Category Archives: eDiscovery

Federal Judge: Hacking Someone’s Computer Is Definitely a ‘Search’

FederalJudge_Hacking
Courts across the country can’t seem to agree on whether the FBI’s recent hacking activities ran afoul of the law—and the confusion has led to some fairly alarming theories about law enforcement’s ability to remotely compromise computers.

In numerous cases spawned from the FBI takeover of a darkweb site that hosted child abuse images, courts have been split on the legality of an FBI campaign that used a single warrant to hack thousands of computers accessing the site from unknown locations, using malware called a Network Investigative Technique, or NIT.  Some have gone even further, arguing that hacking a computer doesn’t constitute a “search,” and therefore doesn’t require a warrant at all.

But a federal judge in Texas ruled this week that actually, yes, sending malware to someone’s computer to secretly retrieve information from it—as the FBI did with the NIT—is a “search” under the Fourth Amendment.

“[T]he NIT placed code on Mr. Torres’ computer without his permission, causing it to transmit his IP address and other identifying data to the government,” Judge David Alan Ezra of wrote Friday, in a ruling for one of the NIT cases, in San Antonio, Texas.  “That Mr. Torres did not have a reasonable expectation of privacy in his IP address is of no import.  This was unquestionably a “search” for Fourth Amendment purposes.”

As obvious as that sounds, not everyone agrees.  Previously, another judge in Virginia stunningly ruled that a warrant for hacking isn’t required at all,because a defendant infected with government malware “has no reasonable expectation of privacy in his computer.”

That judgment was a leap from several other rulings, in which judges claimed that users of the Tor anonymity network, where the illegal site was hidden, have  no expectation of privacy in their IP address—even though hiding your IP is the entire point of using Tor. The argument—which the Department of Justice apparently agrees with—states this is because Tor users technically “reveal” their true IP address to another computer when they first enter the Tor network, through an entry point called a “guard node.” (That computer can not determine what sites the user visits, however)

But while the FBI’s use of malware was definitely a search, Judge Ezra of Texas nevertheless denied the defendant’s motion to suppress evidence obtained by the NIT.

That’s because it can’t be proven that the FBI “willfully” violated Rule 41(b), a procedural rule that’s meant to stop judges from authorizing searches outside of their districts. The FBI is now controversially seeking to expand that rule, which would grant them the power to hack computers anywhere—not just within the jurisdictions where the hacking was authorized.

Instead, Judge Ezra wrote that the NIT warrant “has brought to light the need for Congressional clarification regarding a magistrate’s authority to issue a warrant in the internet age, where the location of criminal activity is obscured through the use of sophisticated systems of servers designed to mask a user’s identity.”

Do you connect your mobile phones to rental cars?

One huge mistake people make when renting cars
Rental_Bluetooth

There are plenty of reasons to rent a car, from leaving a less reliable or gas-guzzling car behind on a long trip to getting around a city on a business trip or while your car is being repaired. It’s not necessarily cheap, but if you need to move around a lot, or go any substantial distance, it isn’t any worse than taking a cab or calling for an Uber, and it might be more convenient.

Is your company leadership connecting to rental cars with company phones and leaving text messages, contacts, call logs? Is there deal information or IP in those text messages?

There is a hidden danger, though, that not a lot of people realize. Rental companies upgrade their fleets regularly with newer-model cars, which means your rental has new technology, including a high-tech infotainment system. That’s not the bad part.

Newer infotainment systems let you pair up your smartphone via Bluetooth so you can take calls over the car’s audio system, dial from the center console or stream your music. Others include USB so you can get everything I just mentioned and charge your phone at the same time.

That’s also not the bad part, as long as you own the car. When you’re renting, however, it can be a danger.

When you connect up to a car with Bluetooth, the car stores your phone number to make it easier to connect later. It also stores your call logs, and possibly even your contacts. This isn’t something you want sitting around for the next renter.

Go into the settings (it will vary for every car model) and delete your smartphone from the list of previously paired Bluetooth gadgets. That should wipe your call log and contacts as well. If it doesn’t, look for an option to clear user data or do a factory reset. Talk to the employees at the car rental place if you can’t find these options.  Like any hard drive, you can possibly still recover data after it is wiped.

