Brad Smith: ‘Privacy and Trust in the Cloud’

 

BRAD SMITH: (Applause.) Thank you. Well, we are now establishing that all of you speak English much better than I speak German. But a big thank you to Shelly. It’s terrific to have her here in Berlin and in Germany leading our team here.

Thank you all for coming this evening. I wanted to take some time this evening and talk to you about an issue that’s obviously of great importance to our industry, which is the issue of trust in computing. And, specifically, how we go about thinking about and, frankly, rebuilding trust when it comes to the computer industry?

It’s an important topic, not surprisingly, for those of us at Microsoft. If you think about Microsoft, we’re a company that next year will be 40 years old. That’s a bit of a challenge because we like to think of ourselves as a young company. But I think when you approach the age of 40, that gets increasingly difficult.

Now, in a sense, if you go back to the company’s founding, many people are aware of the fact that it was created by these two individuals, one of them graduated from college and the other dropped out. Bill Gates dropped out. He joined Paul Allen. And they went off to create this company they named Microsoft.

And they did it with a particular vision in mind. It was a vision that said that there would be an opportunity for somebody to create what people would think of as a genuinely personal computer.

This was actually a radical idea at its time in 1975. Because when Bill and Paul first had this notion, computers were about the size of this room. And, in fact, when they went out and they said that they were going to create a personal computer, their first vision statement was that they would make it possible, eventually, for there to be a computer on every desk and in every home. That was Microsoft’s first tagline, if you will.

Now, at the time, the CEO of the second largest computer company in the world said, and I quote, “There is absolutely no reason that anyone would ever want to have a computer in their home.” That company no longer exists, which is probably not a surprise.

And, yet, here we are 39 years later and certainly in countries like Germany and cities and capitals like Berlin, there are computers on most desks, and there are computers in most homes.

Not only that, there are computers in most pockets or most purses. It’s the computer that we call our smartphone.

So we’ve entered a world where these computing devices offer tremendous promise and power for people. And, yet, here we are in the year 2014 at precisely a moment when you might think we would stop and celebrate what computing can do for people as genuinely personal devices. And, instead, we’re confronting a moment of great questioning, of uncertainty, even of controversy for this technology.

And the issues that are raised are fundamentally about trust. Now, in many respects, these issues predate last June when Edward Snowden took four laptops and got on a plane from Honolulu to Hong Kong. But, of course, these issues have been changed perhaps forever by virtue of the disclosures of the last 11 months.

And what I want to do is offer a little bit of a personal reflection on what we’ve been working through at Microsoft as these issues have arisen. But more importantly, I’ll talk about the broader issues that are raised and what we need to think about as we move forward. I’ll talk a little bit about what we’re doing as a company to address them. And I’ll talk about our views about what the United States and other governments need to do, in our view, to address them.

I’ll talk about how they connect to broader issues of privacy. And I’ll talk about, finally, how, in a sense, this is a global issue that is going to require genuine international discussion if we’re going to make real progress.

Government Surveillance Issues

Like you, we at Microsoft first started reading about these stories in the news last June. And to be honest, when we first read about them, we frankly found them rather confusing. Because they started to talk about a program at the National Security Agency, the NSA, called PRISM. And one of the first stories that was written said that companies across the IT sector, including Microsoft, were part of this PRISM program.

We had no idea we were a member. We had never volunteered. No one had informed us that we were involved.

And it was, frankly, one of the more challenging issues we’ve had to deal with because, as you can imagine, you get a phone call from a journalist, the journalist has a document, the document has your company’s name on it, but you’ve never seen the document. You’ve never met the person who wrote it. You may not even know who wrote it and you’re left trying to decipher it.

Well, in order to decipher it, one actually needs to go, frankly, talk to the United States government in some instances. And it turns out that often times the information is classified. So it becomes a bit of a mysterious exercise even to sort it out.

One of the biggest challenges that we found ourselves facing as a company last June, July, and August — which I think we felt we were facing together with other companies in our industry — was trying to make sense of what was being reported. Because what was being reported was that the NSA had amassed a very large database of people’s information.

