Microsoft indicates to a Congressional subcommittee that it will ask for reforms to the Electronic Communications Privacy Act of 1986, particularly taking into account the evolution of the cloud and the increasing ability of users to store personal data both on the Web and in localized storage devices. Microsoft acknowledges the tightrope of sorts that exists between its users' need to protect their data and requests by law enforcement to have access to that data under certain circumstances. In February, Microsoft tried to shut down Cryptome, which published an internal document delineating many of Microsoft's policies in this particular area.
Microsoft indicated its opinions on the Electronic Communications Privacy
Act of 1986 during Congressional testimony on May 5, arguing that the
legislation must be revised to more effectively guard users' privacy in the era
of cloud computing.
"From our vantage point, we have seen the full arc of how online
services have evolved over the time since ECPA was passed in 1986,"
Annmarie Levins, Microsoft's associate general counsel and overseer of the
Microsoft Digital Crimes Unit, said in remarks before the U.S. House of
Representatives Subcommittee on the Constitution, Civil Rights and Civil
Liberties. "It is our experience that the state of the law has not kept
pace with developments in technology."
Specifically, Levins said, the law has not kept pace with the cloud and the
increased ability to store personal data on the Web as well as local storage
devices. Microsoft apparently sees the growth of the cloud as being ultimately
dependent on whether users' "reasonable expectations" of privacy are
met by current regulations.
"Quite simply, the basic technological assumptions upon which the Act
was based and the nature of the protection afforded to stored electronic
communications have not kept pace with the many innovations in online computing
over the last 25 years," Levins said. "For example, ECPA extends
greater privacy protections to e-mails stored for less than 180 days than e-mails
stored for more than 180 days."
But Microsoft also has a tightrope to walk between user privacy and the government's
need to conduct investigations, as demonstrated by Levins' assurances to the
committee that Microsoft "in no way seeks to undermine the legitimate
interests of law enforcement in obtaining access to electronic data in third-party
In particular, "Microsoft supports changes that will ensure that
individuals and businesses do not suffer a decrease in their level of privacy
protection when they move data from on-premises computers to the cloud,"
Levins added. However, she said, "Microsoft also recognizes the legitimate
needs of government investigators in obtaining access to data in the
More specific proposals for reform will presumably be offered at a later
Microsoft attempted to use legal means to shut down Cryptome,
a watchdog site, which published a leaked document entitled, "Microsoft
Online Services Global Criminal Compliance Handbook." Among other things,
the document broke down how long Microsoft retains IP connection history
records, user-provided registration data, IP addresses and dates of uploaded
content, and other transactional records for a variety of its services,
including Microsoft Office Live, Xbox Live, Windows Live, Windows Live
Messenger, Hotmail, MSN Groups, Windows Live
ID and Windows Live Spaces.
Microsoft, however, subsequently changed its mind. "While Microsoft has
a good faith belief that the distribution of the file that was made available ...
infringes on Microsoft's copyrights, it was not Microsoft's intention that the
takedown request result in the disablement of Web access to the entire
cryptome.org Website," Evan Cox, outside counsel to Microsoft, wrote in a
Feb. 25 e-mail to the administrators of Cryptome's host. "Accordingly, on
behalf of Microsoft, I am hereby withdrawing the takedown request."
The document, which delineates Microsoft's policy on the user information it
can provide to law enforcement, can be found