If you used the car’s navigation system to get around, be sure to go in and clear your location history. You don’t want the next person knowing where you’ve gone, or where you live. If you own the car and are selling it, you’ll want to do this kind of wiping as well.

Aside from privacy concerns, there’s a security concern, too. We now know that cars can be hacked, and as they get more advanced the chance that a car can get infected with a virus increases. If the car’s system was compromised by a hacker or previous renter, hooking up your phone would give a hacker access to everything on it.

The obvious solution is to not pair your phone with the car’s systems at all. If you want to listen to music, use an auxiliary cable to connect the headphone port on your phone to the audio system directly.  For charging, use the cigarette lighter instead of the USB port.

If you want to do hands-free calling, you can purchase a third-party Bluetooth audio kit that does the job.  It’s also great for adding this feature to an older car with a less advanced infotainment system.

Hopefully, the privacy concern with car infotainment systems should be going away in the future as Android Auto, Apple CarPlay and similar systems become standard on more cars. These systems don’t store any information, they just read it off your smartphone. So when you take your smartphone out of the car, none of your information stays.

Of course, it will be years or even decades until cars with less secure infotainment systems are off the market or no longer in used car lots. And you never know what other systems will come out in the future and how secure they’ll be.

Please share this information with everyone.

 

8 Ways to Avoid Being “Extremely Careless” with Data

Clinton_Security

On July 5th, FBI Director James Comey made a statement that the FBI would not recommend criminal charges against Democratic Party presidential nominee, Hillary Clinton. The announcement was the result of an investigation into the fact that, while serving as secretary of state, Clinton relied exclusively on a personal email account housed by her own personal server rather than using an official, protected state.gov email address. She also communicated from her private email across several electronic devices. Amongst emails about yoga appointments and family outings, Clinton exchanged highly classified information – including Benghazi communications – leading the FBI to question possible breaches of the account from foreign governments and hackers. After months of exhaustive investigation and countless hours of media coverage, the FBI did not uncover sufficient evidence to recommend criminal charges in the case, but concluded that “[Clinton and her staff] were extremely careless in their handling of very sensitive, highly classified information.”

While it’s evident that Clinton probably didn’t think she was being so careless with her data, there are a few simple ways that people in heavily-regulated and litigated industries can avoid being extremely careless. This is especially important when it comes to ediscovery, a time when you’re highly likely to make private information public.

1. The personal & professional are inseparable. Nowadays, people answer work emails on their personal devices and vice versa. They send company files to their home computers so they can work nights and weekends, and send personal documents to print or fax from work. This can be a major headache when it comes to data security, as we saw with the Clinton email scandal. Data that was once relativity secure on company premises leaves the office on portable devices and home networks and is then exposed to the risk of physical and virtual theft. Companies with BYOD or work-from-home policies should establish and enforce strict and specific security guidelines. Employees who work from home or from portable devices should always logout of email accounts and be careful not to join any unknown networks.

2. Keep passwords fresh. Update passwords every 4-6 months. Contrary to popular belief, updating your passwords every 60 or 90 days won’t necessarily result in better security measures, especially when your passwords aren’t strong in the first place. Experts recommend using a password manager like LastPass,  DashLane, or KeePass to generate stronger passwords and keep track of them.

3. Beware of the cloud. Add security layers anywhere sensitive data lives, particularly if it’s shared in the cloud. Putting locks on network file directories is simple enough, but with the massive surge in cloud usage, data leaks become more difficult to control. According to expert Joe Moriarty, businesses can better protect cloud-based data “by adding content controls, protection, tracking and deep analytics to files.” Content controls that a company can easily implement to secure data include watermarking files and videos; limiting employees’ ability to forward or print files; and most importantly, preventing unauthorized viewing, saving, and sharing of data.

4. Continued education by HR. Training your employees on security best practices is crucial to preventing a breach. Consider assigning a compliance officer who can be involved in business decisions. Such a position helps bridge the gap between tech-savvy IT employees and those who may not be able to answer, “How does this affect PCI, PII compliance of HIPAA?”

5. Remember printers? According to expert Michael Howard, the biggest mistake companies make when it comes to securing sensitive data is not securing their printing fleet. He goes on to say a staggering 90% of enterprise businesses have experienced a breach due to unsecured printing. In order to avoid this risk, Michael recommends installing security software that limits printing and helps protect your company paper trail.

