Digital dilemma

An expert in security and current President of Microsoft, Brad Smith discusses the importance of privacy in a digital age

Published on Oct 19, 2019

We decided to do something that we had never done before: sue the United States government. For a company that had fended off a decade of government antitrust litigation and then spent another decade working to make peace, it felt like we were crossing a new Rubicon. We moved forward with a motion that initially was kept secret in the Foreign Intelligence Surveillance Court, or FISC.

The FISC is a special court established to review the government's surveillance orders. It was created during the Cold War to approve wiretaps, electronic data collection, and the monitoring of suspected terrorists and spies. It is shrouded in secrecy to protect intelligence efforts to monitor and thwart security threats. Each warrant issued under the Foreign Intelligence Surveillance Act comes with a gag order that prohibits us from telling our customer that we've received a warrant for their data. While this was understandable, our legal case asserted that we had a right to share broader information with the public under the Constitution's First Amendment and its commitment to freedom of expression. At a minimum, we argued, this gave us the right to talk generally about the number and types of orders we received.

Soon we learned that Google had done the same thing. This led to a second watershed moment. For five years our two companies had battled our differences before regulators around the world. Google argued for restrictions on Windows. Microsoft argued for restrictions on Google searches. We knew each other well. I had a lot of respect for Kent Walker, Google's general counsel. But no one would have accused us of being best friends.

Suddenly we were on the same side in a new and common battle with our own government. I decided to reach out to Kent, at first without luck as we traded messages. As I left an employee town hall on a July morning in one of the buildings where our Xbox team worked, I pulled out my cell phone to try again. I looked for a quiet corner and found myself standing next to a life-size cardboard cutout of Master Chief, the soldier who leads the troops in our Halo game into war against an alien enemy. I liked that Master Chief had my back.

Kent answered the phone. While we had talked many times before, it was almost always to discuss the complaints our companies had with each other. Now I proposed something different. "Let's join forces and see if we can negotiate with the DOJ together."

I would not have blamed Kent if he suspected a Trojan horse. But he listened and came back to me a day later saying he wanted to work together.

We held a joint call with the government to try to negotiate common terms. It seemed as if we were getting close to a settlement, when suddenly in late August the negotiations ended in failure. From our vantage point, it seemed as if the NSA and FBI were not on the same page. As summer faded into fall in 2013, Snowden's continued disclosures drove a deeper wedge between the US government and the tech sector. And then things went from bad to worse.

On October 30, the Washington Post published a story that set the industry's hair on fire: "NSA Infiltrates Links to Yahoo, Google Data Centers Worldwide, Snowden Documents Say." The story was coauthored by Bart Gellman, a journalist I had known and respected since he wrote for the Daily Princetonian at Princeton University, where we were undergraduates together. His article said that the NSA, with the help of the British government, was surreptitiously tapping into undersea fiber optic cables to copy data from Yahoo and Google networks. While we could not verify whether the NSA was targeting our cables, some of Snowden's documents also referred to our consumer email and messaging services. That made us suspect we had been tapped as well. To this day, the US and British governments have not spoken publicly to deny hacking into data cables.

The tech sector responded with a combination of astonishment and anger. At one level, the story provided a missing link in our understanding of the Snowden documents. It suggested that the NSA had much more of our data than we had lawfully provided through national security orders and search warrants. If this was true, the government in effect was conducting a search and seizure of people's private information on a massive scale.

The Washington Post story indicated that the NSA, in collaboration with its British counterpart, was pulling data from the cables used by American technology companies, potentially without judicial review or oversight. We worried that this was happening where cables intersected in the United Kingdom. As lawyers across the industry compared notes, we theorized that the NSA persuaded itself that by working with or relying upon the British government and acting outside US borders, it was not subject to the Fourth Amendment to the US Constitution and its requirement that the NSA search and seize information only pursuant to due process and court orders.

The reaction at Microsoft and across the industry was swift. In the weeks that followed, we and other companies announced that we would implement strong encryption for all the data we moved between our data centers on fiber optic cables, as well as for data stored on servers in our data centers themselves. It was a fundamental step in protecting customers, because it meant that even if a government siphoned up customer data by tapping into a cable, it would almost certainly be unable to unlock and read what it had obtained.

These types of encryption advances were easier said than done. They would involve large computational workloads for our data centers and require substantial engineering work. Some of our engineering leaders were less than enthusiastic. Their concerns were understandable. Software development inherently involves choices between features, given the finite availability of engineering resources that can be applied on a feasible timeline. This encryption work required them to delay the development of other product features that customers were asking us to add. After some animated discussion, CEO Steve Ballmer and our senior leadership team made the decision to press forward quickly on the encryption front. Every other tech company did the same thing.

That November, as these events were unfolding, President Barack Obama visited Seattle. He was attending a political fund-raiser, and the White House had invited a small group of area leaders and supporters to have a cocktail in a private suite at the Westin Seattle hotel after the formal event. I was invited to represent Microsoft.

This is an extract from Tools and Weapons published by Penguin Press