By Hugh Milward, senior director, Corporate, External and Legal Affairs, Microsoft UK
Recent events here in the UK and elsewhere have sparked fresh interest in two related but distinct issues relating to privacy and safety.
The first is the issue of nation states reaching across borders to hack private companies and citizens in other countries either to advance their economic interests or simply harm other people and other countries.
The second is how governments get access to digital information belonging to citizens as part of their vital work to investigate crimes and keep people safe. I want to clearly explain Microsoft’s position on these two connected but separate issues.
Helping Governments Investigate Crimes and Tackle Terrorism
We recognize and appreciate the important work that the police and security services do both to investigate crimes and to keep people safe, including the important work to investigate and prevent terrorist attacks. To do this, the police will sometimes need access to personal information belonging to their citizens that is stored on one of our services like Outlook.com. When governments, including the UK government, serve valid legal orders for this information, we provide it.
As Microsoft president Brad Smith said in talking with ITV News recently, “Law enforcement needs information. Sometimes it needs it very quickly to save lives. And when we get those kinds of requests or warrants, when they’re lawful, we act, we actually act quickly. We can do so in a matter of literally minutes.”
We have a global team available 24 hours a day, seven days a week to respond to these requests. We take our customers’ privacy seriously, so each request is carefully reviewed to ensure that it is a valid legal order. If we believe a government’s request goes beyond the law, we will ask a court to decide, which we’ve done several times in the United States.
Once we confirm a legal order is valid, we then move quickly to provide the information the police are seeking. In January 2015, in the immediate aftermath of the attack on the Charlie Hebdo newspaper, Microsoft responded to lawful requests from the US government, which was working on behalf of the French police. In this case, we responded within 45 minutes. And, when the UK authorities served legal orders on us for email information relating to the March 22 terrorist attack in London, we responded within 30 minutes.
In the broader debate about privacy and safety, some people make the argument that technology companies should do more to provide governments with customer data voluntarily and outside legal processes. As custodians of our customers’ personal information, we don’t think this is the right thing to do. We think it’s better for governments to use legal processes that have been set up to balance safety and privacy interests. When companies go beyond the law, they take upon themselves the consideration of what can sometimes be competing interests in a way that may conflict with the balance struck by Parliament. In democratic societies, we think that it is governments who should determine this balance, not private companies. And the right way for governments to do this is through the democratic process, which means through passing laws.
Protecting Civilians from Cyberattacks from Governments
The second issue is sometimes conflated with the first but it’s separate. We’ve seen a significant rise in nation states reaching across international borders completely outside all legal process to hack private companies and private citizens in another country, often looking to steal their email in order to harm them, or to damage their IT systems. We refer to this as nation state hacking. The hackers may target journalists, steal confidential business information or be preparing to attack civilian infrastructure such as healthcare systems, water supplies or the electrical grid. For decades, the Geneva Convention protected civilians in times of war, but today in the realm of cyberspace we see civilians being attacked in a time of peace.
We believe the world needs to come together to address this growing threat. That’s why Brad Smith recently called for a Digital Geneva Convention. Under new international rules, governments would commit to not hacking or attacking civilians, private companies, or civilian infrastructure including the infrastructure of our elections and democratic processes.
As part of this process, Brad called for major technology companies to sign a “tech accord” that would commit them to being 100 percent defence and zero percent offence. This already is Microsoft’s position. As Brad said in an interview with ITV News when talking about the need for a Digital Geneva Convention and a Tech Accord, “we will not help any government, including our own government, hack or attack any other customer anywhere”. We do not, and will not, help any government reaching across borders to target civilians in another country. We will not assist any government in engaging in nation state hacking.
We’re committed to playing our part in both protecting personal privacy and the public. Governments have a vital role to play too, whether in passing laws to define how and when they access personal information to investigate crimes, or coming together to craft new international agreements.