While establishing day-to-day security practices is important, safeguarding data during ediscovery is a whole new ballgame. During ediscovery, data changes hands many times internally and externally. Data is gathered from multiple network drives, sources, and authorities then handed over to another party or two, and some of that data might end up in the public record. Penalties for breaches during ediscovery can include mistrials, fines, sanctions, and even lawsuits, so the stakes are extremely high.

6. Know your data. Every organization needs to be familiar with where its data resides, the laws governing it, and  how it may be collected, processed, retained, and transferred before litigation begins. This is especially important when working with cross-border litigation, given the recent changes in EU data protection laws.

7. Limit scope as much as possible. Evaluate the scope of data that is being requested during discovery. For litigation purposes, can the data requested be reasonably limited so that personal data issues can be reduced or eliminated altogether?

8. When in doubt, redact. Redaction is the only foolproof way to protect sensitive data. With the growing amount of ESI and increasing regulations surrounding things like PII, you can’t risk letting sensitive data slip through the cracks during ediscovery and into the hands of opposing counsel. Unfortunately, the viability and cost of manual redaction is quickly approaching an unsustainable level. With the correct redaction software, companies can ensure sensitive data gets redacted automatically, saving time, costs, and reducing the risk of human error during review.

While the data we deal with on a day-to-day basis may not be labeled as “Highly Classified” like Clinton’s, it’s still very important to have the proper procedures in place for handling and protecting it. With ESI volumes growing at an alarming rate, it’s important that we look to technology for help with data security, particularly during ediscovery, so that we aren’t caught being extremely careless.

Thoughts on Emailgate.

Department of State

Note: not a political post, just adding some Infosec commentary to what we were told yesterday.

Last night, I sat back and watched FBI Director James Comey’s press conference on the Hilary Clinton email saga through my technical and investigative eyes.

I think it was the first mainstream press conference I’d seen with so much mention of slack space, a digital forensics term for the portions of the hard drive not currently used, but filled with fragments of previously deleted files. It was like when you see someone you knew from growing up on the local news and thinking, “oh, I used to sit next to that person in math class!”

The overview of how the FBI had reconstructed years worth of “shadow IT” usage by the former Secretary of State and her staff, spoke of a classic unwinding of the spaghetti exercise. Where a path that lead to an end state is crisscrossed by avenues that may or may not be of relevance, but nevertheless must be investigated.

James Comey then went on to list the findings of the investigation, and painted a picture, which is unfortunately a picture that I’ve personally seen painted over and over again through my work in information security and digital forensics.

A culture existed at the State Department that allowed Mrs. Clinton and her staff to operate outside the boundaries of the policies, procedures and regulations that were in place to protect information and people. In this case of course, that is all the more concerning, because we’re talking about highly sensitive national security information which is protected by law.

In Comey’s words, Clinton and her staff were “Extremely Careless” in their information handling.  He was right, they were, there can be no denying that. As he went into detail on some of Mrs. Clinton’s email practices, I was reminded of a few similar cases I’d personally worked on.

  • While conducting a security review of a semiconductor’s perimeter IP address range, I found evidence that FTP sites were being hosted on an unofficial server within the range. As it turned out, one of the network administrators had punched a hole through the firewall to a server that was hidden in the data center, attached to the internal network, and he made money hosting data for others with zero overhead costs. I was shocked to discover that this was a known activity when it was raised in the report, although, when I explained the risk in more detail the sites did go away, and the network administrator was reprimanded and eventually lost their job.
  • I once stumbled across an undocumented SSH entry point to a hosting environment, set up by a team to bypass a corporate two-factor requirement. It had been “approved” by a couple of layers of management.
  • I conducted an audit of an on-premises corporate Exchange deployment and found that a senior member of an organization was forwarding every single email received to a personal Gmail account, because they preferred the Gmail UI. The idea had been suggested by another person within the company.
  • Anecdotally, I have a thousand stories of siloed groups within organizations using “cloud services” and tools dangerously “under the radar”.

In all of the cases above, a culture existed in which, for whatever reason, people were empowered to do extremely careless things, which put the safety of information at risk. Much like at the State Department in regards to email.

