Tools and Weapons: The Promise and The Peril of the Digital Age

by Brad Smith

Centuries later, when Johannes Gutenberg invented the mechanical printing press, the flame became a fire that empowered writers and readers alike. That fire would sweep the world. The ensuing centuries produced an explosion in commerce that was both cause and consequence of increasing communication. By the early twentieth century, every office needed a facility to store documents. Rooms were filled with filing cabinets.

One of the best places to see the inner workings of the cloud is the world’s capital of apples. The tiny town of Quincy, Washington, sits roughly 150 miles east of Seattle off Interstate 90. Its location is no accident. Quincy is in the center of the state’s agricultural basin, perched near a steep gorge carved for millennia by the wide and rolling Columbia River, the largest waterway in the western United States. The town is powered by a network of hydroelectric plants, including the Grand Coulee Dam, the largest power station in the United States. It’s an ideal setting for what has become the world’s biggest consumer of electricity, the modern data center.

It’s thrilling—and a bit eerie—to take in the sheer size of a data center. Our facilities in Quincy are no longer just a single building. They fill two data center campuses with more than twenty buildings, totaling two million square feet. Each building is the size of two football fields and is big enough to house two large commercial airplanes. This collection of buildings is home to hundreds of thousands of server computers and millions of hard disks, each of which is replaced with faster, more efficient models every three years.

Today Microsoft owns, operates, and leases data centers of all sizes in more than 100 locations in more than 20 countries (and growing), delivering 200 online services and supporting more than a billion customers in more than 140 markets.

Two decades ago, we were thrust into the heart of what might be considered modern information technology’s first collision with the world. In the United States, the Department of Justice and twenty states brought an antitrust lawsuit and sought to break Microsoft into pieces. Governments in other countries followed with their own cases. Competition officials concluded that the Windows operating system was too important to be left unregulated. While we successfully defended against the breakup of the company, it was a difficult, bruising, and even painful experience. When I was appointed the company’s general counsel in 2002, it became my job to hammer out the equivalent of peace treaties with governments around the world and companies across the tech sector. It took almost a decade,6 and we made more than our share of mistakes.

The tech sector cannot address these challenges by itself. The world needs a mixture of self-regulation and government action.

The news struck a nerve with the public, and for good reason. The assertions flew in the face of the privacy protections that democratic societies had taken for granted for more than two centuries. These rights, which we rely on to protect your information in our Quincy data center today, were born in the eighteenth century during a boiling controversy in the streets of London. The man who ignited the political firestorm was a member of Parliament himself. His name was John Wilkes.

In 1942, shortly after the bombing of Pearl Harbor, President Franklin D. Roosevelt, swayed by the military and by public opinion, signed an executive order forcing 120,000 Americans of Japanese descent into remote camps, caged in by barbed wire and armed guards. Two-thirds of those imprisoned had been born in the United States. When the order was rescinded three years later, most had lost their homes, farms, businesses, and communities.

Just as public officials concluded in the 1930s that banks had become too important to the economy to be left unregulated, tech companies have become too important to be left to a laissez-faire policy approach today.

His article said that the NSA, with the help of the British government, was surreptitiously tapping into undersea fiber-optic cables to copy data from Yahoo and Google networks. While we could not verify whether the NSA was targeting our cables, some of Snowden’s documents also referred to our consumer email and messaging services.27 That made us suspect we had been tapped as well. To this day, the US and British governments have not spoken publicly to deny hacking into data cables.

In 1986, President Ronald Reagan signed the Electronic Communications Privacy Act, affectionately known by today’s privacy lawyers as ECPA. At the time, no one knew whether the Fourth Amendment would protect something like electronic mail, but Republicans and Democrats alike wanted to create this type of statutory protection. As sometimes happens in Washington, DC, in 1986 Congress acted with good intentions but in a way that was far from simple. Part of ECPA was the Stored Communications Act, which created what was basically a new form of search warrant. With probable cause, the government could go to a judge, secure a search warrant for your email, and serve the warrant not on you but on the tech company where your email and electronic documents were stored.

Today, twenty-five full-time employees—compliance experts, lawyers, engineers, and security professionals—make up our Law Enforcement and National Security team. They work with broad support provided by numerous law firms around the world, and they’re known across Microsoft as the LENS team. Their mission is straightforward: to review and respond globally to law enforcement requests under the laws of different countries and in accordance with our contractual obligations to our customers. This is no small task. The LENS team operates from seven locations in six countries on three continents. During a typical year, they address more than fifty thousand warrants and subpoenas from more than seventy-five countries.5 Only 3 percent of these demands are for content. In most cases, authorities are looking for IP addresses, contact lists, and user registration data.

