Microsoft wants to call its EU commitment a “contractually binding court-fight clause.” Apparently that means Brad Smith pledges to the EU customers he will sue the US government rather than suspend EU operations.
From where I’m sitting, that pledge sure looks hollow, and Microsoft’s own documents are the proof.
First, there’s an unnatural split. The US reaches across the ocean for EU-hosted data in two ways. A CLOUD Act warrant compels Microsoft to transfer the data, or a sanctions order compels Microsoft to cut the customer off. I’m not a lawyer, but these different laws mean different commands. Smith’s pledge says nothing about the first, which makes me wonder why he’s only talking about the second.
Next, looking at the first, the promise seems to be only for the wrong door. Microsoft’s own transparency report shows 115 warrants in six months for content stored outside the US. Those are production orders being executed. The data gets handed over. That door is in constant use, and Smith’s pledge skips it entirely. The scenario he does pledge to fight, a company-wide order to suspend EU operations, has hit a hyperscaler at that scale essentially never. His promise is thus to guard an already shut door while ignoring the other one swinging on its hinges.
The two doors aren’t the same scale. A single customer can be cut off, which is what happened famously to Karim Khan. A continental shutdown of all EU operations is the thing Smith promises to litigate, and that has not occurred. I can see there are different magnitudes, so maybe he pledges against something that’s never happened because it’s never happened.
Three, where’s the revocability control of Smith’s post? The usual fear with any EU-US data deal is that an executive order can’t be trusted, because any president can revoke it. Smith’s pledge on a blog post seems many levels below that. “Contractually binding” can be deleted on a Patch Tuesday.
None of this should surprise anyone. Microsoft did its thing already. When EO 14203 designated Karim Khan, the ICC chief prosecutor, his Microsoft email stopped working. Microsoft says it wasn’t them. That denial goes to who acted, not to whether the service was permitted. The order text says it bars US persons from providing services to a blocked person, email included, which makes Microsoft’s denial beside the point. And the ICC moved to openDesk either way. The actual point is that after a US designation landed, an EU Microsoft customer was no longer a customer.
Then a year later a pledge came, on a blog, addressing the warrant door, while the thing that actually failed for Khan got nothing. Hello, is this thing on? I am no lawyer, but the pledge is a contract, and the IEEPA order starts blocking “notwithstanding” any contract entered into before it. Microsoft offers the EU the exact thing that will suffer an override, on a thing that isn’t the other thing. So how does the pledge really help anyone?