The US House Committee on the Judiciary met on Wednesday to hear testimony on the government's practice of secretly subpoenaing cloud service providers, and Microsoft was happy to oblige.
Tom Burt, Microsoft's veep of customer security & trust, testified as a representative of cloud service providers. He revealed that Microsoft is presented with 7–10 secrecy orders per day from federal law enforcement. These comprise a quarter to a third of all legal demands Microsoft receives, he said.
Burt referred to law enforcement's court-mandated secret targeting of Americans' emails, text messages, and other sensitive data stored in the cloud as shocking in how routine it had become.
"The fact that law enforcement requested, and courts approved, clandestine surveillance of so many Americans represents a sea-change from historical norms," said Burt. He clarified that the practice wasn't exclusive to one party or the other, but rather "an ongoing problem since the ascendancy of cloud computing."
Hearst Corp's Chief Legal Officer, Eve Burton, also told the committee that "the same protections must apply whether the information is sought in an office file or on a cloud server across the country or across the world."
Nadler said that "technology has vastly outpaced the law when it comes to the government demanding your data from a third-party provider," and "the gag orders accompanying those demands have become standard practice in cases where timely notice would make far more sense."
Who's watching who?
The hearing, titled "Secrecy Orders and Prosecuting Leaks: Potential Legislative Responses to Deter Prosecutorial Abuse of Power", was inspired by revelations that the Department of Justice during Donald Trump's presidency secretly sought phone records of political opponents, their families, and journalists for investigations.
"In the 21st century, federal prosecutors no longer need to show up to your office. They just need to raid your virtual office. They do not have to subpoena journalists directly. They just need to go to the cloud," said House Judiciary Committee Chairman Jerrold Nadler (D-NY) in his opening statement. He later added that unlike hardware, the cloud subpoenas could be done in secret, essentially "[denying] American citizens, companies, and institutions their basic day in court."
George Washington University Professor and legal scholar Jonathan Turley clarified in testimony that to seize content on a computer or the cloud, law enforcement needs a warrant. However, to gather metadata only a subpoena is necessary. The metadata contains vital indicators such as senders, IP addresses, subject headers, and more.
Turley further explained to Representative Ted Lieu (D-CA) that grand juries can issue a subpoena for the cloud metadata at a "standard lower than probable cause." While judges supervise the procedure, in most cases the subpoenas are issued with very little review.
Turley called the belief that the cloud has adequate data protection in this capacity "a myth". ®