In 2013, we stated publicly that we would notify our business and government customers if we received legal orders for their data.13 If a gag order prohibited us from telling them, we’d challenge the order in court. We’d also direct government agencies to go straight to our customers for information or data about one of their employees—just as they did before these customers moved to the cloud. And we’d go to court to make it stick.

The Stasi served as East Germany’s “shield and sword,” ruling over the country with repressive surveillance and psychological manipulation. By the time the Berlin Wall fell, the Stasi employed almost ninety thousand operatives backed by a secret network of more than six hundred thousand “citizen watchdogs” who spied on their East German coworkers, neighbors, and sometimes their own family.1 The Stasi accumulated a staggering number of records, documents, images, and video and audio recordings that if lined up would stretch sixty-nine miles.2 Citizens who were considered flight risks, threats to the regime, or asocial were detained, intimidated, and interrogated at Hohenschönhausen from the end of World War II until the end of the Cold War.

And the Snowden revelations had only fed those suspicions. “If data is collected, it can always be abused,” he said. “It’s important that, as we operate around the world, we remember that governments can change over time. Look what happened here. Data collected about people—their political, religious, and social views—can fall into the wrong hands and cause all sorts of problems.”

Privacy wasn’t just a regulation that we had to abide by, but a fundamental human right that we had an obligation to protect.

As I commented to officials while visiting nations in the Middle East, “Ireland is to data what Switzerland is to money.” In other words, it is a place where people should want to store their most precious personal information. It feels like the last place that would produce a modern-day counterpart to the Stasi prison we had walked through in Berlin.

The pressure to put data centers in more countries is giving rise to what rapidly is becoming one of the world’s most important human rights issues. With everyone’s personal information stored in the cloud, an authoritarian regime bent on broad surveillance can unleash draconian demands to monitor not only what people are communicating, but even what they’re reading and watching online. And armed with this knowledge, governments can prosecute, persecute, or even execute those individuals they consider threats. This is a fundamental fact of life that everyone who works in the tech sector needs to remember every day. We’re fortunate to work in one of the most lucrative economic sectors of our lifetime. But the money at stake pales in comparison to the responsibility we have for people’s freedom and lives.

Use technology to improve what can be improved while respecting what works well already.

It was given a new name, the Clarifying Lawful Overseas Use of Data Act, or CLOUD Act. The legislation had provisions that we cared about. It balanced the international reach for search warrants that the DOJ wanted with a recognition that tech companies could go to court to challenge warrants when there was a conflict of laws. This meant that if Ireland, Germany, or the entire European Union wanted to block unilateral foreign search warrants through their local laws and instead compel a more transparent or collaborative approach, they could do so and we could rely on this in a US courtroom.

Engineers in the Microsoft Threat Intelligence Center, which we call MSTIC (pronounced “mystic”), quickly matched the malware to code that a group called Zinc had experimented with two months earlier. MSTIC gives each nation-state hacking group a code name based on an element from the periodic table.

The New York Times soon reported that the most sophisticated piece of the WannaCry code was developed by the US National Security Agency to exploit a vulnerability in Windows.5 The NSA had likely created the code to infiltrate its adversaries’ computers.

On June 27, 2017, a cyberattack pummeled Ukraine, using the same software code stolen from the NSA, disabling an estimated 10 percent of all computers in that country.11 The attack was later attributed by the United States, the United Kingdom, and five other governments to Russia.12 Security experts dubbed it NotPetya because it shared code with a known ransomware named after the armed satellite Petya, which was part of the Soviet Union’s fictional GoldenEye weapon in the 1995 James Bond movie of the same name.13 That weapon could knock out electronic communications across a thirty-mile radius. In the nonfiction world of 2017, the NotPetya attack had a far broader reach. It rippled across Ukraine, crippling businesses, transit systems, and banks, then continued spreading outside the country’s border, infiltrating multinationals including FedEx, Merck, and Maersk. The Danish shipping giant saw its entire worldwide computer network grind to a halt.14

In conversations with diplomats around the world, we heard the same skepticism: “No one has been killed. These aren’t even attacks on people. They’re just machines attacking machines.” As we also found, perhaps more than any prior advance in weapons technology, views about cybersecurity fall along generational lines. Younger generations are digital natives. Their entire lives seem to be powered by technology, and an attack on their device is an attack on their home. It’s personal. But older generations don’t always see the impact of a cyberattack the same way. This leads to an even more sobering question. Can we wake up the world before a digital 9/11? Or will governments continue to hit the snooze button?