And, yet, what we knew was that we had responded to what we felt was a, relatively speaking, small number of legal orders to provide content and other data to the government.

And we had a hard time reconciling how there could be such a large database, on the one hand, when we had provided a relatively small amount of data on the other.

To this day, most of us in the industry feel that the key that unlocked that mystery was probably a story that was published in the Washington Post on the 30th of October last year. Because on that day, the Washington Post, a fellow named Bart Gellman, one of the individuals who just won a Pulitzer Prize, reported that the NSA either by itself or in collaboration with another government had tapped or hacked into the data of Yahoo and Google. Not with their permission. In fact, not even with their knowledge.

And while, of course, to this day we don’t know everything about what happened, we don’t have any evidence because no one has ever told us that any similar thing happened with Microsoft or other companies, we naturally have had to assume that that is likely to have been the case.

And if nothing else, it explains how we could provide relatively little information and the government could, nonetheless, end up with quite a bit.

And that has really led us as a company, sometimes on our own and sometimes in collaboration with others in our industry, to focus on what we felt we needed to do.

And the steps that we’ve taken have broadly fallen into a few different categories. The first category is steps we feel that we’ve been able to take as a single company. Now, some of these steps are actually similar to steps being taken by other companies, and that, broadly speaking, is a good thing. And in some areas, we’ve taken steps that others have not, or at least not yet.

Microsoft’s Steps to Protect against Government Snooping

You know, the first step we took was to announce in late November that we would strengthen the encryption protection for all of our services. We would double the encryption key length for our services, and we would implement this by the end of calendar year 2014, this year, and we would do it for what’s referred to as “data in transit” — data that’s moving along a cable, for example — and data at rest – data that is stored on a server computer in a datacenter, for example.

That seemed to be a right first step. If one is trying to protect against hacking of customer data, encryption is certainly one of the best steps that we can take to make that substantially more difficult. So we announced that step.

A second step that we announced at the same time is that we would open transparency centers around the world so that government officials who were concerned about our source code could come in and inspect the code.

Our policy is very simple and it’s clear: We have no back doors to our software. We do not provide governments with encryption keys to our software. We do not help governments break encryption for our software. But we understand that, especially in light of the disclosures of the last year, people have questions. They want to see for themselves.

And governments, of course, in the current day and age have very sophisticated tools that they can use. And we have tools that we can let them use as well to inspect our source code.

So we said we would open new transparency centers to permit them to do that. We are opening such a center in Brussels so that governments across Europe can come and take a look themselves.

In a sense, this fits, for us, in a broader array of steps we’re trying to take. And it’s reflected, frankly, even in where we’re sitting and meeting this evening. We are clearly in an era where it is more important that technology companies like Microsoft be more accessible to people, that we make it easier for people to come and interact with us. We need to create venues where we can have real conversations and share more information and let people see technology in new ways. What you see in Berlin here this evening is one vey concrete manifestation of this kind of step.

Now, so far, we’ve created this kind of center in Berlin and Brussels and Beijing and Washington, D.C. And we hope to do it in other places as well. And these transparency centers are one of the most concrete steps we can take to enable governments to inspect what we are doing.

We did a third thing in November as well. And it was interesting because when we announced it, almost no one paid attention at the time. And in hindsight, it’s a little bit surprising because by January, what we had started to do in November became front-page news in the Financial Times and around the world.

We announced in November that we would put contractual commitments behind the steps that we were taking to protect customers. And, specifically, we said that we would put two kinds of provisions in our contracts. The first is we would pledge to enterprise customers — which include governments, businesses, NGOs — that if the U.S. or other governments came to us in a national security investigation, for example, seeking their customer content, we would turn the government down.

And we would tell the government that instead of coming to us, they should go to the customer. And in a sense, the rationale for this is pretty straightforward. In a national security investigation, a government almost always is investigating not an organization, but individuals – individuals who are suspected of engaging in terrorist activity or threats to public safety or national security.

And if it happens to be the case that such an individual works for an employer, then our view is that the government should go to the employer and ask the employer for that information, not Microsoft, simply because we happen to have a datacenter where that content for that employer happens to be stored.

So we said we would commit contractually that we would tell governments this, and if we needed to do so, we would go to court in the United States and litigate to uphold the right of the customer to be informed and make that decision.

Now, as you all well know, some of these issues are covered by national security classifications, so I can’t always talk about everything. But I can say this: We have never, not even once as a company, been obliged to turn over to the United States government in any kind of national security matter the content of such an enterprise customer without first notifying the customer and getting the customer’s consent. We have never been obligated to do that. And we’ll continue to take the position that we should not have to do so in the future.

Now, there was a second contractual promise that we said we would make in November as well. We said that we would take the position with the United States government that if it sought to serve a warrant on Microsoft, seeking data that was exclusively held in a datacenter outside the United States, that we would go to court to argue that U.S. warrants do not reach beyond U.S. territory.

And this was printed in the Washington Post, it devoted all of one paragraph to it. And interestingly enough, it wasn’t until I was in Brussels in January talking with the Financial Times when a reporter asked the obvious question, “Oh, does that mean you have the ability to keep this data in datacenters outside the United States?”

And I explained how we had made this promise to enterprise customers and for enterprise customers, we absolutely — in Europe — have this ability. We have a datacenter in Ireland, we have a datacenter in the Netherlands. We’re building other datacenters around Europe. And we can ensure that the content data, the e-mail for example, the Word documents, the Excel files, everybody’s PowerPoint slides in a service like Office 365, if you’re a European enterprise customer, actually remains in Europe.

And the next day or the day after, the front-page Financial Times headline was all about Microsoft protecting customers by shielding data from entering the United States. So that is the kind of step that we have felt it’s important to take.

And in other parts of the world, we will have to complete the construction of certain datacenters in order to ensure that on some other continents, we can offer to them what we’re already offering to enterprise customers in Europe. But we’re focused on moving down that path.

So you can see this combination of steps – stronger encryption, transparency centers, contractual promises, hosting and keeping content data outside the United States and in Europe. We’ve taken steps to offer customers the kind of steps, the kind of protection that we have heard loud and clear people are looking for.

So that’s the first area we’ve focused on. And, to be honest, this is not something where I think one can stand here in late May and say, “We’re done.” Because this issue is continuing to evolve. New questions may arise. And we recognize as a company that if customers have needs, we need to be prepared to meet them. And it’s, frankly, through the kinds of conversations that I have had in a place like Berlin today that we’re able to keep thinking about additional steps we might need to take. But that’s the first thing we’ve focused on.

The Need for Law and Policy Reform

The second thing that we have focused on is the reform of law and policy in the United States. Because we believe that law and policy have been in need of reform.

Now, this was really galvanized for our industry, the IT sector, by the Washington Post story at the end of October that I mentioned.

We had been talking with each other in the industry. I had been talking with my counterparts, the other general counsel in the industry. We felt that there was a common sense of concern at the same time that it was unclear to us what had really been happening.

And it was that Washington Post story that really, I think, was almost something of a political earthquake across the IT sector. It really galvanized companies to come together and advocate together for reform of government surveillance rules.

Basically, within a month of that story, eight companies came together. Companies like Microsoft, Apple, Google, Facebook, Yahoo, Twitter, LinkedIn and the like — AOL. And we announced a set of principles that we said we would advocate in Washington, D.C. together.

We said, for example, that there needed to be more transparency, that there needed to be greater controls put in place. There had to be better accountability. In short, there needed to be some broad reform of government surveillance laws in the United States.

And we have started to see some steps emerge. And in our view, more steps are needed. I think that is the right way to think about the state of this field in the United States when it comes to government policy and U.S. law. Steps have begun to emerge; more steps are needed.

President Obama met with technology executives at the White House in the middle of December. I was one of the individuals present for that meeting. He had a group of experts that he had arranged to advise him between September and December. He gave a speech in Washington, D.C. on the 17th of January. In that speech, I do believe that President Obama framed one aspect very well. He said that the country needed to think about a new balance – a balance between national security on the one hand and personal privacy on the other.

If you think about American history, it has certain similarities to history in Europe and elsewhere. It is not unusual in a time of war or national emergency for the pendulum to swing towards stronger protection of national security. And then, inevitably, invariably, the pendulum swings back.

In the United States, this first happened in the Napoleonic War when the nation was only on its second president. It happened in the Civil War in the 1860s. It happened in World War II when President Roosevelt took the extraordinary step of interning Japanese Americans solely because they were Japanese American.

And yet, after each of those episodes ended, people stepped back. The moment of crisis passed, and there was a broader debate. People asked themselves: What was the right balance for the future between national security and personal privacy?

In the same way, I think President Obama was right to say in January that the moment for such a debate had arrived. In fact, one might well suggest that the moment arrived a few years ago and that this debate was overdue. But it is an important debate, it is a healthy debate, and it is a debate that needs to take place.

Now, President Obama’s speech in January was long on principle, but a bit short in terms of concrete steps. And I think what’s interesting for all of us to think about is the concrete steps that have been taken since his speech, and the concrete steps that, in my opinion, still need to be taken.

One of the issues that had galvanized our industry was the need, in our opinion, for greater transparency. When these issues first arose last June, Microsoft and other companies called for the ability to publish what we had been doing in terms of complying with government national security orders. The government said no.

We sued the United States government last July. That’s not something we did lightly. You’re always reluctant, to be honest, to sue a government, any government, especially a government of a big country. And so we were very thoughtful about doing it. But we felt that we had a right under the First Amendment to the Constitution to publish information about the national security orders that we were receiving. Google filed a lawsuit as well.

We had negotiations with the Department of Justice last summer. Those negotiations collapsed in August. But, interestingly, the night before the President’s speech, on the 16th of January, we got a phone call from the Department of Justice. The Department of Justice said that it wanted to settle the case. That was not a coincidence, obviously. This was coming from the White House putting the on a different path.

And so by the 3rd of February, we had that settlement in place and we were able to publish more information. Under the terms of that settlement, we can publish information about the number of orders that we receive and the number of accounts that are affected. And we can do it for periods of six months. And we can do it in what are called buckets of 1,000. So I can tell you we either got zero to 1,000, or 1,000 to 2,000, or 2,000 to 3,000, et cetera. And we have to wait six months until the period ends, but then we can get this information out in public.

So on the 3rd of February, we filed our first public report. It was for the first half of calendar year 2013. What it showed, for example, is that we had received fewer than 1,000 orders from the FISA court, the Foreign Intelligence Surveillance Activity ourt. And those orders affected between 15,000 and 16,000 accounts.

Now, that may be fewer than 15- to 16,000 people because one individual can have more than one account. But it started, for the first time, to give the public real information and insight at least into the magnitude of the number of orders we were receiving and accounts that were being affected. It was, in our opinion, a first step.

Now, a second step that was clearly of substantial importance related to the government’s program with telephone companies in the United States, the bulk collection of metadata. And as you may recall, on the 17th of January, President Obama said that the government would review that program. He made no promises or commitments as to what that review would conclude.

Since January, the government has concluded that it wants to end that bulk collection program. I think that’s a positive step. It is a second step that the U.S. government needs to take.

In my opinion, in our view as a company, there are at least four additional steps the U.S. government needs to take. One is to expand transparency further. You know, the current regime, arguably, works reasonably well for larger companies, but is not as well suited for smaller companies or startups. That’s why our group of companies and the industry more generally has been united in encouraging Congress to amend the law to permit greater transparency. So that work is continuing.

A second step that is needed, in our view, is reform of the FISA court. This court may have been the right court in 2002 or 2003. We do not believe it provides the right recipe for 2014 or 2015 or beyond.

Why? Well, there are several aspects of the way the FISA court works that, frankly, are just out of the mainstream for the judicial process in the United States, in Western Europe, or in a number of other countries.

It’s a court that meets in secret. It is not our legal tradition to have courts that meet in secret. It’s part of our legal tradition to have documents that are confidential filed under seal, but that’s very different from an entire court that meets in secret.

Second, this court has only 15 judges, all of whom are picked by one person, the Chief Justice of the United States. Now, all of these individuals are judges who have been previously confirmed as district judges, but that is not the way our judicial system is designed to work. It’s designed to enable a broader array of judges to deal with issues.

Third, this is not a court that is based on what we in the United States would call the “adversary process.” In the United States, the fundamental underpinning of our judiciary is that you let a lawyer for each side stand up before a judge and articulate their point of view. In the FISA court, there’s only one lawyer representing one party, and that’s the United States government. That is not good enough. We need a genuine adversary process.

Fourth, in the United States, as in Europe, there’s a tradition: hen a court makes a decision, it publishes it. This is important. It’s healthy for the development of the law. Lawyers, professors, jurists all get to read the decisions. They get to comment on it. The legislature is able to see what the courts are deciding. That has not been true for the FISA court. And, in fact, as a couple of the court’s decisions have been published over the last year, it has become more apparent to the legal community in the United States that some of the decisions, perhaps, were not as well reasoned as they might have been – as they would have been if more people had had an opportunity to offer a point of view.

So this is a second area where we think the law of the United States continues to need to be reformed.

Third, we believe that the United States government needs to recognize that United States law ends at United States borders. And in one particular context, we’re quite concerned that the U.S. government is going to magistrates in the context of national security cases and seeking warrants that are then, in effect, applied to data — content data — that reside in other countries.

For that reason, we brought a second lawsuit against the United States government. This one is in federal court in New York. After a magistrate approved a warrant seeking customer data for an Outlook.com account that is in Ireland, we contested it. And we said we did not believe that the magistrate acted properly.

Well, the magistrate, who is the first person in the process, decided that he had acted properly, it was his warrant, after all. But that’s just step one. You know, we’ve now appealed that decision, sought a stay of it, and are now taking it to the district judge. And we will, I am certain, take that decision to the court of appeals in New York if we need to do so.

And that is exactly the kind of case that might eventually find its way to the Supreme Court. It is a case that I believe we can and should and will win at the end of the day.

Why do I think that? I think that for a number of reasons. First, under U.S. law, warrants are typically, in fact always, interpreted as being applicable only to execution within United States territory. So this is an extraordinary situation when a warrant is being served on Microsoft and we’re being told to go look in a datacenter somewhere outside the United States.

Second, courts in the United States follow a principle that says that they assume that Congress intends laws to apply only within the territory of the United States, unless Congress quite explicitly and quite directly says that it intends to apply a law more broadly. There is no language in this statute nor in the legislative history that suggests that Congress for a moment contemplated in 1986 that it wanted to apply this warrant provision around the world rather than just in the United States.

Third, we believe we have an argument, indeed a strong argument, under the Fourth Amendment to the Constitution. The Fourth Amendment is something that’s been on the books since 1790 and it gets discussed in various times. And suddenly we find ourselves addressing it as I think one of the very important issues for the 21st century.

What the Fourth Amendment does is it guarantees to the people the right to be secure in their persons, houses, papers, and effects from unreasonable search and seizure. And it further says that when the government issues a warrant, it must specify with particularity the place to be searched and the things to be seized. And we believe that a warrant that is served on a company that says, “Look everywhere on the planet if you must,” is the opposite of a particular warrant specifying the place to be searched. So we will argue this on Constitutional grounds as well.

And, finally, there are important public policy considerations. Considerations that go to the comity between nations that the federal courts have typically considered as well.

So we will go forward and we will fight that fight and we will take it to the Supreme Court if we need to, to ensure that we can offer our customers around the world the kind of legal rights that we believe they need and deserve.

Finally, there’s one other thing that we continue to look for from the United States government. We want a commitment. We want a statement from the United States government that it is not going to seek to hack its way into the datacenters or cables of American companies or other legitimate IT providers.

There may have been a moment in time, perhaps, that someone thought that that was necessary shortly after 9/11. We actually would not have signed on for that proposition even then. Because if there’s one thing that we’ve believed throughout it is that national security is of great importance, but it needs to be addressed pursuant to the rule of law and legal process. And this aspect of what appears to have been governmental activity needs, in our view, to be brought back within a proper legal framework. So we’re looking for that as well.

So when I look at the journey — and it is a journey, in my opinion — for reforming policy and law in the United States, I am encouraged that the government has started to move. I’m pleased that President Obama has started to put the nation on a better path. But this is not a journey that we can declare to be complete until important additional steps are taken.

Use of Personal Data by Companies

Now, I’d also like to talk about a third aspect of this, which I also think is important. And that’s the data that is held not by the government but by companies. In a sense, I think we’re at a moment in time when we need to recognize that when we talk about privacy, we’re talking about issues that may appear distinct, but in fact they are two halves of a common whole.

One half is fundamentally the relationship between the government and citizens in the context of surveillance. The other issue is the relationship between companies and consumers in the context of individual data, personal information that companies may have.

One involves government, the other involves companies. One you might say involves citizens, the other involves consumers. But I think it’s important to reflect on the fact that there is a common label, a common word that is applicable to both citizens and consumers. It’s called “people.”

And in an era where technology is so important, where people entrust so much of their sensitive information with their devices and in the cloud, it is perfectly reasonable to think about both of these issues together.

Now, I often find myself in the United States answering the skeptical questions of others in our industry who challenge me and say, “You don’t get it, people don’t care about privacy anymore.”

Well, sometimes I encourage them to come to Berlin (laughter) or Paris or Brussels or other places where it is absolutely clear after even a few moments of conversation that privacy is alive and well.

But I actually believe that privacy is far more alive and well in the minds of consumers in the United States than many people in our industry recognize. It is alive and well. But its meaning has changed.

Traditionally, in the United States at least, when someone said, “I want to keep my information private,” what they really meant, in all likelihood, was that they wanted to keep their information secret.

And, in fact, that’s how U.S. law evolved over the centuries. You had a reasonable expectation of privacy that entitled you to Constitutional protection under the Fourth Amendment if you had a reasonable expectation that your information was going to remain secret.

So, of course, with the invention of services such as Facebook, it was easy for people to say privacy must be dead, people must no longer care about it, because these people are not keeping their information secret. They’re sharing it. That part is true.

But I don’t believe that this means that privacy died. I believe that a new generation of people and, increasingly, an older generation of people adopted a new definition of privacy. For them, keeping information private did not mean keeping it secret. But it meant that people wanted to control who they shared information with and they wanted to control how those people would use the information that was shared.

Think about Facebook. Yes, people are comfortable sharing information with their friends. But it doesn’t mean they’re comfortable sharing it with the world. That’s clear every day. And anybody who has ever thought that teenagers don’t care about privacy has never had to have the hard-fought negotiation with their own teenager about whether their teenager will allow their parents to be their friends on Facebook. (Laughter.)

My first privacy negotiation was in 2002 with the Federal Trade Commission in the United States. It was a far-easier negotiation than the one I had with my daughter in 2009. (Laughter.) And I think people have found this to be the case around the world.

And if you don’t recognize this in Facebook alone, it’s fascinating to see other things that are changing across our industry. It’s fascinating to see a new service like Snapchat that was created by a 23-year-old. It exploded, and it had a principal value proposition that someone could share a photograph with friends, but the photograph would disappear. If that’s not a new standard, a new form of privacy, I don’t know what is.

And I, therefore, think we have to recognize that privacy has an important future. I also think we need to recognize that privacy may have slightly — or more than slightly — different future in different countries or on different continents. Because different places have different histories, they have different traditions, they have different cultural values. And, personally, I believe that it is our job as a company and as an industry to serve the people of the world by recognizing their diverse needs, rather than expecting the diverse people of the world to all conform to a single technology standard.

That’s why we as a company have been more supportive than some others in our industry of having a European Union privacy or data protection regulation. We do need a healthy future for privacy law.

Common Questions for Governments and Companies

Now, that leaves many questions unanswered. And I won’t try to give you all of the possible answers this evening. But I have, as we’ve thought more about this, increasingly concluded that there is a set of common questions that really applies on both sides of the ledger: government surveillance on the one hand, and company conduct on the other.

And there are three especially. The first is what level of transparency will people have? Will people be allowed to know what governments are doing with respect to surveillance and what companies are doing with their information?

We’ve been fighting the fight to open up transparency on the surveillance front. And I think, increasingly, companies including our own are going to need to take steps to ensure that information that we have about individual consumers is more readily accessible to them. So I think that’s the first question. What level of transparency will there be?

I think there’s a second question, which is whether individuals in some appropriate way will be able to control how information is used. In the context of government surveillance, I believe that that control needs to be applied pursuant to the rule of law. It’s not as if individuals get to choose whether they’re investigated for violating the law. But as democratic societies, we should be able to choose and decide through our elected legislatures what our governments do. And we should rightly expect them to follow the law.

Now, in the company context, there’s a different mechanism for control, it’s called a contract. And I believe that one of the important questions we’ll have to work through in the coming years is how to make systems like notice and consent more effective than they are today — or couple them with other regimes that will effectively give people more control over the use of their information.

Finally, there clearly needs, in my opinion, to be accountability by people who are using the information of others. In the government surveillance context, the government needs to be accountable to the courts. That’s why, in our opinion, the reform of the FISA court is so important.

And in the company context, there needs to be accountability to the law in the form of regulation. And that’s why these discussions about regulation, in fact, are so important. And, increasingly, I believe, we have the opportunity to pursue this discussion in a way that takes stock of what we’re learning on each side of the ledger and apply it to the other.

The Need for Better International Collaboration

There is, then, a fourth and final thing that I believe will become an increasingly important part of this conversation as we move forward. That is the need for international collaboration. Ultimately, we need to respect the fact that there are different parts of the world that may make different decisions, at least when it comes to how they think about a fundamental value like privacy and how they implement that in their own law.

But all of this needs to be pursued pursuant to a rule of law. And, increasingly, we need to have more legal processes that enable countries and governments to come to an understanding together.

One of the arguments that the government’s lawyers made in the New York case about the warrant is that they should be able to use a warrant because the existing legal process that applies internationally, the so-called mutual legal assistance treaties, or MLATs, are outdated. They’re difficult. They’re cumbersome.

There’s a lot of truth to the point that the MLAT process needs to be improved. But the right answer is not for the government to take the law into its own hands and seek to apply its law in other countries’ borders. The right answer is to improve the MLAT process. The right solution is for allies to come together and put in place new agreements if necessary to ensure that when investigators need information in another country, there is a legal process that satisfies the rights of individuals and enables governments to consult with each other.

If one wants to avoid friends spying on friends, and I believe that’s an important goal, then part of the answer is for friends to come together to put in place a better process to address these kinds of issues.

And in the same vein, we’re going to need new international forms of collaboration when it comes to cross-border data flows, when it comes to company use as well. You know, we’ve had the EU safe harbor agreement with the United States. That’s been a good step forward.

But as we’ve found as a company, we can go farther. You know, that’s why Microsoft became the first, and today remains the only, company to have obtained from the Article 29 working group the approval of the data protection authorities across Europe for our so-called model clauses.

It is an example that it is, indeed, possible for people to take new steps, for companies to push themselves, and for countries to work across borders in a more effective way. That, too, is an important part of the solution.

Conclusion

Finally, in conclusion, I would say this: I can’t help but think about this issue without thinking back to our roots.

If you ask anybody who has been at Microsoft for a long time, somebody like me who has been there for 21 years, a big part of the reason we came to the company, a big part of the reason we’ve stayed at the company, is we’re genuinely excited about what the personal computer did for people and what technology advances have continued to do.

But there’s a fundamental principle that we all need to continue to keep in mind. Technology is a tool. Technology is a tool that exists to serve people. It needs to meet the needs of people. It needs to recognize the diverse needs of people in different parts of the world. Technology is here to serve people. It’s not the other way around. And we need to ensure that it stays that way. Thank you very much. (Applause.)

END