The problem is, the end result doesn’t really care if it is born of malice, extreme carelessness or ignorance. It’ll still be the same. And if the end result is a breach, well, we’ve all seen that one play out many times.

In the end, the FBI will not be recommending charges against Mrs. Clinton or her staff. I’m not going into any more detail on whether I think that is right or wrong. To use one of those most horrific of terms, “it is what it is, and we can’t change that.”

Given this fact, I hope if anything positive comes out of this case, it’s the following:

  • The case highlights that security cultures everywhere, especially in government agencies charged with keeping us all safe, that empower this type of behavior, get an overhaul.
  • It encourages more productive and positive conversations between IT teams, Security teams and end users about things that they find restrictive or cumbersome in their working lives, so a mutually acceptable solution can be found.
  • It reinforces that no one within an organization should be above the rules when it comes to information security. Leaders should set an example.
  • That security teams are reminded that not all threats come in the form of IDS alerts from Chinese IP addresses. Some of your biggest risks might be right under your nose, in the form of Shadow IT lurking in broad daylight. Get visibility, now.

 

The US government is touting cyber as the next theatre of warfare. If the US wants to be seen as a leader in cybersecurity, a top down order to discover and address the doubtless many Emailgates that are occurring right now must surely be forthcoming.

Attorney Confidentiality, Cybersecurity, and the Cloud

Legal

There is a significant degree of confusion and lack of awareness about attorney confidentiality and cybersecurity obligations.  This issue is especially acute when it comes to using the cloud to store privileged documents.  A common myth is that storing privileged documents in the cloud is a breach of attorney-client confidentiality.  In other instances, many attorneys and firms are not paying sufficient attention to their obligation to protect the confidentiality and security of the client data they maintain.

Attorney Ethical Rules in the Digital Age

The general rules of professional conduct are written broadly, without specifically addressing privacy and cybersecurity issues.  Under Rule 1.6 of the ABA Model Rules of Professional Conduct, “a lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent.” Lawyers must “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

The application of this rule to digital technologies has been dealt with by resolutions and commentary.  Fairly recently, the ABA published Resolution 109, calling for firms to “develop, implement, and maintain an appropriate cybersecurity program.” And few years ago, the ABA amended Comment 8 to Model Rule 1.1 (requiring “competent representation to a client”) to state that “a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” (added language italicized).

Attorney-Client Privilege in the Cloud

Is it ethical for attorneys and law firms to store privileged documents in the cloud?  After all, they are storing such documents on a third party’s computer.

White_Cloud

This question has been a widespread concern, enough so that several state bar associations have issued guidance.  Their consistent conclusion is that it is ethical to store privileged documents in the cloud.  For example, according to the Pennsylvania Bar Association Formal Opinion 2011-200: “An attorney may ethically allow client confidential material to be stored in ‘the cloud’ provided the attorney takes reasonable care to assure that (1) all such materials remain confidential, and (2) reasonable safeguards are employed to ensure that the data is protected from breaches, data loss and other risks.”

According to the Florida Bar Association Opinion 12-3, “Cloud computing is permissible as long as the lawyer adequately addresses the potential risks associated with it.” The Massachusetts Bar Association Opinion 12-03 provides that lawyers “may store and synchronize electronic work files containing confidential client information across different platforms and devices using an Internet based storage solution” if they undertake “reasonable efforts to ensure that the provider’s terms of use and data privacy policies, practices and procedures are compatible with the lawyer’s professional obligations, including the obligation to protect confidential client information.”

The New York Bar Association Ethics Opinion 842 concludes that “a lawyer may use an online ‘cloud’ computer data backup system to store client files provided that the lawyer takes reasonable care to ensure that the system is secure and that client confidentiality will be maintained.”

Other state bars have reached similar conclusions.  The ABA maintains a page that tracks what state bars are holding on this issue.  The states in blue have all issued opinions on the use of the cloud, and all state essentially the same thing: Using the cloud is ethical as long as reasonable care is taken.

US_Map

In many situations, data stored in the Cloud might have stronger security protections than when stored on the attorney or firm’s own network.  This is because some of the best cloud service providers have more sophisticated security practices and more robust technical and other resources to protect the data than a law office or firm.  For example, the Panama Papers breach at Mossack Fonseca occurred on the firm’s network, which had numerous security vulnerabilities.

