Microsoft's Top Lawyer Discusses Public Trust In Technology In Wake Of Year's Historic Terror Attacks
Microsoft partners got a unique inside look Wednesday at the legal wrangling behind a number of high-profile events that, over the past year, have framed the debate over the boundaries of the surveillance state in an age of global terrorism.
Brad Smith, Microsoft's general counsel and executive vice president of legal affairs, recounted Microsoft's role in negotiating the legal fallout from the Sony hack, the Charlie Hebdo terrorist attack and the Snowden scandal.
Delivering his first-ever keynote at Microsoft's Worldwide Partner Conference in Orlando, Fla., Smith said those cases, and the responses they provoked from national governments, all challenged the tech industry's efforts to earn the trust of the global public.
[Related: 9 Ways Microsoft Is Transforming Its Channel]
"What can we do together to make sure the world can trust the technology we've created?" he asked partners.
Smith's fascinating, globe-hopping account began in January with police showing up at the home of a Microsoft executive in Sao Paolo, Brazil -- the Brazilian authorities demanded Microsoft turn over Skype data on a Brazilian customer.
"And yet the problem was, the data was not in Brazil, but in the United States," Smith said, illustrating the confusions stemming from data residency policies. Complying with the Brazilian request might have been illegal under U.S. law, so Microsoft refused.
"That was an interesting day," Smith said.
On a tragic day weeks earlier, the world was stunned when two terrorists murdered journalists at the Charlie Hebdo offices in Paris to silence their satirical speech. What followed was the largest manhunt France had seen in two decades.
Before the sun even rose thousands of miles away in Seattle, Microsoft was fielding an emergency request from the FBI to provide access to the email accounts the terrorist had used to organize the attacks. Within 45 minutes, the FBI had those emails to share with French authorities.
Smith's story then shifted to Los Angeles, and another effort to stifle speech that came to light when entertainment execs arriving at their Sony Entertainment offices discovered they couldn't access email and documents on their computers.
The facts quickly pointed authorities to North Korea, "where it began to be clear that an attack had been staged," he said.
To counteract the attempt to silence filmmakers, Microsoft and Google helped distribute online "The Interview" -- the film that provoked North Korea.
Those events all illustrated how the Internet can be used as a tool to stifle speech and dissent, or to promote it, Smith said.
The Sony hackers used technology to attack expression, yet Microsoft and Google employed it for the opposite purpose. The Paris terrorists used the Internet to organize their attack, as did millions of people who came out into the streets to protest their form of intimidation.
Those attacks also prompted legislative reactions from governments, from the English prime minister calling for amending laws governing the use of encryption, to the French government considering making social media sites responsible for hate speech.
The Sony attack especially "taught people there is no national security without cybersecurity," he said. "That helps explain why so many governments are taking action."
All the incidents Smith recounted inform a larger debate on questions of limiting encryption, data residency and sovereignty, surveillance, access and content controls.
"Why is this happening now?" Smith asked.
Part of the reason is Edward Snowden, "who changed the world when he got on a plane and took four laptops with him."
The more the world learned from Snowden's revelations of sweeping NSA surveillance, "trust in technology became more of an issue," Smith said. That's important because "more than ever, the Internet is not some other place in cyberspace. It is the place where people go to organize themselves and define what will happen in the real world."
Even before this year's historic events, CEO Satya Nadella and Microsoft's senior leadership had done some soul searching, Smith said, figuring out how Microsoft's values would lead the company to approach the challenges of balancing the needs of national security with their commitment to preserving the trust of their customers.
They concluded that the Internet needs to be governed by law. "But it needs to be good law," Smith said.
That process, and those commitments, motivated Microsoft to file three lawsuits against the federal government over the past two years.
The first was in a Foreign Intelligence Surveillance Act (FISA) court -- the shadowy stage meant for deliberating in secret cases with national security implications.
"This is an unusual court I have to tell you, as a lawyer," Smith said.
When you call most courts on the phone, somebody answers, he said, and you can look up their addresses on the Internet. Not so with FISA.
Smith played for the audience the voicemail heard when calling the FISA court -- a very brief message and no useful information.
"To be honest, litigating in this court is unlike any other that lawyers have ever appeared before," he said.
He displayed a legal brief returned to him after being filed with the court -- the majority of it was redacted with blackout lines.
But Microsoft's actions in that case informed President Barack Obama's speech last January at the Department of Justice, in which he called for surveillance reform. Soon after, lawyers from the Justice Department called Microsoft and said they wanted to settle the case, Smith said.
Another case resulted from a subpoena request targeting a Microsoft enterprise customer, Smith said.
"We went to court and said, 'We're not the right one to respond. You need to take that subpoena and serve it on the customer itself.' " And that's what the Justice Department ended up doing.
The third case had an international bent -- federal authorities tried to subpoena a non-U.S. resident's data that resided in a Microsoft data center in Ireland. Microsoft's response was that the U.S. government needed to work through the foreign government and appeal to relevant treaties.
Microsoft, in its advocacy for restrictions on federal intrusion, also is a vocal supporter of the Leads Act, which limits the government's ability to seize data housed in foreign data centers.
But the world's largest software company can't do it alone, Smith said.
"We need commitments that are backed by you, our partners, as well."
That means taking the data privacy message to customers, explaining how Microsoft, as their cloud provider, is committed to being transparent, protecting their privacy, providing security for their data, and always being compliant with the laws of all jurisdictions in which it operates.
Microsoft also promises governments it will work to protect digital security and their national sovereignty, and to promote the local economy, Smith said.
"Microsoft is certainly being transparent with their approach and actions," said Allen Falcon, CEO of Cumulus Global, a born-in-the-cloud solution provider that recently launched a Microsoft practice.
Falcon told CRN that as far as the issues of trust and privacy go, Microsoft is leading an industry that often sees security and privacy certifications as merely "check box items on RFPs."
Ric Opal, vice president at Peters & Associates, a Microsoft partner in Oakbrook Terrace, Ill., said the security issues create vast opportunities that the channel should leverage.
"I'm doing hard-core security, because the more data there is, the more the security problem is going to be out there," Opal told CRN.
Partners looking for a place to add value should recognize that security is a safe harbor as they evolve their businesses with cloud practices.
"They're only going to be growing more and more, and anything you're doing to help customers visualize data on devices or secure those devices is a good place to be," Opal told CRN.
PUBLISHED JULY 15, 2015