Q&A

Q&A: Microsoft's Battle Against the U.S. Government for Data Protection

Box CEO Aaron Levie weights in on Microsoft's current lawsuit against the Feds and what it means for the future of protecting customer cloud data.

• By Jeffrey Schwartz
• 04/15/2016

Microsoft's lawsuit against the Department of Justice Thursday alleged that the Feds have demanded customer information from its cloud on 5,624 occasions over the past 18 months. Even those who follow this issue closely were surprised by that number and many were alarmed by it. Box, the online document storage company that is both a Microsoft partner via its support for Office 365, Windows and other key technologies, and a direct competitor of OneDrive, is among those who have a stake in the push by the government to restrict the privacy of information.

Aaron Levie, CEO of enterprise cloud storage provider Box was among those surprised by Microsoft's lawsuit but welcomed it, he told Redmond in a telephone interview. Box doesn't receive nearly as many requests as Microsoft since most of its customers are large enterprises. Microsoft's complaint stated that the vast majority of data demands covered consumer customers rather than business customers.

Box, whose 2015 revenues of $303 million rose 45 percent year-over year, is among the largest of alternative enterprise cloud storage providers. Levie believes the company's recently added KeySafe option, which lets customers hold onto their encryption keys, and this week's launch of Box Zones for organizations that must store data in specific countries in Europe, will address attempts to restrict privacy. During our brief interview, he shared his reaction to the Microsoft lawsuit.

A lightly edited transcript of the call follows.

What was your initial reaction to Microsoft's lawsuit?
Levie: It was right on. We are very supportive of their efforts in this area. While they obviously deal with this at a much greater scale than we do, we are concerned about the direction that these kinds of requests are heading in. We do think it's important that there are much more modern approaches to government subpoenas and the intersection of digital security and our laws in general. This is a great example of that intersection. And certainly a few weeks ago, the Apple and FBI case was another great example of that collusion that we think is just overall symptomatic of trying to take legacy laws that were based on the physical world and trying to apply them to the digital era. That's what the conversation needs to be about. We are hopeful, over the next couple of years, we can get to a better situation where we are actually designing our laws to work for this new era of technology, and a new way security is going to play a role in this era.

Have you considered filing a lawsuit too?
We have not. We deal with it at a very different scale. Our challenge in this precise area is much narrower than Microsoft's. But as with the Apple and FBI case, we sit on the side of Apple, and we're supporting Microsoft in this as well. Informally in this case, though in the Apple case we cosigned the amicus brief with Microsoft, Amazon, Facebook and others.

To what extend do you have to address these issues?
It remains a major concern for enterprises, especially global enterprises, so you can imagine the international customers that are moving to the cloud and the concern about the asymmetric approach that the U.S. government might have in collecting information. For us, this is not an issue that has been tested as much as something that is a broad concern among enterprises that creates hesitancy in moving toward the cloud. One way that we've actually solved that is we've launched a technology called Box KeySafe, and that lets customers control their own encryption keys to specifically make sure they have to be the ones decrypting their data. It's a great innovation that we're incredibly excited and proud about, but we do want to make sure this default case gives customers enough control when they move their data inside of the cloud.

What has been the uptake for KeySafe so far?
It's been very positively received primarily by very large, highly regulated customers in some of the more security sensitive industries, so you can imagine it being a great fit for banks and other kinds of organizations. Again, it's all about the customer wanting to have more control over their data, just as they had in their own datacenter, and in their own buildings. We're trying to give them that level of assurance and control, even as they move to the cloud. We don't think just because you have a more efficient computing model that you should have to then give up on your privacy and your control of data because of that. And that's the real shift that's going on.

A Senate proposal last week put forward the idea that [technology vendors] could access information at the government's request. What's your reaction to that?
It was largely trying to codify the All Writs Act usage into a modern law, which was very disturbing because if you actually followed the letter of the law that was being proposed, fundamentally, technology providers would have to write in back doors into their technology. It was a very overarching, incredibly aggressive piece of legislation that comes from a place of trying to modernize the law but in the wrong way.

How can the IT community better educate the government on ensuring it doesn't go down this path?
The first step is not voting for Trump. We need to make sure things don't get worse. Obama is incredibly thoughtful about these kinds of issues. You can already see how challenging it is to modernize some of these approaches and some of the candidates at stake here would certainly drive very regressive approaches to this. That would be scary. In general, we try to work with the various departments and agencies that are involved in these issues. It's interesting because most individuals generally lean more on the side of more security is better, more encryption is better. Where it's tested is these obviously sad events that deal with national security and terrorism.

Besides KeySafe what other ways are you addressing these concerns?
Just two days ago we launched a new technology called Box Zones and what that does is actually let customers store their data in the region of their choice. That helps with many of the data sovereignty challenges that our customers deal with. On the back end of Box, we're doing a lot to ensure that our customers, no matter what industry they are in, are getting the level of security that they need or would have had in a traditional infrastructure world but now done in the cloud. Our job is to make that as simple and easy to use as possible for customers and that's really where the technology innovation is. None of what we're doing is trying to subvert the control our customers had in the traditional infrastructure world but now is done in the cloud.

How often do you get requests to pull data for law enforcement?
Our situation is a lot more frequent because our use cases are much narrower. We obviously deal with primarily enterprise content, and if there's a government request, that generally goes to the enterprise first. It's less of a pressing issue for our own product but again much more concerning from the precedent standpoint. That's why we care about the direction and the trend that events are heading in.

What's your reaction to Brad Smith's statement about the suit?
I think what Brad talked about, specifically around the difference between the physical world and the digital world in terms of our level of control and the privacy we are afforded, is the fundamental issue at play. And he talked about how in the physical world you store your documents in a filing cabinet and if there was a subpoena request, for instance, they would have to go to you and get access to your data in that filing cabinet. In the digital world we are the digital filing cabinet so you can't simply replicate the exact precise procedure of the former law without recognizing that the structure is very different around how the service-oriented world works versus the physical-asset world works. And that's the issue at play.