In 1787, as the American constitutional convention reached its conclusion in Philadelphia, Benjamin Franklin was asked as he departed Independence Hall what type of government the delegates had created. He famously replied, “A republic, if you can keep it.”

The email was from Tom Burt, a deputy general counsel at Microsoft. The subject line read “Urgent DCU Issue.” DCU is Microsoft’s Digital Crimes Unit, one of the teams Tom managed. We created it fifteen years ago, and somewhat to my surprise it has remained unique in the tech sector. It comprises more than a hundred people around the world and includes former prosecutors and government investigators, as well as top-tier forensic, data, and business analysts. The DCU was born out of our anti-counterfeiting work in the 1990s but evolved into a digital swat team to work with law enforcement when we saw new forms of criminal activity begin to proliferate on the internet.2

We had recently watched Strontium as it had created six websites that clearly targeted American politicians. Three were focused on the US Senate, and two others were particularly noteworthy. One of these appeared to target the International Republican Institute, or IRI, which was a leading Republican organization that supported democratic principles around the world. The other appeared to target the Hudson Institute, a conservative think tank that had objected strongly to a variety of Russian policies and tactics. Put together, these provided a solid indication that Strontium was not targeting Democrats alone and instead was focusing on both sides of the American political aisle. The DCU secured a court order to transfer control of all six sites to our sinkhole. We concluded that we had acted before anyone had been hacked. Now the question was how public we should be about it. There was sure to be an active debate among the various groups within Microsoft. But it was a good time to encourage a more wide-ranging public discussion, especially now that the hacking was impacting both political parties.

Innovative efforts are starting to spread, including at Microsoft, where research led in May 2019 to the launch of ElectionGuard, an encrypted voting system that protects individual ballots and their collective tallies.12 It’s an open-source-based software system that uses inexpensive and off-the-shelf hardware and combines the best of old and new technology. A voter chooses candidates on an electronic screen, which then records these choices on a paper ballot that’s printed and the voter deposits, ensuring a paper record for any post-election audit that might be needed. The voter also receives a personal printout with an electronic tracking number that uses an encrypted algorithm to reflect his or her selections. This tracking record can be checked online later to confirm that an individual’s votes remain recorded accurately. The overall solution provides a trusted and secure count of every vote cast. It’s the type of approach that is vital to the security and functioning of a democracy.

Just as democratic governments and industry worked together to win a world war in the 1940s, today they must develop a unified response to protect the peace. And as authoritarian regimes experiment with disinformation campaigns, even more complex challenges lie ahead.

People seek out online groups of like-minded people that replicate communities that have always characterized human society. These groups in turn become more connected but less open, choosing their preferred channel and the people they want to interact with. They share information based only on a single vantage point. As in the real world, people can be quick to believe the worst about others, especially people they perceive as different from them. People’s defense mechanisms start to kick in. Idealism, in short, collides with human nature. Who figured this out and capitalized on it before anyone else? It was people who, like the Estonians, had lived their lives under a combination of repression and freedom, perhaps able to appreciate this dynamic more quickly than others—the Estonians’ neighbors across the Russian border. And who were the last to wake up? Idealistic Americans on the west coast of the United States who had lived their entire lives in freedom.

I was especially struck by the world’s focus on Facebook when we attended the Munich Security Conference in February 2018. Founded in 1963 and now led by respected former German diplomat Wolfgang Ischinger, the annual summit brings together defense ministers and other military and national leaders from around the world to discuss international security policy. In 2018, the attendee list included some of my peers from the information technology industry.

As radios became ubiquitous in the latter half of the 1930s, concerns about its societal impact spread. As noted in a 2010 article in Slate, “The wireless was accused of distracting children from reading and diminishing performance in school, both of which were now considered to be appropriate and wholesome. In 1936, the music magazine The Gramophone reported that children had ‘developed the habit of dividing attention between the humdrum preparation of their school assignments and the compelling excitement of the loudspeaker’ and described how the radio programs were disturbing the balance of their excitable minds.”

As these show, there is likely to be room for complementary regulatory approaches, combining a more narrow focus on specific categories of objectionable content with a broader effort to provide users with more information on its sources. One important feature of the latter approach is its emphasis on addressing the spread of disinformation not by assessing whether content itself is true or false but instead by providing social media users with accurate information on people’s identity. It’s a commonsense approach that’s been adopted in modern-day political advertising. Leave it to the public to decide what is true. But let them make that decision based on an accurate understanding of who is speaking. And in the twenty-first century, let the public know whether it’s a human being or an automated bot that’s doing the talking.

