Microsoft alarmed by secrecy provisions in CLOUD Act-readying bill

Microsoft has called on the federal government to remove secrecy provisions in its proposed reciprocal data access regime for law enforcement agencies that would prevent service providers from notifying their customers of data access requests.

The company also wants separate rules for service providers that serve business and government enterprises to ensure that investigators seek data directly from the customer.

In a submission [pdf] to the parliamentary joint committee reviewing the Telecommunications Legislation Amendment (International Production Orders) Bill, Microsoft said the complete ban on disclosure meant citizens would never know if a data request took place.

“The proposed bill imposes a blanket prohibition on service providers notifying their customers of an international production order (IPO) targeting their data and does not require the government to ever notify the target of surveillance that their data has been examined,” it said.

“Absent such protections, citizens will never know if the government has sought and reviewed their communications or sensitive data.”

The bill, which is currently before the Parliament, intends to establish a new framework under the Telecommunications (Interception and Access) Act to allow for “reciprocal cross-border access to communications data” for law enforcement purposes.

It is necessary for Australia to enter into future bilateral agreements with foreign governments, including the United States under the CLOUD Act.

Law enforcement and national security agencies, both in Australia and overseas, will be able to access data directly from service providers using international production orders, as long as international agreements are in place.

Microsoft said that while “investigations occasionally require secrecy”, this should be the “exception not the rule” and that “everyone has a fundamental right to know when they have been the target of a government investigation or surveillance request”.

“A data owner’s right and control over its data should not be fundamentally altered because it has chosen to move that data to a secure cloud rather than maintain it on-premises,” the submission states.

Microsoft said investigators should be “required to make their case for secrecy to an independent authority” and provide justification using “case-specific facts”.

“Any nondisclosure or secrecy order imposed on a cloud provider must be narrowly limited in duration and scope and must not constrain the provider’s right to speak any more than is necessary to serve law enforcement’s demonstrated need for secrecy,” it said.

“At its core, we believe that law enforcement’s need for secrecy cannot be indefinite.

“Notice and government transparency when the government has reviewed a particular person’s communications and sensitive data increases trust in government, in law enforcement, and in technology.”

Microsoft is also concerned that the “disclosure between related bodies corporate in the same group - such as between a Microsoft Australia employee … and an employee in the US … who may then use that information pursuant to US law” is not “readily cover[ed]” in the law.

Such concerns were similarly raised in another piece of controversial legislation, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act, which prevents - or at the very least limits - internally communication about actions taken.

“This could unintentionally prevent a global company from communicating internally with its counsel and corporate leadership in relation to compliance with legitimate demands,” the submission states.

“We recommend the [parliamentary committee] consider stronger protections in the bill for the disclosure of IPOs to the target of the order, even if it was only after the investigation has concluded and the risk to the investigation has passed.

“We also recommend adding a provision that would permit the Australian Designated Authority to notify any third country whose citizens may be impacted by an order prior to execution, unless this would present a risk to the investigation.”

Accessing enterprise data

As the bill currently stands, law enforcement agencies will be able to seek data directly from service providers, including those that serve businesses and government enterprises.

But Microsoft, like Google, believes that given the increasing shift to the cloud, organisations should continue to have a “right to control their data and receive investigatory demands directly”.

“Absent extraordinary circumstances, seeking data directly from enterprises will not compromise a law enforcement investigation or result in a danger to public safety,” it said.

“We believe that Australia should formalise this approach by either excluding enterprise data from the scope of the IPO bill or by incorporating binding limitations into the IPO bill that codify these existing best practices.”

Microsoft said these best practices could be informed by the approach in the Assistance and Access Act, whereby a distinction between a cloud provider and enterprise customer was introduced on “how the term ‘proportionate’ should be interpreted”.

“At this stage the IPO bill does not have similar guidance, nor does it acknowledge the commercial relationship that exists between a designated communications provider such as a cloud service provider and an enterprise or government customer, where the cloud service provider does not control their end user’s data,” the submission states.

“Alternatively, rather than an absolute carve-out, there could be a requirement that the judicial officer not make an order unless satisfied that the requesting agency could not feasibly obtain the information directly from the customer of the designated communications provider.”

Microsoft also holds concerns with the limited ground for challenging orders made under the bill, despite the explanatory memorandum stating that “other review rights or remedies [are] available under Australian law”.

“The bill should explicitly provide a basis to challenge IPOs that are overbroad, abusive, violate the terms of an international agreement or are otherwise unlawful,” it said.

There is also “no clear legal basis for service providers to challenge IPOs that would force them to violate the laws of a third country”.

“Without such mechanisms, the IPO could lead to more conflicts of law and defeat the spirit and intent of intentional agreements envisioned by the CLOUD Act,” Microsoft said.