Tools and Weapons: The Promise and The Peril of the Digital Age

by Brad Smith

TOOLS AND WEAPONS The Promise and the Peril of the Digital Age BRAD SMITH and CAROL ANN BROWNE

Some say that data has become the oil of the twenty-first century. But that understates the reality. A century ago, automobiles, airplanes, and many trains ran on oil. Today, every aspect of human life is fueled by data. When it comes to modern civilization, data is more like the air we breathe than the oil we burn.

Finally, you enter a cavernous room, a temple to the information age and cornerstone of our digital lives. A hushed hum welcomes you into the nerve center containing floor-to-ceiling racks filled with computers, lined up in a formation that extends beyond your line of sight. This massive library of steel and circuits contains servers each identical in footprint but containing its own unique volume of data. It is the digital world’s filing cabinet. Somewhere in one of these rooms in one of these buildings, there are data files that belong to you. They have the email you wrote this morning, the document you worked on last night, and the photo you took yesterday afternoon. They also likely contain personal information from your bank, doctor, and employer. The files occupy just a tiny sliver of a hard drive on one of these thousands and thousands of computers. Each file is encrypted, meaning that the information is encoded so that only authorized users of that data can read it.

Today Microsoft owns, operates, and leases data centers of all sizes in more than 100 locations in more than 20 countries (and growing), delivering 200 online services and supporting more than a billion customers in more than 140 markets.

providing the platforms needed for cloud computing at a global scale? That’s a different story. As I walk among the thousands of blinking computers, racks of batteries, and enormous generators, it feels like more than a different era. It seems like a different planet. Data center campuses cost hundreds of millions of dollars to build. And once construction ends, the work to maintain and upgrade the facility begins. Sites are expanded, and servers, hard drives, and batteries are upgraded or swapped for newer and more efficient equipment. A data center is never done.

growth, and sometimes on disruption as an end in itself. In

For every current challenge that seems unprecedented, there is often a historical counterpart that, while distinct, has insights for our day.

As the afternoon passed, I mused to John and Dominic, “Perhaps we’re part of a secret club that is so secret we don’t even know we’re a member.”

Just as public officials concluded in the 1930s that banks had become too important to the economy to be left unregulated, tech companies have become too important to be left to a laissez-faire policy approach today. They need to be subject to the rule of law and more active regulation. But unlike the banks of the 1930s, tech companies today operate globally, making the whole question of regulation more complicated.

The Washington Post story indicated that the NSA, in collaboration with its British counterpart, was pulling data from the cables used by American technology companies, potentially without judicial review or oversight. We worried that this was happening where cables intersected in the United Kingdom. As lawyers across the industry compared notes, we theorized that the NSA persuaded itself that by working with or relying upon the British government and acting outside US borders, it was not subject to the Fourth Amendment to the US Constitution and its requirement that the NSA search and seize information only pursuant to due process and court orders. The reaction at Microsoft and across the industry was swift. In the weeks that followed, we and other companies announced that we would implement strong encryption for all the data we moved between our data centers on fiber-optic cables, as well as for data stored on servers in our data centers themselves.28 It was a fundamental step in protecting customers, because it meant that even if a government siphoned up customer data by tapping into a cable, it would almost certainly be unable to unlock and read what it had obtained.

it’s always harder to challenge someone when you’re visiting his or her house. Especially when it’s the White House.

Years later, people still debate whether Edward Snowden was a hero or traitor. In the eyes of some, he was both. But by early 2014, two things were clear: He had changed the world; and across the tech sector, he had changed us as well.

to turn on a dime

When email was still a rarity, these new warrants and gag orders were few and far between. But once the internet exploded and data center campuses emerged with hundreds of thousands of computers, life became far more complex. Today, twenty-five full-time employees—compliance experts, lawyers, engineers, and security professionals—make up our Law Enforcement and National Security team. They work with broad support provided by numerous law firms around the world, and they’re known across Microsoft as the LENS team. Their mission is straightforward: to review and respond globally to law enforcement requests under the laws of different countries and in accordance with our contractual obligations to our customers. This is no small task. The LENS team operates from seven locations in six countries on three continents. During a typical year, they address more than fifty thousand warrants and subpoenas from more than seventy-five countries.5 Only 3 percent of these demands are for content. In most cases, authorities are looking for IP addresses, contact lists, and user registration data.