Interestingly, foreign interference in democracy is almost as old as the United States itself. A democratic republic by its very nature is subject to disruption—both foreign and domestic—by efforts to disrupt confidence and sway public opinion. The first person to realize this was an early French ambassador to the United States named Edmond Charles Genêt. He arrived in America in early April 1793, just a few weeks before President George Washington officially declared the United States’ neutrality in the expanding war between France and the United Kingdom. Genêt was on a mission to tip the young republic toward supporting France, including by persuading the United States to accelerate the repayments of its debt to his country and by enabling attacks on British shipping by armed privateers operating from US ports. If required, he was prepared to spark an attempt to overthrow the country’s young government.

Casper is not your typical ambassador. And he doesn’t have a typical assignment. He is the first person to serve as Denmark’s tech ambassador, responsible for connecting the Danish government to tech companies around the world. His “embassy” has more than twenty employees working on three continents, with staff in the United States, China, and Denmark. When I had met with a group of European ambassadors in Copenhagen the preceding spring, Casper’s new job was on people’s minds. The Danish foreign minister, Anders Samuelsen, had proclaimed the position “a world first” and a necessity, stating that tech companies affect Denmark as much as countries do. “These companies have become a type of new nation and we need to confront that.”

These nuclear risks weighed heavily on President Reagan on June 4, 1983, as he helicoptered to Camp David in rural Maryland with a stack of classified arms control documents. As a storm rolled into the Appalachians that evening, Reagan, with his wife, Nancy, settled into the lodge for a movie—one of the 363 films the former movie star would watch during his two-term presidency.10 A writer for the new film, WarGames,11 had arranged a screening; it had premiered the day before. The thriller features a teenage hacker who goes from changing his grades in the high school’s computer to stumbling into a supercomputer at the North American Aerospace Defense Command, or NORAD, and nearly starting World War III. The Cold War tale spooked the commander in chief. Two days later during a high-level meeting at the White House, he asked whether anyone had seen the movie. Receiving blank looks, he described the plot in detail, before asking the chairman of his Joint Chiefs of Staff if the plot line was plausible.12 That conversation set off a chain of decisions that led to the first federal forays into cybersecurity. Life imitated art, leading in part to the passage of the Computer Fraud and Abuse Act to make the hacking portrayed in the movie illegal.13

Launched just a little more than six months apart, the Paris and Christchurch calls highlight the progress the world can make by advancing what Casper Klynge likes to call “techplomacy.” Instead of relying on governments alone, a new approach to multi-stakeholder diplomacy brings governments, civil society, and tech companies together.

Before the diplomatic conference convened in 1932, Albert Einstein, the greatest scientist of his age, proffered a warning that fell on deaf ears. Technology advances, he cautioned, “could have made human life carefree and happy if the development of the organizing power of man had been able to keep step with his technical advances.”35 Instead, “the hardly bought achievements of the machine age in the hands of our generation are as dangerous as a razor in the hands of a three-year-old child.” The conference in Geneva ended in failure, and before the end of the decade, that failure had translated into unimaginable global devastation.

One of the biggest features in the GDPR is in effect a privacy bill of rights. By giving consumers certain rights, it requires that companies not just avoid certain practices but create new business processes. For example, companies with personal information are required to enable consumers to access it. Customers have a right to know what information a company has about them. They have a right to change the information if it’s inaccurate. They have a right to delete it under a variety of circumstances. And they have a right to move their information to another provider if they prefer.

In early 2016, we assembled a team with some of our best software architects. They had two years before the GDPR would take effect on May 25, 2018, but they had no time to spare. The architects needed first to turn to lawyers, who defined what the GDPR required. With the lawyers, they then created a specification that listed all the technology features our services would need to enable. The architects then crafted a new blueprint for the processing and storage of information that would apply to all our services and make these features effective. By the last week of August, the plan was ready for review at a meeting with Satya and the company’s senior leadership team. Everyone knew that the blueprint called for a massive amount of engineering work. We’d need to move more than three hundred engineers to work full-time on the project for at least eighteen months. And in the final six months before the GDPR implementation date, the number would swell into the thousands. It represented a financial commitment in the hundreds of millions of dollars. It was not a meeting that anyone wanted to miss. Some cut short their vacation to be there. The engineering and legal teams walked through the blueprint, timelines, and resource allocations. It impressed everyone. And in some ways, it surprised everyone. As the meeting progressed, Satya suddenly exclaimed with a bit of a chuckle, “Isn’t this great?” He continued, “For years it has been next to impossible to get all the engineers acros...

