It’s no secret online service providers hold tons of sensitive data about their customers, which is why EFF calls on companies to stand up to abusive or overbroad government demands for this data. It’s especially important for providers to play this role when the government forces them to stay silent and not notify their users about the government’s demands. In those cases, the service provider is simply the only party able to challenge the government. Unfortunately, companies are too often met with hurdles to vindicating their users’ rights. Two recent cases illustrate some of the problems they face.

Microsoft sued the government last year, challenging portions of the Electronic Communications Privacy Act (ECPA) that allow the government to serve a warrant on the company to get access to customers’ emails and other information stored on remote servers—all without telling users their data is being searched or seized. Microsoft argues that precluding notice to its users violates both its First Amendment rights and its customers’ rights under the Fourth Amendment to be notified of the search. (EFF filed an amicus brief in support of Microsoft.)

Today, Microsoft is facing a hearing on the government’s motion to dismiss the lawsuit. Troublingly, the court has asked the parties to address whether Microsoft should be allowed to assert its customers’ Fourth Amendment rights at all, because in the words of the Supreme Court, Fourth Amendment rights are “personal” and “may not be vicariously asserted.” However, there are well-established precedents allowing third parties to “stand in the shoes” of others and bring a lawsuit. In these cases, standing requires a close relationship between the third party and the individual whose rights are being asserted and a demonstration of circumstances preventing the individual from personally bringing the lawsuit. That’s what allows doctors to sue behalf of patients for the right to an abortion and liquor vendors to challenge unequal, gender-based treatment of their customers, to give just a few examples. Microsoft’s lawsuit fits this model: Microsoft has a close business relationship with its customers, and it is suing for the very reason that the government’s secrecy in demanding data held by Microsoft prevents its customers from asserting their own rights. Even the Foreign Intelligence Surveillance Court of Review, not known for its friendliness to the Fourth Amendment, found in 2008 that Yahoo could sue to protect its customers’ data against warrantless collection by the NSA. Given that the “papers and effects” protected by the Fourth Amendment are increasingly stored not in the home but by companies like Microsoft, barring these companies from suing to protect Fourth Amendment rights would be a great setback for privacy. We’ll be watching closely to see what the court in Microsoft’s case decides.

A closely related issue surfaced in a case involving Facebook, which has spent years trying to quash 381 “bulk warrants” issued by New York State for the contents of users accounts. Back in 2013, a trial court determined that Facebook couldn’t stand in the shoes of its users, and Facebook appealed. Rather than simply relying on the question of “vicarious” standing, however, the intermediate court questioned how and whether the Fourth Amendment even protects the information Facebook was being asked to provide, namely the entire contents of accounts. What’s more, the court determined that even though Facebook’s assistance was required to produce the information, it need not be given a chance to object to the search warrants in advance.

The case has now reached New York’s highest court, and earlier this month, EFF joined an amicus brief written by the law firm of O’Melveny & Myers along with the Brennan Center for Justice, the Center for Democracy & Technology, Access Now, and TechFreedom to highlight the important Fourth Amendment issues at stake. As the brief explains:

Courts should apply the Fourth Amendment with full force to protect against improper government access to personal data that is stored with Internet Service Providers (“ISPs”). This data often includes both “sensitive records previously found in the home” and highly personal information “never found in a home in any form.” . . . The fact that such data is held by a third-party ISP like Facebook should not diminish Fourth Amendment protections. If anything, searches and seizures of data held by ISPs deserve heightened Fourth Amendment scrutiny because the aggregation and remote storage of private data greatly reduces resource constraints on law enforcement and allows for the bulk warrant tactics employed here.

We’re hopeful that the New York court will recognize the importance of allowing third parties to vindicate Fourth Amendment rights of their users and to apply these rights robustly.