When Microsoft receives a warrant, it typically comes through email. A compliance manager reviews the demand to ensure that it’s valid and signed by a judge, that the authorities have probable cause, and that the agency has jurisdiction over the information. If everything checks out, the compliance manager will pull the requested evidence from our data center. The data is reviewed for a second time to make certain that we are only producing exactly what’s specified in the warrant, and it’s then sent to the requesting authority. As one LENS employee explained to me, “It sounds simple, but it takes a lot of time to do a good job. You need to review the warrant itself, review the account information associated with it, pull the information, and then review it again to be certain that what you’re providing is appropriate.” When a compliance manager concludes that a warrant is too broad or the request exceeds an agency’s jurisdiction, the case is escalated to an attorney. Sometimes we ask for warrants to be narrowed. Other times we deem the warrant unlawful and refuse to comply.

“I’ve learned from David that good litigation results are not actually hard to achieve. You just have to fight the cases you deserve to win and settle the cases you deserve to lose.” The key was having someone like David who could discern the difference.

In 2012, Supreme Court justices declared in a 5–4 decision that the Fourth Amendment required that the police get a search warrant before putting a GPS locator on a suspect’s car.14 While the other justices found that the “physical intrusion” of attaching a device to someone’s car required a search warrant, Justice Sonia Sotomayor recognized that in the twenty-first century, law enforcement didn’t necessarily need to physically intrude to track someone’s location. GPS-enabled smartphones, which create remote records of someone’s location, were starting to spread. They revealed all sorts of personal information that the government could mine for years. As Sotomayor put it, unless this type of surveillance was safeguarded under the Fourth Amendment, it could “alter the relationship between citizen and government in a way that is inimical to democratic society.”

Justice Sotomayor captured something else that we thought was fundamental. For almost two centuries the Supreme Court had said the Fourth Amendment failed to protect information that was widely shared, on the theory that people no longer had a “reasonable expectation of privacy.” Now, however, Sotomayor noted, privacy meant the ability to share information but determine who can see this information and how it will be used. She was the first justice to articulate this shift, and the big question was whether the other justices would embrace

Two years later, an answer began to emerge. In the summer of 2014, Chief Justice John Roberts wrote an opinion for a unanimous Supreme Court.16 The justices decided that the police needed a warrant to search someone’s cell phone, even if the person was under arrest for committing a crime. As Roberts put it, “Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans the privacies of life.”

While the Fourth Amendment was adopted to protect people in their homes, Roberts explained that modern phones “typically expose to the government far more than the most exhaustive search of a house: A phone not only contains in digital form many sensitive records previously found in the home; it also contains a broad array of priva...

We cheered when we read what Roberts wrote next. For the first time, the Supreme Court in effect addressed the files stored in our data centers, like the one in Quincy. “The data a user views on many modern cell phones may not in fact be stored on the device itself,” he wrote. “The same type of data may be stored locally on the device for one user and in the cloud for another.”18 For the first time, the Supreme Court recognized that a search of a phone reached far beyond what was in a per...

He was tough, but smart and fair. He kept our litigators on their toes, and from my vantage point, that was a good place for them to be.

As we filed our lawsuit, we shared our data from the preceding eighteen months, which showed that we had received more than twenty-five hundred gag orders applicable to individuals, effectively silencing us from speaking to customers about the legal process seeking their personal information.20 Notably and even surprisingly, 68 percent of the total contained no fixed end date at all. This meant that we effectively were prohibited forever from telling our customers that the government had obtained their data.

Lawsuits typically are blunt instruments. By themselves, they can only determine if current processes are lawful. They can’t craft a new proposal that addresses how technology should be governed. That requires real conversation and sometimes negotiation and even new legislation. In this case, the lawsuit had done what was needed, bringing everyone to the table to talk about the future. But getting everyone to sit down together on other issues remained an ongoing challenge, one that would become even more difficult and important.