Satya signed off on the plan. Then he turned to everyone and added a new requirement. “As long as we’re going to spend all the time and money to make these changes, I want to do this for more than ourselves,” he said. “I want every new feature that’s available for our use as a first party to be available for our customers to use as a third party.” In other words, create technology that could be used by every customer to comply with the GDPR. Especially in a data-dominant world, it made complete sense. But it also added more work. All the engineers in the room gulped. They left the meeting knowing they’d need to put even more people on the project.

At the last possible minute, the legislature adopted the California Consumer Privacy Act of 2018, and Governor Jerry Brown quickly signed the measure. It was the strongest privacy law in the history of the United States. Like the GDPR, it gives the Golden State’s residents the right to know what data companies are collecting on them, to say no to its sale, and to hold firms accountable if they don’t protect personal data.

When we sat down with Mactaggart in San Francisco, it was impossible not to be impressed. It would have been easy to see him as a threat—an activist looking to rein in an industry that had become too powerful. Instead, we found a likable pragmatist who was thinking broadly about the future. “This isn’t over,” he said. “We’ll be talking about technology and privacy for the next hundred years. Just like we do with antitrust law more than a century after the Standard Oil case.”

According to the FCC’s 2018 broadband report, more than twenty-four million Americans, more than nineteen million of whom live in rural communities, lacked access to fixed high-speed broadband.2 That’s roughly the population of New York state.

If we can find new ways to combine doing good with doing well, we open the door to even more investments that can reignite economic growth in rural areas.

The implications are multifaceted and even profound. To succeed in the digital era, companies need to recruit world-class talent, both homegrown and from elsewhere. Local communities need to ensure their citizens are equipped with new technology skills. Countries need immigration policies that give them access to the world’s top talent. Employers need to develop a workforce that reflects and understands the diversity of the customers and citizens they serve. This requires not only bringing more diverse people together but also creating a culture and the processes that will enable employees constantly to learn from each other. Finally, as technology accelerates growth in key urban centers, these regions need to manage the challenges this growth is creating, not just for individual institutions, but for the entire community.

MSR has more than twelve hundred PhDs, eight hundred of whom have computer science degrees.

One exhibit that was at the top of our must-see list was Private AI, a recent breakthrough that better protects people’s privacy by creating the technical capability to train AI algorithms on data sets that remained encrypted. The Private AI team crowded around their exhibit and enthusiastically answered our questions. These men and women were clearly a close-knit group and knew each other well. But as the conversation wrapped up, we realized something else remarkable. This team of eight came from seven countries. There were two Americans and one person each from Finland, Israel, Armenia, India, Iran, and China. All eight now lived in the Seattle area and worked together on our Redmond campus.

Away from the public glare of politics, we sometimes encounter a similar situation. A tug-of-war emerges over a single issue in the world of business or regulation. It becomes a contest that inevitably will produce one winner and one loser. It’s a recipe for a sustained impasse, for getting nothing done. Ironically, the answer to such problems is sometimes to broaden the challenge. One tenet I always employed in negotiations was a simple one: Never let a negotiation narrow to a single issue that can produce only one winner, even if it means holding open some other topics on which agreement might seem in reach. Instead, broaden the discussion so that more issues are on the table. Create the opportunity for more give-and-take and a round of compromises that can produce a scenario that enables everyone to claim victory in the final stage. It was an approach that had proven indispensable to our ability to work through difficult antitrust and intellectual property disputes with governments and companies around the world. It led us to believe that it could play a role in addressing immigration issues as well. After all, there needed to be a real and fair balance between filling new tech jobs in the United States with immigrants and creating even more jobs that would be filled by American citizens.

I mentioned that I had sat down for a cup of coffee on a recent Saturday morning with Steve Mylett, the police chief of Bellevue, the largest city outside Seattle. I had asked to meet to share concerns raised by some of our employees about racial challenges they sometimes face in the community, including their perceptions of local police. He was open and receptive to hearing my views, and he shared a fact that was new to me: The increase in housing prices meant that new Bellevue police officers could no longer afford to buy a home in the city they patrolled. Even the chief of police endured a commute of an hour each way to work. There was an important connection between our two points: It’s difficult to build a stronger connection between a community and its police force when local officers can’t afford to live close by. I shared the story with the group from Challenge Seattle and mentioned that I had asked our team at Microsoft to develop ideas for a new initiative. As Satya and I walked out of the breakfast together, I described them in more detail. By the time we reached the elevator, we had decided to make the initiative a priority. Back in Redmond, we put a data science team to work so we could better understand the problem. The team collaborated with Zillow to include real estate data, creating a bigger data set than had been available before. The insights were eye-opening, not only for us but ultimately for the entire region. The data showed that we had not just a h...