Microsoft calls for international convention on govt data access

Microsoft calls for international convention on govt data access

Summary: Microsoft has spoken out about the NSA reforms, stating that they do not go far enough and should be complemented by an international framework on data privacy and government surveillance.


In a blog post on Monday by Brad Smith, Microsoft's general counsel and executive vice president for Legal and Corporate Affairs, the tech giant has advocated international collaboration on government access to data after the extent of the National Security Agency's (NSA) program was revealed last year.

Microsoft said on Monday that the changes to government surveillance announced by US President Barack Obama last week mark "positive progress on key issues, including privacy protections for non-US citizens".

"I maintained a healthy scepticism toward our surveillance programs after I became president," Obama said in a speech at the Justice Department last Friday.

"What I did not do is stop these programs wholesale."

Rather, Obama's administration has made five material changes to the NSA program: Intelligence agencies will not store American citizens' phone call records anymore; phone records will remain available when deemed necessary; the heads of state of "close friends and allies" will no longer have their communications monitored; an overseeing panel for the secretive Foreign Intelligence Surveillance Act court will be formed; and privacy protection will be extended to non-US citizens — save for the presence of a "compelling national security purpose".

Microsoft has come out and stated that it is willing to work alongside the US government and Congress in order to come up with more suitable changes.

Promoting human rights and individual privacy alongside "timely access to data" where it is necessary for governments to prevent terrorism-related threats, the tech giant pointed towards the World Economic Forum's annual meeting being held in Switzerland later this week as a prime opportunity for an international agreement on data privacy and government surveillance to be outlined.

"The time has come for a broader international discussion. We need an international legal framework — an international convention — to create surveillance and data-access rules across borders," Smith wrote.

"We've all been reminded that surveillance takes place by governments internationally. And as industry reports make clear, governments around the world demand access to customer data. As a result, we need to broaden the topic and bring together governments to create a new international legal framework.

"Such an approach would enhance transparency and reduce the legal uncertainty that currently risks slowing new cloud-based technology services internationally. Clearer rules for access to data internationally would help open borders and enable companies to host services and data in one country for citizens in another."

In June 2013, former US government contractor Edward Snowden began leaking documents to the press about the metadata-collecting activities of the NSA. Microsoft quickly announced that it only provides customer data when it is given a legal order to do so, and in the same month joined Google and Facebook in calling for transparency.

"Our recent report went as far as we legally could, and the government should take action to allow companies to provide additional transparency," Microsoft said in a statement at the time.

In November, the tech giant followed the examples of Google and Yahoo in encrypting its worldwide datacentre traffic in order to prevent the US government from surveilling and wiretapping the cables.

In December, Microsoft's Smith called the US government an "advanced persistent threat" in another company blog post.

"Recent press stories have reported allegations of governmental interception and collection without search warrants or legal subpoenas of customer data as it travels between customers and servers or between company datacentres in our industry," Smith wrote.

"If true, these efforts threaten to seriously undermine confidence in the security and privacy of online communications. Indeed, government snooping potentially now constitutes an 'advanced persistent threat', alongside sophisticated malware and cyberattacks."

Smith ended Monday's missive by stating, "The best way to launch such an [international] effort is for the United States to take the lead."

Updated January 22, 2014, at 8.50am AEDST: A quote on the president's NSA reforms was misattributed to Microsoft and has been removed.

Topics: Microsoft, Government US, Security


Corinne is sub-editor across all CBS Interactive sites, and joined the company after completing her degrees in Communications and Law, and undertaking a string of internships in law and journalism. Corinne is also a journalist for ZDNet.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • It's a nice idea, but...

    ...I predict it will go nowhere and maybe it should, as I doubt that diplomats and international bureaucrats (many of whom are appointed by authoritarian states) are better guardians of civil liberties than are elected officials.
    John L. Ries
  • If these corporations are really so concerned

    about our personal data, how about THEY stop collecting and storing it too? I can see some of for some period of time, but some, google, microsoft for example, get ahold of it, get all they can and never let any of it go, using for their own purposes, and nevermind that they did not ask the people if they could. So how are the governments any worse? Want them to stop raiding your cookie jar? Stop filling it up with cookies you probably should not have either.
  • MS has made a good suggestion here

    If there was an international convention, or at least if the 5 eyes adjusted the current security one to at least recognise each other's security agencies & key security & privacy laws as 'OK', then that'd go a long way to helping organisations & vendors based in those countries overcome 1 major road block to taking up public cloud instead of private cloud.

    Mind you, there are other road blocks stopping organisations going cloud. But the FISA type legislation all countries have is the thing that puts organisations and vendors like MS into a no win legal situation, and so is probably the most serious road block stopping public cloud.

    I'm not sure it'll be likely to happen. I know here in Aus they tried last year to fix legislation to be consistent with an 2010? agreement between the 5 eye AGs, but it didn't get up. It isn't likely to get up during this term of government either. Logistical issues for ISPs, and took away some rights to privacy, so didn't really please civil liberty lefties or small government righties.

    They have to sort out privacy obligations because it is a big piece of the puzzle (security being the other big piece). This means MS risks replacing one threat to its business with another e.g. stopping gov. collecting the data may also mean stopping them collecting & selling the data too. Perhaps that won't be as bad as some might think, as instead of selling raw blacked out data, they could instead sell demographic reports, or provide online demographic reporting tools to the advertisers.
    • Would a treaty really help?

      Who would adjudicate disputes?
      John L. Ries
      • Yes it would

        So who would adjudicate disputes? It depends.

        When it comes to international treaties, local law courts are fine in most cases because the legislation in both countries recognise each other's courts, and the legislation is consistent in both countries. So one country's entity can litigate against the other & have the court's decision enforced.

        But worst case, it'd be the international court. Usually that'll be when one country is in dispute with another, such as the Australia v Japan whaling case last year, or the one that is on right now between Australia and East Timor.

        5 eye countries usually enforce decisions handed down by the international court, be they favourable or otherwise to thier interests, including the USA.

        But the likelihood of a treaty is a bit iffy. I think the US & others would have to make more concessions than what they would like for a treaty to get traction. The concesions would probably be greater if they wanted to include European countries and Brazil. Australia for example does not have a Bill of Rights. I understand our privacy Act is weaker than many countries in Europe.

        Everyone would be winners if the treaty happened and it addressed the secret court orders (absolving data owner obligations to report access by signatory AGs foriegn or domestic), and upheld Euopean style privacy rights (which would control AGs foriegn or domestic's access to the data, and allow vendors to report statistics on court orders).
  • Microsoft and Privacy?

    Get real. When you "register" and installation of a recent Windows OS, that really long number that is generated manages to contain an excellent description of the hardware in your system -- that's how they detect that you're trying to install the same licence on a different machine, because of the hardware profile.

    While Microsoft still has not properly addressed the "anti-trust" issue, I don't think it's an organization in a position to preach "transparency".