The once top-secret military compound had been part of the headquarters of the Stasi, short for State Security Service. The Stasi served as East Germany’s “shield and sword,” ruling over the country with repressive surveillance and psychological manipulation. By the time the Berlin Wall fell, the Stasi employed almost ninety thousand operatives backed by a secret network of more than six hundred thousand “citizen watchdogs” who spied on their East German coworkers, neighbors, and sometimes their own family.1 The Stasi accumulated a staggering number of records, documents, images, and video and audio recordings that if lined up would stretch sixty-nine miles.2 Citizens who were considered flight risks, threats to the regime, or asocial were detained, intimidated, and interrogated at Hohenschönhausen from the end of World War II until the end of the Cold War.

The experiences under the Nazis and Stasi, he explained, had made modern-day Germans wary of electronic surveillance. And the Snowden revelations had only fed those suspicions. “If data is collected, it can always be abused,” he said. “It’s important that, as we operate around the world, we remember that governments can change over time. Look what happened here. Data collected about people—their political, religious, and social views—can fall into the wrong hands and cause all sorts of problems.”

Snowden revelations had only fed those suspicions. “If data is collected, it can always be abused,” he said. “It’s important that, as we operate around the world, we remember that governments can change over time. Look what happened here. Data collected about people—their political, religious, and social views—can fall into the wrong hands and cause all sorts of problems.”

Privacy wasn’t just a regulation that we had to abide by, but a fundamental human right that we had an obligation to protect.

A decade ago, some in the tech sector thought they could serve the customers of the world solely from data centers in the United States. But soon real-world experience dispelled this notion. People expected web pages, emails, and documents with photos or graphics to load on their phones and computers instantaneously. Consumer tests showed that a delay of just a half second would get under people’s skin.4 The laws of physics required building data centers in more countries, so this content wouldn’t have to travel on cables halfway around the world. This geographic proximity is key to reducing what we call data latency, or the lag in transmission.

As I commented to officials while visiting nations in the Middle East, “Ireland is to data what Switzerland is to money.” In other words, it is a place where people should want to store their most precious personal information. It feels like the last place that would produce a modern-day counterpart to the Stasi prison we had walked through in Berlin.

The pressure to put data centers in more countries is giving rise to what rapidly is becoming one of the world’s most important human rights issues. With everyone’s personal information stored in the cloud, an authoritarian regime bent on broad surveillance can unleash draconian demands to monitor not only what people are communicating, but even what they’re reading and watching online. And armed with this knowledge, governments can prosecute, persecute, or even execute those individuals they consider threats.

There are days and nights that test the moral courage of those responsible for the cloud.

Use technology to improve what can be improved while respecting what works well already.

It was the fourth time Microsoft had argued a case before the Supreme Court. I’ve always found it a striking experience. We bring the issues created by the world’s most modern technology into a courtroom that looks the way it did almost a century ago. No phones and no laptops are permitted. Each time, after I leave my devices behind, I take my seat in the massive red chamber that resembles a curtained stage. I then gaze up at the courtroom’s lone piece of technology: a clock.

At one level, asking for an act of Congress felt like asking for an act of God.

One thing we had learned long ago was that it was more fun to fight a battle but typically more rewarding to strike a deal. It usually was the only way to make progress. And deals required some give-and-take.

Before it ran its course, the world would remember it by the name WannaCry, a malicious string of software code that not only made IT administrators want to cry but served as a disturbing wake-up call for the world.

As one of our security leaders put it, “The NSA developed a rocket and the North Koreans turned it into a missile, the difference being the thing at the tip.” Essentially the United States had developed a sophisticated cyberweapon, lost control of it, and North Korea had used it to launch an attack against the entire world.

Expecting sixteen-year-old software to defend against today’s military-grade attacks was like digging trenches to defend against missiles.

