this slide from Microsoft's Inclusive Design reference: https://marcysutton.github.io/mobile-a11y/img/injury.png

While you might be insulted by language that insufficiently feeds your desire to feel good about your intelligence, your right to not be insulted is a lower priority than communicating important information clearly.

Or Centennial? :)

My impression of Amazon is they care much more about selling product than the product itself, across all their lines of business. I see the complying without a fight because it would slow down the selling process and would prevent any hint of these searches from actually going on to the public if they did.

Well MSFT just out marketed them on this one :)

1) Well, I think Amazon doesn't really care and this shows its lack of care.

2) I'm only pleased if it works. I suspect in this environment it is going to flop and is largely for PR.

Amazon did build the government its own AWS cloud. Perhaps they don't want to bite the hand of such a large customer?

Eventually, if it isn't already, this will be one of those "you own the bank" situations. Too much government stuff relies on AWS to imagine AWS just getting cut out. If Obama decided today to fire AWS, how long would that take?

concerned about the fact the Amazon didn't attempt one of these lawsuit earlier.

I have no idea why you're bringing up Amazon since the article is about Microsoft.

That said, assuming you're asking the question about MSFT: Microsoft has always been a lapdog of the Feds, as evidenced by handing over hotmail data simply from a pleasant LEA request, to centralizing and backdooring skype, to removal of the elephant diffuser, to jumping at the chance to join PRISM, to any number of chunks of evidence.

But now that data security is a marketable good (per Apple's example), MSFT feels the fiduciary duty to pretend to fight the Feds for profit.

Whenever a fundamentally evil actor gives a show of doing good, always follow the money.

> I have no idea why you're bringing up Amazon since the article is about Microsoft.

I have no idea why you're bringing up that you have no idea why he's bringing up Amazon since the article is about Microsoft since the article is about Microsoft and the comment is about Amazon.

While I disagree with the tone of your comment, I would have to agree that Apple has made it a good and responsible action to oppose such open-ended Federal requests.

It was always morally good for the consumer.

Apple's stance may have tweaked the business incentives back in line with the moral good.

Apple has always been big on the idea that best way to alter behavior is to alter incentives.

while i'm decidedly unenthused by the amount of pro-MS dialog on HN, the premise of a business being "fundamentally evil" is rather dogmatic and not very conducive to discussion.

i'm not saying that microsoft is fundamentally evil, but don't you think it's problematic that the premise "business X is evil" is necessarily "dogmatic" or "not conducive to discussion"? i mean, specifically, what about the case where "business X is evil" happens to be true?

"what's evil? this is so subjective and [insert complaint]"

suppose an organization is committed to tricking the public, ripping off the government, committing crimes, gaining power at the expense of any idea of the public good... don't you think at least some people would be confident in thus concluding "business X is evil"?

again, regardless of microsoft's motives for litigation (which i'm going to go out on a limb and suggest are probably more nuanced and confidential than can be explained in a single article), shouldn't "business X is fundamentally evil; ie they are united in the pursuit of a criminal or publicly hazardous goal," be available for discussion? all the more if the speaker has evidence?

neutrality is great if you want to be level headed and find facts... but it can't be true by stipulation. that's just crazy, and truly "dogmatic and not very conducive to discussion". yeah, "x is evil" statements require more evidence, and more explanation of what you mean (because rando on the internet stating "x is evil" conveys pretty much no information at all), but they have to be admissable.

...unless you think it's somehow impossible for organizations to come together to pursue evil (by most standards) goals?

(and, again, not asserting that microsoft is evil myself, but didn't the karma-bombed author cite reasons that s/he found microsoft taking legal action to protect its customers dubious? if someone provides argument for a conclusion, and you--without even handwaving at a reason to dismiss their argument/evidence--dismiss her conclusion out of hand, aren't you doing some serious violence to intelligent discussion? you're expressly taking a discussion that had progressed to the point of thesis-with-argument back to bald-statements/opinions/theses... that's nothing to endorse)

Throwaway because I am currently under investigation. Apple inadvertently notified me that <Agency> had subpoena'd my iCloud backups. I suspect that they violated the gag order in error. As a result they expedited their physical warrant and raided me 2 days later. As someone targeted by a federal investigation, it is clear that the government will vacuum up as much information as possible without my knowledge. Hopefully Microsoft succeeds in this lawsuit.

Do you know why you are being investigated?

Are you a Fed? Why would you ask a question that could only hurt GP?

I'm not a Fed but I'm also interested.

It could be anything - from something insidiously evil or it could be something like they're a journalist.

