Last week, a federal court in Seattle issued a ruling in Microsoft’s ongoing challenge to the law that lets courts impose indefinite gag orders on Internet companies when they receive requests for information about their customers. Judge James Robart—he of recent Washington v. Trump fame—allowed Microsoft’s claim that the gags violate the First Amendment to proceed, denying the government’s motion to dismiss that claim. It’s an important ruling, with implications for a range of government secrecy provisions, including national security letters (NSLs). Unfortunately, the court also dismissed Microsoft’s Fourth Amendment claim on behalf of its users.

When tech companies can’t tell users that the government is knocking

Before looking at the substance of Judge Robart’s ruling, it’s worth remembering why EFF thinks Microsoft’s lawsuit is important. In fact, we’d go so far as to say that challenging gag orders imposed alongside government data requests is one of the key digital civil liberties issues of our time. That’s true for at least two reasons:

First, there has been a sea change in where we keep our sensitive personal information— “papers and effects” protected by the Fourth Amendment and records of First Amendment-protected speech and association. Just twenty or thirty years ago, most or all of this information would have been found in people’s homes or offices. In order to get at your information—whether by breaking down your door or serving you with a grand jury subpoena—the government usually couldn’t help tipping you off. These days, private information is more likely to be stored in Microsoft Office 365 or with another third-party provider than a home office. In that case, you won’t know the government is interested in your information unless you hear from the government or the third-party provider. But the government isn’t always required to notify the targets of data requests, and it routinely gags providers from notifying their users. The long-standing default—notice that the government is after your information—has in just a short time effectively flipped to no notice.

Second, gags distort the public’s understanding of government surveillance and correspondingly place far more responsibility on providers. The statutory provision at issue in Microsoft’s lawsuit, 18 U.S.C. § 2705, applies in criminal cases. This statute allows the government to gag service providers if a court finds that informing the user will result in one of several enumerated harms—death or injury to a particular person, destruction of evidence, witness tampering, and so on. But as Microsoft’s complaint explains, Section 2705 gag orders accompany at least half of the data demands the company receives, and courts often grant them without explicit findings of potential harm. In many cases, they also do so without setting a date for the gag to dissolve. The result is a de facto permanent gag order. That’s an abuse of what is intended as a limited power, granted to the government to protect specific, sensitive investigations.

Unless a provider takes extraordinary steps—like filing a facial constitutional challenge as Microsoft did—it’s likely that the public won’t be aware of this abuse. This intensifies the role that providers play as trustees of our data. That’s why EFF tracks both transparency reports and user notification as part of our annual Who Has Your Back report. We don’t just rely on companies to keep our data secure, we also need them to stand up to the government on our behalf. It’s a point often missed by those who dismiss companies’ growing commitments to privacy as empty marketing. If not Microsoft, Apple, Google, Facebook and all the others, then who?

The ruling: first-party prior restraints and third-party Fourth Amendment rights

Despite the importance of these issues, the government argued that Microsoft’s challenge should be bounced out of court at the preliminary motion to dismiss stage. On the First Amendment claim, at least, the court disagreed. Microsoft’s basic argument will be familiar if you’ve followed EFF’s NSL cases: when the government prevents you from speaking in advance, it’s known as a prior restraint. Under the First Amendment, prior restraints must meet “exacting scrutiny” and are rarely constitutional. Here, the court found that Microsoft had more than adequately alleged that Section 2705 does not meet this exacting scrutiny because it does not require courts to time-limit gags to situations where they are actually necessary based on the facts of the case.

This is nearly identical to one of the issues in EFF’s NSL cases—NSLs similarly allow the FBI to gag service providers indefinitely. However, NSLs are even more egregious in several ways: the FBI can issue them without any involvement by a court at all, and it need not even claim that one of the specified harms will actually result without an NSL gag. We hope the Ninth Circuit will consider our NSL clients’ arguments about their First Amendment rights as thoroughly as Judge Robart did here.

Finally, the court reached an unsatisfying conclusion about Microsoft’s attempt to raise its users’ Fourth Amendment rights. As EFF explained in our amicus brief earlier in the case, notice of a search is a core part of the Fourth Amendment’s protections. When Microsoft is precluded from notifying users, it is the only party with knowledge of the search and therefore should be able to raise its users’ Fourth Amendment rights. Nevertheless, the court found that Fourth Amendment rights are inherently personal and cannot be raised by a third party, leading it to dismiss Microsoft’s claim. We think that’s wrong on the law, and we hope Microsoft will consider seeking leave to appeal. Meanwhile, we’ll watch as the case progresses on Microsoft’s First Amendment claim.