Attorneys don’t have a blank check to store anything with any third party.  There still are cybersecurity obligations.  According to widespread standards in other industries, there are certain essential practices when selecting and contracting with a cloud service provider.  The Pennsylvania Bar Association guidance notes that “reasonable safeguards” must be used “to ensure that the data is protected from breaches, data loss and other risks.”  What are such reasonable safeguards?  I will discuss that in the part below.

Confidentiality and Cybersecurity Responsibilities

Attorneys and law firms have significant confidentiality and cybersecurity responsibilities.   These typically involve using “reasonable care,” which is a standard grounded in common best practices and norms.  These standards are mentioned in various state bar opinions and guidance, as well as in data security regulation of other industries.

For example, the FTC cases on data security are useful to study to learn about common best practices across a wide array of industries.  The FTC typically enforces standards that are commonly accepted as the norm for reasonable security practices.  I have written about the FTC extensively in my article, The FTC and the New Common Law of Privacy, 114 Columbia Law Review 584 (2014) (with Woodrow Hartzog), and this piece includes a listing of the data security deficiencies that the FTC has identified as problematic.

I have written an earlier post about the cybersecurity risks that law firms face and about how a number of firms and attorneys need to step up their efforts to protect data.

State bars have also provided many useful examples.  Some of these include (1) eliminating metadata when documents are transmitted to adverse parties; (2) taking precautions when using public wireless connections to communicate with clients, such as using firewalls and encryption; (3) backing up data; (3) implementing audit logging to monitor who is accessing data; (4) having a data breach response plan; and (5) having a firewall on the firm or office network.

With regard to using cloud service providers, relevant responsibilities of attorneys include (1) performing due diligence in selecting a cloud service provider; (2) having an appropriate contract in place with the cloud service provider; (3) exercising good security practices on their own network and when accessing data stored in the cloud; and (4) engaging in continued monitoring of the cloud service provider to ensure that the provider is living up to its obligations.

Due Diligence When Selecting a Cloud Service Provider

Cloud_Mag

Due diligence should involve examining whether a cloud service provider has:

  • adequate safeguards in place to maintain accessibility of data in the event of disasters
  • sufficient stability and resources
  • appropriate procedures to comply with a litigation hold
  • appropriate written policies and procedures to protect confidentiality and security
  • appropriate back up
  • appropriate security protections, including employee training, penetration testing, etc.

Appropriate Provisions in Contracts with Cloud Service Providers

Contract

Contracts with cloud service providers should require, among other things:

  • Ownership of the data remains with the attorney or firm, not the cloud service provider.
  • Attorneys must have adequate access to the data.
  • Data should be routinely backed up.
  • There should be an enforcement provision if the provider fails to meet its obligations.
  • The cloud service provider should provide reasonable and appropriate security protections.
  • The data is hosted in countries with sufficient legal protections of privacy and security and adequate rules regulating government access.
  • The data is returned in the event of termination of the contract.

Good Data Security Practices

Additionally, attorneys and support personnel have obligations for their own behavior when using cloud service providers such as being trained about data security best practices, use of strong passwords, safe practices when using public Wi-Fi, avoiding falling for phishing scams, and so on.

Ongoing Vigilance of Cloud Service Providers

Finally, attorneys or firms must continue to monitor any cloud service provider they use to ensure that the provider is complying with the agreement and to ensure that the provider is keeping up with new technological developments and protecting against emerging security threats.

The above are not exclusive lists, but are examples of some of the kinds of things that are encompassed by the duty to exercise “reasonable care.”

Conclusion

It is clear that attorneys and firms can use cloud services consistent with their obligations to maintain the confidentiality of client information.  Reasonable care must be exercised in the process, and that involves due diligence when selecting a cloud service provider, having the appropriate contractual provisions in the agreement with the cloud service provider, and continuing to be vigilant about how well the provider is living up to its obligations.

Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School and the founder of TeachPrivacy, a privacy awareness and security training company. He is the author of 10 books and more than 50 articles.  Thanks to Microsoft for its support of this piece.  All views in this piece are my own.

