Microsoft Asks for Electronic Privacy Act Reform

Microsoft indicates to a Congressional subcommittee that it will ask for reforms to the Electronic Communications Privacy Act of 1986, particularly taking into account the evolution of the cloud and the increasing ability of users to store personal data both on the Web and in localized storage devices. Microsoft acknowledges the tightrope of sorts that exists between its users' need to protect their data and requests by law enforcement to have access to that data under certain circumstances. In February, Microsoft tried to shut down Cryptome, which published an internal document delineating many of Microsoft's policies in this particular area.

Microsoft indicated its opinions on the Electronic Communications Privacy Act of 1986 during Congressional testimony on May 5, arguing that the legislation must be revised to more effectively guard users' privacy in the era of cloud computing.

"From our vantage point, we have seen the full arc of how online services have evolved over the time since EPCA was passed in 1986," Annmarie Levins, Microsoft's associate general counsel and overseer of the Microsoft Digital Crimes Unit, said in remarks before the U.S. House of Representatives Subcommittee on the Constitution, Civil Rights and Civil Liberties. "It is our experience that the state of the law has not kept pace with developments in technology."

Specifically, Levins said, the law has not kept pace with the cloud and the increased ability to store personal data on the Web as well as local storage devices. Microsoft apparently sees the growth of the cloud as being ultimately dependent on whether users' "reasonable expectations" of privacy are met by current regulations.

"Quite simply, the basic technological assumptions upon which the Act was based and the nature of the protection afforded to stored electronic communications have not kept pace with the many innovations in online computing over the last 25 years," Levins said. "For example, ECPA extends greater privacy protections to e-mails stored for less than 180 days than e-mails stored for more than 180 days."

But Microsoft also has a tightrope to walk between user privacy and the government's need to conduct investigations, as demonstrated by Levins' assurances to the committee that Microsoft "in no way seeks to undermine the legitimate interests of law enforcement in obtaining access to electronic data in third-party hands."

In particular, "Microsoft supports changes that will ensure that individuals and businesses do not suffer a decrease in their level of privacy protection when they move data from on-premises computers to the cloud," Levins added. However, she said, "Microsoft also recognizes the legitimate needs of government investigators in obtaining access to data in the cloud."

More specific proposals for reform will presumably be offered at a later date.

In February, Microsoft attempted to use legal means to shut down Cryptome, a watchdog site, which published a leaked document entitled, "Microsoft Online Services Global Criminal Compliance Handbook." Among other things, the document broke down how long Microsoft retains IP connection history records, user-provided registration data, IP addresses and dates of uploaded content, and other transactional records for a variety of its services, including Microsoft Office Live, Xbox Live, Windows Live, Windows Live Messenger, Hotmail, MSN Groups, Windows Live ID and Windows Live Spaces.

Microsoft, however, subsequently changed its mind. "While Microsoft has a good faith belief that the distribution of the file that was made available ... infringes on Microsoft's copyrights, it was not Microsoft's intention that the takedown request result in the disablement of Web access to the entire Website," Evan Cox, outside counsel to Microsoft, wrote in a Feb. 25 e-mail to the administrators of Cryptome's host. "Accordingly, on behalf of Microsoft, I am hereby withdrawing the takedown request."

The document, which delineates Microsoft's policy on the user information it can provide to law enforcement, can be found here.