Stay strong, Snookie.

(in seriousness - good luck)

Indefinite gag orders are definitely unconstitutional, and it has been proven before in Court. There should be an automatic limit as well for when the gag orders expire, like say 1-3 months, or whatever is considered "reasonable" for an investigation. After that, the government should have to get extensions every 3 months from a judge. After 2 or 3 years, the extension should be obtained only from a federal judge.

And it goes without saying that the gag orders should only be given in very specific scenarios, not for all data requests, or anytime the government wants to give one.

It would be a pipe dream, but at the conclusion of the gag period there should additionally be a disclosure requirement - like a data breach notification. That would help balance out the desire to keep these things under wraps.

Any gag order would be unconstitutional. One may explain their expected consequences of saying a particular thing, but another always has a right to speak whatever they want.

As much as it is generally reviled (especially by those who hang around the Internet) I bet the Citizens United decision will help Microsoft a bit in this suit as it reaffirmed First Amendment speech protections do apply to corporate speakers especially in the context of political speech.


Most of those who are against Citizens United do not understand how chilling to free speech the alternative would be.

Hint: there's a reason the ACLU believes Citizens United was the right decision.

Citizens United was about a small outfit making a Clinton doco, yes. But the trouble was the decision didn't have to be as broad as it was. They could have limited the scope and achieved a similar effect.

Political parties are very interesting in the sense that they are not public; not really at all. (but they should be). That's an argument for stricter laws when specifically dealing with speech and campaigns.

Keep in mind, free speech has limits. Obscenity, classified material, threats of harm ... Free speech in the US, although more complete than many other nations, is still restricted.

>Political parties are very interesting in the sense that they are not public; not really at all. (but they should be).

Please no. At its core, a political party is a group of people with common goals banding together to contest elections. Congress and the elections are the public institutions. How people choose to form alliances and contest those elections is a private matter. The only way to make political parties public is to ban private political parties, which should throw up all sorts of red flags in your head.

As for Citizens United, people forget that it's not just about big for-profit companies spending money. Any non-profit group is a corporation. If you and I share a set of political ideas and want to advocate for them, we'd form a non-profit, print pamphlets, run ads, court donors, rinse and repeat. That's freedom at work. It's totally impractical to run such an operation as a single human being. It's totally irresponsible to set up such a group and then legally run it as a single human being. Incorporation is the legal means for people to embark on common projects.

How do you think the court could have limited the scope while also staying within the confines of not making things up (the court does not legislate).

So in a word where money != speech, speech is impacted negatively?

Citizens United did not say "money == speech." It said that peoples' right to make and distribute movies with core political speech does not disappear just because corporate money is used to do it. If Citizens United had gone the other way, e.g. the government could have banned the Google and Reddit protests against SOPA/PIPA.

There are a variety of anti-Citizens-United positions, but the strongest (and most problematic) one is that corporations are not people, and the Bill of Rights secures rights only to people, therefore the First Amendment is inapplicable to corporations. That would, at the very least, require a revision in important precedents like New York Times Co. v. Sullivan [1], which assume that the First Amendment is applicable to corporations' publishing activities.

[1] https://en.wikipedia.org/wiki/New_York_Times_Co._v._Sullivan

Corporations are people. They are taxed like people, they break laws like people, and they own property like people.

They just can't vote.

In every other way they are not like people. They are neither mortal nor corporeal (in the sense that a human body can be imprisoned or damaged). They can feel no emotion and are not subject to disease. This is important because humans are limited in myriad ways that corporations aren't and by giving corporations human rights the balance of power between actual humans and corporations tilts to the latter.

For example, while they can break the laws like people, corporations are not punished the same. When was the last time a corporation was "executed" (e.g. corporate charter revoked)?

Last one I could find was in California in 1976.

This should certainly be a more common occurrence.

Corporations are shells for human people (!!) to commit criminal acts, but shelter these human people from the legal consequences of these acts.

Very true.

But, in all fairness, that's not their primary purpose, it's merely a side effect of their overall utility. Most people in most corporations are decidedly not criminal, and they don't behave as criminals.

In that world, any publication making or costing money can be considered political speech and censored. The Sierra club newsletter could be considered politically motivated and prevented from publishing articles unless the donors stay within donation caps

Once you give the government a tool to restrict speech / spending, it will be used to cut both ways.

Put it this way, I wouldn't want my donations to <rebellious political candidate du jour> to land me in jail because it wasn't protected speech.

Although donations to the wrong political group can certainly get you in big trouble today (if you're willing to stretch the definition of 'political group'), so...hm.