5 cyber security mistakes that might make you vulnerable to hackers

 

cyber_security_2Very few of us fall for the old Nigerian prince email scam these days, and even fewer will click on a pop-up ad inviting us to “win $1 million” by playing a simple game. We’ve come a long way in terms of learning the do’s and don’ts of cyber security, but that doesn’t mean our days of online vulnerability are completely behind us.

Over 6 million internet users were attacked by malware in 2015. As we become savvier to the tricks they’ve pulled in the past, hackers begin to up their game by catching us where we least expect it. Although we’d like to assume that all of those users who were attacked in 2015 were prime targets, or perhaps people who are a bit less tech savvy than the rest of us, the fact is that many of them were normal internet browsers like you and me who actually know a thing or two about online safety.

There are additional risks these days, and even some of the tech-savviest internet users create cyber security risks without knowing it. To help avoid online attacks, here is a list of some of the top cyber security mistakes internet users are making in 2016.

1. Storing passwords in a browser

According to a recent survey, 59 percent of millennials store passwords in their browsers on a regular basis. It may be convenient to easily access your most-used accounts without typing in a username and password each time, but it also puts you at serious risk for an online attack.

The first step in keeping your passwords safe is to create a strong password that uses numbers, symbols, and both capital and lower case letters. You’ll also want to use a different password for each site. Once you’ve got a solid password for each of your online accounts, avoid storing them in your browser! If you’re like me and tend to forget things easily, try using a secure password storage system or software such as “KeePass, LastPass, Dashlane, 1 Password, RoboForm”  to keep track of your logins.

2. Purchasing locked devices

Prices for phones, laptops, and tablets can be high these days. The good news is that the market for selling used electronics online is getting bigger and more easily accessible. The bad news is that scammers have begun to use this second-hand marketplace as a means for duping consumers into paying more for devices that they’ve already paid for.

If you’re looking into purchasing a used device online, it will be important to ensure that it is unlocked. There will be different processes for checking iOS and Android devices.

For iOS devices, you’ll also need to ensure that the former user’s iCloud account is taken off of your device. If it’s not, you’ll need to take the necessary steps to remove their account from your device before they have a chance to lock the phone.

3. Connecting to unencrypted Wi-Fi networks

The ability to hop onto free Wi-Fi at your local coffee shop or the university library sure does make working on projects or simply browsing much easier on the go. The problem is, hackers are starting to take advantage of society’s reliance upon public Wi-Fi connections.

Do your best to avoid Wi-Fi connections that don’t have password protection when you’re out and about. Checking for the password of the official Wi-Fi at your location of choice will also help you avoid logging into a network set up by hackers looking to view your online activity.

To be extra secure on public Wi-Fi, stick to HTTPS sites while you’re browsing and look into using a virtual private network. It’s also best to avoid installing new software while using a public Wi-Fi network.

4. Ignoring security software updates

We’re all guilty of clicking out of software update notifications when they pop up on our screens. Although taking a few minutes to update your device’s security software may seem like a burden in the middle of a big project, it will be worth your while when it prevents an online attacker from installing malware on your device.

Be sure to install security software updates each time you receive a notification. If you’re connected to a public Wi-Fi network or really don’t have the time to do it when the notification pops up, set a reminder to install the new software later. The longer your device runs without up-to-speed security software, the more vulnerable you become to cyber security breaches.

5. Clicking on links in emails

Most of us receive emails from banks, utility companies, and other organizations with links to view account activity online. Although these are typically from a trusted source, you can never be too sure. A well-written email from a seemingly credible source could send you a link that installs malware on your device when clicked.

Next time you receive a link in an email, leave your email account and look for the actual site in your browser to avoid clicking on a malicious link. For example, even if the link goes to your bank of choice, it’s best to leave your account and log in through a trusted portal.

Have you been making any of these common cyber security errors? If so, it’s about time to take action and implement the provided tips to protect yourself from online attacks.

Share your experiences in the comment section.

 

 

 

Microsoft sues U.S. government over data requests

Microsoft

An important case to pay attention to:

SAN FRANCISCO (Reuters) – Microsoft Corp (MSFT.O) has sued the U.S. government for the right to tell its customers when a federal agency is looking at their emails, the latest in a series of clashes over privacy between the technology industry and Washington.

The lawsuit, filed on Thursday in federal court in Seattle, argues that the government is violating the U.S. Constitution by preventing Microsoft from notifying thousands of customers about government requests for their emails and other documents.

