How Tech Companies Can Fight for Their Users in the Courts
There are a lot of political uncertainties around the incoming Trump administration, but the threats to civil liberties are potentially greater than ever. President Obama failed to rein in the surveillance state, and Mr. Trump has nominated cabinet members like Mike Pompeo who are big fans of bulk surveillance. Now, given Mr. Trump’s campaign posture of being a “law and order” candidate who has openly criticized Apple for standing up for strong encryption, tech companies need to be even more vigilant in fighting for their users in the courts.
EFF stands ready to support those who will be pioneers in these efforts. Below, we highlight a few ways companies can stand up for their users, along with some prominent examples of from the past. In addition, for the last six years EFF has produced an annual “Who Has Your Back?” report evaluating the practices of technology companies in categories such as insisting on a warrant for user content and issuing transparency reports. Companies can look at these reports to get a sense of best practices in the industry.
Pushing Back Against Overbroad and Unlawful Requests for User Information
Because they tend to hold lots of user data, tech companies get a lot of requests for this information from the government—warrants, subpoenas and other court orders—and not all of them are valid. These requests can have many deficiencies, ranging from being overly broad to downright getting the law wrong. Companies should publicly push back against these deficient requests in favor of proper legal processes rooted in well-established law.
Perhaps most famously, Yahoo challenged a secret order the company received in 2007 to produce user data in bulk under a just-passed law giving the NSA warrantless surveillance authority. Instead of blindly accepting the government’s constitutionally questionable order, Yahoo fought back and challenged the legality of the order in the Foreign Intelligence Surveillance Court (FISC), the secretive court that routinely grants expansive government applications for surveillance. Though Yahoo ultimately lost the battle, we applauded the company for silently fighting for its users because it was right thing to do.
Other prominent examples of this in recent years include Microsoft’s successful challenge of a search warrant that required the company to produce email content stored in Ireland. Microsoft fought to establish the precedent that warrant issued by a U.S. federal court under the Stored Communications Act (SCA) does not allow law enforcement to get user data no matter where it’s located in the world.
Beyond the context of government data requests, CloudFlare has pushed back against court orders that are aimed at pressuring Internet intermediaries into becoming Internet censors on behalf of rightsholders. Taking action against these potentially dangerous legal instruments also deserves recognition.
Fighting Against National Security Letters and Unconstitutional Gag Orders
In addition to fighting improper requests for information, companies can play an important role by publicizing these requests as part of regular transparency reports. But one thing that often stands in the way of publishing a fully honest transparency report is a gag order, particularly in the national security context. Companies may receive government data requests that come with mandatory gags, preventing them from notifying their users of the request and in some cases even forcing them not to acknowledge they have received a request at all. While there may be circumstances where the government has good reason to prevent a company from informing the target of a data request—if it would truly compromise a sensitive investigation or endanger someone’s life, for example—the Constitution requires that these gag orders be very tightly controlled.
Perhaps the most egregious example of unconstitutional gag orders are national security letters (NSLs), which allow the FBI to request user information from communication service providers and force the providers to stay completely silent about the request for a potentially unlimited time, just on the FBI’s say-so. With help from courageous NSL recipient companies, EFF has been fighting to get the NSL statute struck down and establish the principle that the First Amendment requires a court to promptly assess the true need for a gag order in every case. Recently, we were able to reveal that one of our clients is CREDO Mobile, which has been fighting NSLs for years, and we also successfully pushed back against an NSL on behalf of the Internet Archive. Other companies such as Google and Yahoo have been publishing NSLs when allowed to do so by the FBI.
Outside of NSLs, Microsoft recently went above and beyond by filing a straight-up challenge to another law that allows the government to get indefinite gag orders when seeking access to its customers’ stored email and other content. As Microsoft pointed out, an astoundingly high percentage of these gag orders last indefinitely, even though the First Amendment requires they be limited in time and scope and the Fourth Amendment requires that users get notified at some point about these searches. EFF filed an amicus brief in support of Microsoft’s lawsuit, and we commend the company’s efforts to set an important and far-ranging legal precedent.
Resisting Demands for Encryption Backdoors
Anyone familiar with EFF’s work knows that we are big supporters of strong encryption because it is crucial for our collective security, privacy, and free expression. Government officials may renew their calls for encryption “backdoors”, where an encryption system is intentionally weakened so that government can access data with a court order. But this is a nonstarter. Encryption is fundamentally math, and you can’t manipulate math problems to be solved only by one particular group of people, i.e. the government. Additionally, designing secure systems is already hard enough, and intentionally introducing vulnerabilities is a recipe for disaster.
Apple recognizes this and bravely resisted the government’s demand for it to intentionally weaken the security of its mobile operating system, iOS. Despite immense pressure from some public figures including Mr. Trump himself, who called for a boycott of Apple products, the company did the right thing and stood up for its users’ privacy and security. Similarly, other tech companies have taken strong stances in support of encryption and should resist and fight back against future government demands for encryption backdoors, or pressure to redesign their systems for ease of government surveillance.
We hope that companies will severely limit what information they collect and keep on their users in the first place. Regardless, there is a strong possibility that the incoming administration will be more aggressive in its desire to get whatever information companies have, and companies should be prepared for that scenario.
When we launched our inaugural Who Has Your Back Report? in 2011, tech companies largely weren’t fighting for their users in courts. Out of 13 major companies of the time, only 3 were meaningfully engaged in the practice. Thankfully, by 2014, things were a lot different. Out of the 26 companies we surveyed, 13 were standing up for their users in courts in some manner. The industry has made significant progress, but more can be done, by more companies and in more areas.
The political climate may present tech companies with plenty of opportunities to fight for their users in the courts, and we hope they’ll be ready. We will be here to support them.