The conflict between snooping governments seeking to defeat encryption and users demanding ever more robust privacy tools has turned into an arms race -- and it's time for arms control talks, Microsoft's general counsel said on Tuesday.
Resolving that conflict requires a new consensus on how to balance public safety and personal privacy, Brad Smith said in a forum at Harvard Law School. "Ultimately there are only two ways to better protect people's privacy: stronger technology or better laws," he said.
In an expansive conversation about privacy and rebuilding trust in technology after revelations of widespread government spying, Smith talked about Microsoft's first "sea-change" moment. It came in the year after the September 2001 terrorist attacks, when Microsoft, among other Internet companies and telcos, was asked to voluntarily share data with U.S. law enforcement.
In the heat of the moment, in 2002, "it was easy to do things that we wouldn't otherwise do," Smith told Jonathan Zittrain, a professor of law and computer science at Harvard who moderated the event.
The principle that Microsoft adopted at that point and has stayed with is that if it's legally obligated to do something, it will comply, but otherwise it will not. "Our basic message was, if the government didn't feel the law went far enough, it shouldn't ask us to go beyond the law. It should go to Congress and ask Congress to change the law," he said.
The second sea-change was driven by the revelations in mid-2013, by former NSA contractor Edward Snowden, of widespread surveillance and data collection by the U.S. government. One of the biggest impacts of that was a significant loss of trust in technology companies by enterprise customers, Smith said.
"The public's trust on a global basis was changed," he said. The level of concern varies: it is more pronounced in Germany, across Europe and in Brazil, and even came up in conversations with large businesses in Japan. Surveys conducted by Microsoft found a ten to 15-point decline in trust among customers.
Besides strengthening encryption, as most tech companies have done, Microsoft is tackling the issue of trust by bringing its legal resources to bear and implementing changes in its enterprise contracts.
"We said, if the U.S. government came and served a subpoena on us, seeking the email or other records of an enterprise customer, we would resist that, we would go to court, we would argue to a federal judge that that subpoena ought to be served on the customer, not on us. Second, we said that if the data in question were stored exclusively outside the United States, we would go to court and challenge the extraterritorial reach," Smith said.