The government’s actions contravene the Fourth Amendment, which establishes the right for people and businesses to know if the government searches or seizes their property, the suit argues, and Microsoft’s First Amendment right to free speech.

The Department of Justice is reviewing the filing, spokeswoman Emily Pierce said.

Microsoft’s suit focuses on the storage of data on remote servers, rather than locally on people’s computers, which Microsoft says has provided a new opening for the government to access electronic data.

Using the Electronic Communications Privacy Act (ECPA), the government is increasingly directing investigations at the parties that store data in the so-called cloud, Microsoft says in the lawsuit. The 30-year-old law has long drawn scrutiny from technology companies and privacy advocates who say it was written before the rise of the commercial Internet and is therefore outdated.

“People do not give up their rights when they move their private information from physical storage to the cloud,” Microsoft says in the lawsuit. It adds that the government “has exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations.”

SURVEILLANCE BATTLE

The lawsuit represents the newest front in the battle between technology companies and the U.S. government over how much private businesses should assist government surveillance.

By filing the suit, Microsoft is taking a more prominent role in that battle, dominated by Apple Inc (AAPL.O) in recent months due to the government’s efforts to get the company to write software to unlock an iPhone used by one of the shooters in a December massacre in San Bernardino, California.

Apple, backed by big technology companies including Microsoft, had complained that cooperating would turn businesses into arms of the state.

“Just as Apple was the company in the last case and we stood with Apple, we expect other tech companies to stand with us,” Microsoft’s Chief Legal Officer Brad Smith said in a phone interview after the suit was filed.

One security expert questioned Microsoft’s motivation and timing. Its lawsuit was “one hundred percent motivated by business interests” and timed to capitalize on new interest in customer privacy issues spurred in part by Apple’s dispute, said D.J. Rosenthal, a former White House cyber security official in the Obama administration.

As Microsoft’s Windows and other legacy software products are losing some traction in an increasingly mobile and Internet-centric computing environment, the company’s cloud-based business is taking on more importance. Chief Executive Satya Nadella’s describes Microsoft’s efforts as “mobile first, cloud first.”

Its customers have been asking the company about government surveillance, Smith said, suggesting that the issue could hurt Microsoft’s ability to win or keep cloud customers.

In its complaint, Microsoft says over the past 18 months it has received 5,624 legal orders under the ECPA, of which 2,576 prevented Microsoft from disclosing that the government is seeking customer data through warrants, subpoenas and other requests. Most of the ECPA requests apply to individuals, not companies, and provide no fixed end date to the secrecy provision, Microsoft said.

Microsoft and other companies won the right two years ago to disclose the number of government demands for data they receive. This case goes farther, requesting that it be allowed to notify individual businesses and people that the government is seeking information about them.

Increasingly, U.S. companies are under pressure to prove they are helping protect consumer privacy. The campaign gained momentum in the wake of revelations by former government contractor Edward Snowden in 2013 that the government routinely conducted extensive phone and Internet surveillance to a much greater degree than believed.

Late last year, after Reuters reported that Microsoft had not alerted customers, including leaders of China’s Tibetan and Uigher minorities, that their email was compromised by hackers operating from China, Microsoft said publicly it would adopt a policy of telling email customers when it believed their email had been hacked by a government.

The company’s lawsuit on Thursday comes a day after a U.S. congressional panel voted unanimously to advance a package of reforms to the ECPA.

Last-minute changes to the legislation removed an obligation for the government to notify a targeted user whose communications are being sought. Instead, the bill would require disclosure of a warrant only to a service provider, which retains the right to voluntarily notify users, unless a court grants a gag order.

It is unclear if the bill will advance through the Senate and become law this year.

Separately, Microsoft is fighting a U.S. government warrant to turn over data held in a server in Ireland, which the government argues is lawful under another part of the ECPA. Microsoft argues the government needs to go through a procedure outlined in a legal-assistance treaty between the U.S. and Ireland.

Twitter Inc (TWTR.N) is fighting a separate battle in federal court in Northern California over public disclosure of government requests for information on users.

The case is Microsoft Corp v United States Department of Justice et al in the United States District Court, Western District of Washington, No. 2:16-cv-00537.