It's nice to see when two big corporations compete over each other over who fights harder for the civil liberties of it's users. You one-up those Apple bastards, MS!

It is interesting that law enforcement doesn't draw the connection between the abuse of a capability with the people making it harder to abuse. I don't think there would be any outrage or pushback if such requests were in the 10's a month rather in the 1000's a month.

Archive Link: http://archive.is/L6fJf

If you want to skip logging in.

I thought I'd repost the lawful spying guides by the biggest cloud service providers [1] (including Microsoft). There's a great one from the Hotmail era I couldn't find on a whim though.

1: https://news.ycombinator.com/item?id=11504068

You can also just click through the |web| link at the top of this page.

How nice of Microsoft, that they want to use the data all for themselves... and how nice for them that almost nobody even thinks that "not harvesting every bit of data you get your hands on just because you can" is also a possible scenario.

What I want to know is - why now and not years ago?

Does this imply that the Justice department can search your computer if Windows 10 is installed? Or does this just apply to data MS has on you at MS? (OneDrive, use telemetry, etc)?

So... there's no evidence the "Justice Department can search your computer if Win10 is installed" assuming your device is actually secure. Bad passwords, no supported integrated TPM or other issues (common to custom built machines) will comprimise your local device security and thusly make them the easiest method of attack.

If served a lawful subpoena, ANY cloud service provider may be required to hand over your data if they have that power. If you've got something truly critical (e.g., evidence you're transsexual in NC and use the "illegal"/correct bathroom) you should encrypt it even on top of what your CSP does. Windows, OSX and Linux all offer methods for doing this effectively.

I've used OneDrive with encrypted VHDs. It works fine, so long as you don't access the VHD from multiple places at once. I do this more because my OneDrive syncs to a surfacebook than because I am concerned about subpoenas.

As for the telemetry collected, it's probably not of any use to them. It's the same sort of stuff every app on your phone sends up to mixpanel. I wouldn't worry about that, as it's not a substantially greater privacy violation than the natural telemetry collected by the cell network and local ISPs. The only way it might be used against you is in proving a certain access pattern to the device at a certain time.

Oh I expect telemetry would be of great use to them. What you have installed, what your using and when. Log information would be extremely useful toward matching a person up with a crime. I doubt it is just OneDrive data they are providing.

> Log information would be extremely useful toward matching a person up with a crime.

As opposed to the information that the ISPs are already offering? Sorry, but your underlying networks are already in collusion with the feds.

Were they not, the telemetry might provide signals that wouldn't be more easily obtained elsewhere.

But it's also worth noting that the telemetry for 'apps installed' is just your license list from the store. We don't have a ton of evidence that MS is combing your computer for random executables and reporting that back on a signal, or passing up full untrimmed process lists.

>As opposed to the information that the ISPs are already offering?

Log information can be much more revealing if you are communicating only via encrypted protocols or Tor. We don't know for sure what exactly MS is transmitting in their logs but we do know quite well what traces we leave (or leave not) behind via our ISP. And that's definitely much less than what our machine can reveal via (encrypted) telemetry.

Three thoughts here.

1. We really don't know the extent of telemetry collected via our ISPs, do we? Unless application authors go to the trouble of specific certificate or signatory cert pinning, it's not terribly challenging for certain classes of attackera to enter that connection.

2. Wouldn't substantial data in Tor logs be a bug with your Tor client anyways? I've never seen a Tor client ship in a logging debug mode. But I haven't taken Tor terribly seriously for years. Did they start doing it wrong?

3. The contents of the data that is being sent to Microsoft is entirely knowable. I'm waiting for a security researcher to just do it. I suspect most of what we see is something along the lines of standard app telemetry for core apps.

The amount of FUD that has been brought to bear against MS for this practice is pretty unsurprising given the scroogled campaigns, but it's funny to see a bunch of 3rd parties buy into it while posting from Macs that do the same thing.

Good points about the ISP. But don't we have pretty good evidence for apps installed being tracked? Installed apps are certainly recorded with the windows install system. Login and app use are both recorded in logs -- I'm pretty sure when they say they are collecting general use information to improve the windows experience it means they are sending those logs back to MS.

Edits: clarity

As a note "no integrated TPM" is common among retail machines too. TPMs are generally shipping with business line PCs just as Dell OptiPlexs and Latitudes, but not with consumer PCs like Dell Inspirons and Vostros.

Dell Vostro is a business line, but it's the cheapest one and doesn't always have "pro" features like TPM and vPro.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact