Jan. 21, 2015, was an interesting day.
It was the day Microsoft invited a small group of tech journalists to its Redmond, Washington, headquarters for a big announcement. In the past, news this momentous might have been accompanied by a famous rock band or fireworks, but when Microsoft unveiled Windows 10 and HoloLens, they were in an intimate, coffeehouse-style room sipping coffee with house music playing in the background.
Elsewhere in the world, January twenty first was an altogether different kind of day. As the sun rose over São Paulo, it promised to be a beautiful day – a day like any other. And then the police arrived at the apartment of a Microsoft executive in Brazil, bursting past the gates to his door, demanding he be produced so he could appear before a court.
But Jan. 21 wasn’t the weightiest day that month – not by far. Two weeks earlier, on Jan. 7, the world was transfixed as a series of horrifying events unfolded in Paris. That is the day a pair of brothers launched an attack on Charlie Hebdo, a weekly French satirical magazine, that left 11 of its employees dead and as many others injured – all solely because they had expressed their views.
These two extraordinary days in January are connected by an increasingly crucial issue in our world: information security.
The Brazilian Microsoft executive was detained by police as part of an investigation; law enforcement officials demanded that Microsoft turn over the Skype data of a Brazilian customer. Problem was, the data they wanted was not being stored in Brazil, but in the United States, where it would be unlawful for Microsoft to provide it.
The attacks in Paris stirred the emotions of people around the world, and triggered France’s largest manhunt in two decades. At 5:42 the morning after the attack, the investigation came to Redmond. Before daybreak in Seattle, the FBI sent Microsoft an emergency request for information – the at-large terrorism suspects had Microsoft email accounts. The FBI served a lawful order. Microsoft reviewed it, and pulled the email. In precisely 45 minutes, the company sent the email data back to the FBI so U.S. investigators could, in turn, provide it to French authorities.
But that wasn't the end of how technology intersected with the events in France. In the ensuing days, the people of France turned to technology. They used social media to organize themselves, and on Sunday, January 11, two million people took to the streets of Paris to show solidarity for Charlie Hebdo and to support freedom of expression. This was more people than the world had seen in the streets of Paris since Charles de Gaulle led the parade down the Champs-Élysées when the city was liberated from Nazi occupation in 1944.
Just a few days later, the events of January 7 moved across the English Channel to London, where Prime Minister David Cameron talked about what had happened in France. “This shows why we need to change the law and tighten restrictions on the use of encryption,” he said.
Two weeks after Cameron's remarks, the discussion moved back across the English Channel again when the French government started talking about the need to change the law as it applied to freedom of expression.
The events of January 2015 show it’s crucial to have a conversation about worldwide information security – to examine what the events of the last year mean, and most importantly, to explore what we can do to ensure the world can trust the technology we create.
If there was another extraordinary day in this extraordinary year worth discussing, it is November 24. That’s the day Sony Pictures Entertainment employees in Los Angeles got up and went to the office. When they arrived, some of their computers did not work. They could not access their email or retrieve their documents. Data, both personal and business-related, was being posted on the internet. It soon became clear Sony Pictures Entertainment was under attack.
As information security officials dug in to find out what had happened, the investigation led across the Pacific to North Korea. Though the government of North Korea denied all responsibility, one of the hackers’ demands was for the studio to cancel its upcoming movie, “The Interview,” a comedy about journalists who are recruited by the CIA to assassinate North Korean leader Kim Jong-un. After the promise of further hacking and the threat of violence at cinemas, many major movie theaters opted not to show the film.
From there, the spotlight moved from North Korea to Washington, D.C., where on December 19, President Barack Obama addressed the situation before leaving on his annual holiday vacation to Hawaii. “Again, I'm sympathetic that Sony as a private company was worried about liabilities and this and that and the other,” he said. “I wish they had spoken to me first. I would have told them, ‘Do not get into a pattern in which you're intimidated by these kinds of criminal attacks.’”
Over the next five days, Microsoft and Google scrambled, and on December 24 – Christmas Eve – both companies announced they would be distributing the film “The Interview” to support the principles of free expression.
The effects of these events and issues have rippled around the world.
In February, the Chinese government introduced new proposals in Beijing, causing an uproar in the U.S. tech sector. In Moscow, the Russian government has proposed new laws relating to data. In Washington, D.C., the FBI director has echoed some of these same concerns, calling for controls on encryption in the United States.
As we follow these issues around the world, a clear pattern emerges. You see in the map below countries around the world that are proposing new laws with respect to data residency. The countries in red have adopted these laws that basically say that data that is stored in a datacenter in their country needs to stay in their country. The countries in blue are considering new proposals to do the same thing.
But that's not the only issue. Governments are considering new laws around security requirements, around encryption requirements, around access to data in other countries, and even about the content that people are putting online.
Ultimately, this series of events should make us wonder why all of this is happening, and why it is happening now.
One reason is a fellow named Edward Snowden, a former U.S. government contractor who changed the world when he boarded a plane to Hong Kong with four laptops full of classified information. Snowden gave thousands of confidential documents to journalists that revealed the existence of global surveillance programs, many of which were being run by the National Security Agency with the cooperation of telecommunication companies. As the world learned more about what was going on, trust in technology was more at issue.
But that's not the only thing that's going on. This also reflects the role of the Internet in the world today. Think about what happened to Sony. Hackers used the Internet to attack the company and its freedom of expression. Yet Microsoft and Google used the same Internet to defend freedom of expression by making the film available online.
In Paris, terrorists used the Internet to help plan an attack, and also to claim credit for it afterwards. Yet law enforcement used the same Internet to investigate that crime, and the people of Paris used the Internet to organize themselves to stand together.
More than ever, the Internet is not some place in distant cyberspace; it is a place that defines what happens in the real world.
We all realize that while we're living in a world where the Internet is bringing us closer together, borders here on Earth still matter. Personal and business security matters. National security matters. If the Sony attack taught us nothing else, it was this: There is no national security without cybersecurity. That helps explain why so many governments are taking action.
Fundamentally this calls on all of us to ask ourselves one overarching question: What's to be done?
There are times when I listen to others in our industry talk about what's going on and complain about these new information security proposals. And to be honest, it sometimes feels like people are shouting into the wind. But one thing I think is clear: Success will not come to those who shout into the wind. Success will only come to those who figure out how to ride the wave. That is what we need to do.
And as we've thought about this inside Microsoft, as we've talked about it with CEO Satya Nadella and among our senior leadership team, we've concluded what we have to do is start with our values, think about how we translate those values to principles, then turn those principles to commitments.
In a sense, the definition of our values is the most important thing of all. I thought Satya put it very well a year ago when he sent a memo to all of our employees. What he said is basically this: We need to move technology forward, but we need to do so in a way that ensures timeless values will endure. These values are our North Star. They ask us to ask ourselves, “What is it that we can do?”
Our mission as a company is to empower every person and every organization on the planet to achieve more. If we're going to empower every person, we need to protect every person. We need to ensure every individual and organization has the ability to use technology that they can trust.
We all want and need to live in a world where governments can keep the public safe, and yet privacy and free expression are among the timeless values that also need to endure. We all need to live in a world where governments respect each other's borders, but also a world with open markets and a global network. Certain principles span all of this, principles like transparency. The more that we can share, the more we can help advance all of these principles.
While technology is a wonderful thing, the Internet does need to be governed by laws – but they need to be good laws. That is where our principles turn to commitments we have to governments, businesses and individuals.
We want to provide digital security for countries all over the world, and respect each country's digital sovereignty. We are moving forward in a way that will help promote the local economy. That is a starting place, but it's just a start.
We’re also building on our commitments to enterprise customers. In April 2014, Microsoft became the first company in our industry to win regulatory approval for the so-called Model Clauses in Europe, contractual commitments to assure our customers we will protect their data so they can move it around appropriately. In February 2015 we built on that when Microsoft became the first company in our industry to win certification for the new ISO27018, a standard that similarly ensures we will treat people's data properly. These kinds of commitments are concrete, especially in terms of what they mean for customers in the enterprise.
Our four commitments: We will keep your data secure. We will keep your data private and under your control. We will manage data according to local laws. We will be transparent.
Microsoft needs to go beyond standing up for the rights of businesses and governments; we need to be a voice for people. Over the past 40 years there is arguably no company that has been more committed than Microsoft in making sure people can use technology to express their views, share them with the world, and communicate with each other. We need to stay focused on that cause, too.
Inspired by the events of the past year, our cloud business will be grounded in four commitments to governments, enterprises, consumers, and people around the world. We will keep their data secure. We will ensure people's data is private and under their control. We will figure out the laws in each country and make sure data is managed accordingly. And we will be transparent so people know what we are doing.
For businesses, this actually translates into a number of very concrete and important messages.
We stand behind our technology with contracts to ensure we have strong and specific security safeguards. We process customers' information only as they instruct us, and we put in place strong regulatory compliance to meet their needs. We will tell them, whenever we're permitted, what the government is doing to access their data, and if we need to we'll go to court to vindicate those rights when that's the proper thing to do. Finally, we will continue to advance transparency.
It’s not enough to put these commitments on paper. We need to bring them into practice, and that requires three things:
First, we are backing our commitments with billions of dollars of technology investments each and every year. That is what has enabled us to build more than 100 datacenters in 24 regions and 40 countries around the world.
It's all of these datacenters that give Microsoft the ability to offer customers more choices than any other company in the industry. If people want to store their data in our datacenters, they can. If they want to store their data in datacenters operated by Microsoft partners, they can do that. And if they want to keep data on their own servers, servers operating on the edge of the Microsoft cloud, they can do that, too. This is all about creating options for our customers.
What’s more, Microsoft is prepared to back these cloud commitments with our legal resources as well. It's why we have sued our own government, the United States government, not just once but three times over the last two years.
The first lawsuit was brought in what's called the Foreign Intelligence Surveillance Court. As a lawyer I have to tell you -- this is an unusual court. For most courts, you look up the address on the Internet and can find exactly where the courthouse is. For most courts, you call on the phone and somebody answers. When you try to phone the Foreign Intelligence Surveillance Court, the call is answered, but by a no-nonsense machine: “You have reached the United States Foreign Intelligence Surveillance Court. Please leave a message. [Beep]”
Then, you wait for them to call you back. Or maybe tap you on the shoulder.
To be honest, litigating in this court is unlike any other court our lawyers have ever appeared before. You file a brief just like you do in other courts, but when you get the brief back from the government, it’s covered in thick, black marks, much of the content redacted like when a classified report is released to the public.
But we persisted. We persisted in court, and we persisted in public. We persisted, both alone and with the rest of the industry. And on Jan. 17, 2014, President Obama went to the Department of Justice and gave a speech calling for surveillance reform. Afterward, the lawyers from the Department of Justice called us and said, "We will settle that case." And we won the right to share more information with the world.
That's not the only case we’ve brought. When the FBI and the Department of Justice served us with a subpoena seeking data from one of our enterprise customers, we brought a second case. "We're not the right one to respond,” we told a federal court. “You need to take that subpoena and serve it to the customer itself." As we litigated that case, and gained traction with the judge, the FBI and Department of Justice withdrew the subpoena and went to the customer instead.
There's a third case as well, one we're continuing to litigate, regarding data in our Ireland datacenter. The U.S. government is seeking to use a search warrant to get at email that belongs not to an American in Ireland, but to someone else. And we're saying, “If you want the data of people who are not U.S. residents, you need to go to the government when that data is stored outside the United States. You need to use the treaty that exists between the United States and Ireland.”
As this case moves forward, we've been building a community of supporters.
In December 2014, 28 different technology and media companies, 23 technology and advocacy groups, 35 leading computer scientists, and even the government of Ireland itself showed support for what we are doing. We hope the court will consider this.
But we're not just leaving this to judicial deliberation: we’re going to Congress, where the Law Enforcement Access to Data Stored Abroad Act has now been endorsed by more than 80 members of the House of Representatives to make clear that the U.S. government, like every government, needs to think about borders and respect the rights people have to their privacy and the protection of their laws.
These are the kind of concrete steps Microsoft is taking to protect people’s security and respect their privacy. We want to put the right kind of steps in place to protect legal and regulatory compliance, and perhaps most of all to ensure that everyone knows what is happening with their own information.
Because this matters as much as it does, we urge others who are dedicated to advancing trust in technology to contact their country’s government to express their support for technology surveillance reform. One way to do that is through the Voices of Innovation website, a Microsoft-supported community of technology professionals and citizen advocates.
This is important not just to Microsoft and its products, partners and customers, but to everyone who uses the Internet. This is about the future of technology. With your help, we can create a world in which people can trust the technology they use – a world in which technology continues to empower.