As they noted in the Times, it was impossible to know what caused any specific missile failure, but Defense Secretary James Mattis had been cryptic in commenting on this one, saying only that “The president and his military team are aware of North Korea’s most recent unsuccessful missile launch. The president has no further comment.” This from a president who is seldom known for having no further comment.

As our security experts noted, North Korea had used ransomware before, but their tradecraft had been different. They had selected high-value targets such as banks and demanded large sums of money in a discreet way. Indiscriminate demands to pay three hundred dollars to unlock a machine represented a departure, to say the least. What if the whole ransomware approach was just a cover to throw the press and public off the real message, which was intended to be more discreetly understood by US and allied officials? If North Korea was responding with its own cyberattack to a US cyberattack, then the whole episode was even more significant than people have appreciated. It was the closest thing the world has experienced to a global “hot” cyberwar. It would mean that this was an attack in which the impact on civilians represented more than collateral damage. It was the intended effect.

In a world where everything is connected, anything can be disrupted.

Diplomats across Europe agreed. “We know there’s more to be done, but we don’t yet know what we should do,” one European ambassador said to me at the United Nations in Geneva. “And even if we did, it’s not easy to get governments to agree on anything at the moment. This is an issue where tech companies will need to lead. That’s

In 1787, as the American constitutional convention reached its conclusion in Philadelphia, Benjamin Franklin was asked as he departed Independence Hall what type of government the delegates had created. He famously replied, “A republic, if you can keep it.”1 That statement would echo across the country and through the ages. It underscored that a democratic republic was not just a new form of government, but one that would require vigilance and at times action to protect and maintain it.

Many Republicans were reluctant to take on the Russians because they thought it implicitly meant undercutting a Republican president. And some Democrats seemed to find more joy in criticizing Donald Trump than in taking effective action to address the Russian government.

Just two weeks later we were in Wellington, New Zealand’s capital, on a trip that had been months in the making. New Zealand’s Prime Minister, Jacinda Ardern, who had handled the shock and crisis with extraordinary judgment and grace, had given a speech that captured a marked shift toward social media. “We cannot simply sit back and accept that these platforms just exist and that what is said on them is not the responsibility of the place where they are published,” she said.19 She then referred to social media sites even more emphatically, “They are the publisher, not just the postman. It cannot be a case of all profit, no responsibility.”

Working through a free internet browser plug-in, NewsGuard displays green or red icons next to links on search engines and social media feeds, including Facebook, Twitter, Google, and Bing, indicating whether a site is “trying to get it right or instead has a hidden agenda or knowingly publishes falsehoods or propaganda.”33 In addition to rating news and information websites, NewsGuard applies a blue icon for platform sites that host user-generated content and an orange icon for humor or satire sites designed to look like legitimate news. There are gray icons for websites that haven’t yet been reviewed and rated.

Ultimately, there are two broader lessons that emerge. First, initiatives from the public and private sectors will likely need to move forward together and complement each other. And, second, despite the novelty of current technology, there is a lot to learn from the challenges of the past.

Interestingly, foreign interference in democracy is almost as old as the United States itself. A democratic republic by its very nature is subject to disruption—both foreign and domestic—by efforts to disrupt confidence and sway public opinion. The first person to realize this was an early French ambassador to the United States named Edmond Charles Genêt. He arrived in America in early April 1793, just a few weeks before President George Washington officially declared the United States’ neutrality in the expanding war between France and the United Kingdom. Genêt was on a mission to tip the young republic toward supporting France, including by persuading the United States to accelerate the repayments of its debt to his country and by enabling attacks on British shipping by armed privateers operating from US ports. If required, he was prepared to spark an attempt to overthrow the country’s young government.

Genêt’s arrival sparked increasing tension within Washington’s cabinet, with Thomas Jefferson sympathetic to the French and Alexander Hamilton sympathetic to the British. Genêt sought to appeal directly to the American public for his cause, a move that, in the words of one historian, did more than spark the origins of our two-party system. “Political dialogue was impassioned, street brawls were not uncommon, and old friendships were severed.”35 In 1793, W...