Microsoft’s Brad Smith talks privacy, Snowden and international law

‘People have important privacy rights in their personal information,’ says Smith

Microsoft general counsel and executive vice president Brad Smith. Photograph: by Stephen Brashear/Getty


Few people at Microsoft can have the detailed and nuanced understanding of the company’s friction points – exposed via its legal challenges and policy battles – as Microsoft’s number two in command, Brad Smith. Microsoft’s chief legal officer (and as of last year, president under chief executive officer Satya Nadella) has been 23 years with the Redmond, Washington technology giant. Thus, he’s been to the forefront of several of the defining international cases and the legal growing pains of technology’s post-1980s explosion, such as the huge US v Microsoft antitrust case that convulsed the industry in the 1990s through early 2000s.

And – still unusual for US technology behemoths – he has increasingly shown he understands Europe at a pragmatic and policy-driven level. The company has pushed the US and Europe to find common ground on the controversial and pressing business and privacy issue of transatlantic data transfers. And, this summer, the company successfully mounted a legal challenge to US government demands that Microsoft hand over emails held in its Dublin data centre.

Smith’s first role with the company was as its Paris-based associate general counsel for Europe. Though Microsoft was initially combative with Europe during nearly two decades of threats and investigations, under former chief executive Steve Ballmer’s watch – and with Smith at the helm as general counsel – Microsoft moved to settle cases and ease tensions.

Privacy

These days, and despite criticism of the security and privacy protections in its own products such as Windows and Skype, Microsoft has become the company to watch at the big-picture level of data protection and privacy. It has now taken four cases against the US government, including a recent challenge to gag orders on data warrants and advocated for Privacy Shield, the data transfer agreement to replace the discredited Safe Harbour.

All that is largely down to Smith. Even well-known privacy and security expert – and regular Microsoft critic – Bruce Schneier recently noted in a blogpost that an article by Smith suggesting the steps international policy and law makers needed to take to improve privacy and data protections were “a good place to start for this set of issues”.

On a visit to Dublin this week, Smith noted that those past tribulations (including the company being named by Edward Snowden as one of those whose data was tapped by authorities in the US; Microsoft has insisted without its complicity or knowledge) have definitely informed the active legal role the company is taking now.

“Like all things it’s a journey. Like all things, you hope to get smarter as you go farther and I think we have from our experiences. I would be the first to say we’ve made our share, and maybe more than our share, of mistakes over the years. But we have definitely learned from them and I think out of that learning there is a more proactive focus.”

He says the company has learned “the importance of standing up for privacy rights. To some degree, I think our whole industry needed to react to what we learned in the wake of the Snowden disclosures. We learned things of which we were not aware. And we came away from that with a renewed determination to protect privacy and I think what we at Microsoft were able to do was harness all the learning we had gained through all the legal issues around the world, and really use that to be more proactive.”

Though the US government could request a rehearing of the internationally-watched email case, or ask that it be heard by the US Supreme Court, Smith says he’s optimistic the Second Circuit Court decision will stand. The court agreed with Microsoft’s argument that an old 1980s law on telecommunications did not imply the US government could demand emails held outside the US, without a warrant and using the existing international treaty process.

Optimistic

“The reason I’m so optimistic is frankly, the logic that was adopted by the Second Circuit is clear, it is compelling, it’s very consistent with traditional American legal principles. The court of appeals basically adopted what we’d been saying from the outset, that US law doesn’t reach outside the United States unless Congress specifically says that it intended it to do so, and Congress never said it intended, or said it intended to do so, when it passed this law in 1986.”

He hopes governments will now “focus on what the law should be for the future, and what kind of new international treaties we need. I think that’s where the debate should go”.

Governments could streamline the creaky and slow treaty process, for one. “If people come together to figure out a way to move faster, I’m quite confident that some steps can be taken even under the laws that exist today, and the Irish government has made it very clear that it is committed to close collaboration in a proper way with law enforcement in the United States. But then the bigger question is, can we create new laws that meet the needs of the 21st century and I think we’re starting down the path to do that. There’s legislation in Congress that’s been endorsed by leaders in both parties and both houses, there’s a new international treaty that’s been negotiated between the United States and the United Kingdom, so new models are starting to emerge and that’s what we really need.”

We need, he says, “a new generation of international law that meets the needs of a new generation of global technology”. A new generation of law should embody that “first, people have important privacy rights in their personal information. When their data moves across borders, their privacy rights need to move with it. So we need to find ways for governments to recognise the continued application of privacy rights under people’s local laws.

“But then this needs to be combined with the second thing, which is a new process by which law enforcement can file a request to obtain the information that is relevant to public safety but do so in a way that honours people’s local privacy rights. That’s fundamentally what the US/UK treaty seeks to do. You know, this is not the easiest problem to solve but it’s not the most difficult, either. There are other more difficult problems in the world, frankly. So I’m a firm believer that if people put their minds to this with a sense of urgency, they can make substantial progress in a short period of time.”

The way to start is “with a couple of bilateral treaties to get the model right. Once one gets some bilateral treaties then it can become multilateral and the obvious place to have a multilateral is across the Atlantic.”

Having won three cases against the US, Microsoft opened another front last spring when it charged the US government with unlawfully using the 1986 Electronic Communications Privacy Act to breach the First and Fourth Amendments to the US Constitution – which protect basic rights in the US – by forcing companies to comply with secret search warrants and gagging their ability to inform customers.

“What we saw when we really looked at all the search warrants that we were getting in the United States was that a distressingly high number had secrecy orders that literally last forever. So over 18 months we’ve received over 2,000 of these orders with these perpetual secrecy orders. And that struck us as disproportionate to the issues at hand, and the need for secrecy. We definitely appreciate that there are cases where there is a need for secrecy. I think we can question whether secrecy needs to last forever. Even military secrets are declassified eventually.”

He says “it’s unfortunate that there’s such a high number of search warrants where people will never know that the government accessed their emails. So we brought a lawsuit challenging the constitutionality of these kinds of increasingly routine and perpetual secrecy orders.”

The case is in an early stage of litigation, with the first briefing recently completed before the First District Court in Washington State.

More than 90 individuals and groups have joined the case on Microsoft’s side in amicus briefs – offering to provide informed advice to the court, among them many leading companies across the tech sector, as well as privacy advocates, and the broader business community.

“Interestingly, it includes a number of former US government officials, former US attorneys and the former head of the FBI. So there’s this very uniform view among all these people that affirm both the breadth of the government practice that we have experienced, and are attesting to the sense that we need a new balance. And that’s what I hope this case can bring; inject some new balance where it feels like we’ve lost that balance in recent years.”

Given that he credits Snowden’s disclosures as a significant driver for Microsoft’s resolve to back greater data privacy, does he believe the former CIA contractor should be pardoned by the US government?

“I think it’s hard for anyone to offer a clear point of view without knowing all the facts. He definitely informed all of us around the world of important issues and circumstances of which we were not completely aware, but there’s a lot more involved in that and I don’t have all the facts. So I think it’s a mistake to offer an opinion.”

Definitely spoken like a seasoned lawyer.