A small step forward for US cloud and email privacy


The US Justice Department (DoJ) has stepped back a little in their legal battle with Microsoft over government access to cloud data, including email.

Microsoft had sued the US government over orders which compelled the company to hand over customers' cloud-stored files and emails.  This could be done without notice to the customer, which meant they had no chance to object.  Microsoft had to keep the intrusion secret and the access could continue forever.

The suit has been dropped because the DoJ has now promised to change their policy.

From now on, companies can notify customers of government intrusion, unless the warrant specifically forbids that notification.

In addition, the warrant should only apply for a limited time, not indefinitely.

Not the end of the story

It sounds like a good move and a win by Microsoft for their customers.

Some more wary commentators aren’t so sure.

The US government can still access your cloud-stored files without a warrant because of the Patriot Act.

New warrants issued according to the fresh DoJ policy can still forbid Microsoft, Google or others from notifying customers.  The warrant needs to specifically tell the cloud provider not to tell the customer.

Similarly, plausible reasons can be given for long-term access warrants, or a time-limited warrant can simply be renewed.

The DoJ could change their policy again, at any time.

No overseas protection

None of this applies to Microsoft’s long-standing case against the US government about access to data stored outside the USA.

The US government says it can demand data stored anywhere in the world where the servers are owned or managed by a US company.  The specific case is about data stored at Microsoft’s Ireland data center.

That case is to be heard by the US Supreme Court.