During his recent visit to Brussels, Microsoft chief Brad Smith committed his company to defending European interests from ‘geopolitical volatility’, including the impact of potential US administration interventions.
Suggesting that Microsoft is ‘critically dependent on sustaining the trust of customers, countries, and government across Europe’, anyone leaving his session with EU leaders should have reasonably felt buoyed up by his words; but might also have sensibly awaited evidence of the commitments being applied in practice before relying upon them.
If so, the news that the International Criminal Court (ICC) chief prosecutor and his staff have had their Microsoft email and services cancelled in direct response to US government sanctions might come as an unwelcome reality check.
According to media reports, ICC chief prosecutor Karim Khan had his Microsoft email and other services suspended after the US applied sanctions in February to all ICC staff in response to their investigations into key Israeli politicians.
The circumstances of the situation that gave rise to those sanctions are outside the scope of this article, and largely irrelevant to the problems these service suspensions indicate, however.
Regardless of the ‘why’, what the service suspensions demonstrate is that Microsoft has the means (and when it comes down to it also possess the will) to do the US government’s bidding and disrupt services to any party deemed to be unacceptable.
This is almost exactly contrary to the assurances Brad Smith so very recently gave.
The disconnection of prosecutor Khan is a mouse-click heard around the world, and will undoubtedly give anyone using or currently considering the adoption of Microsoft cloud technologies pause for thought.
By disconnecting the ICC staff in this way, Microsoft has done themselves some serious damage, and how much may take some time yet to become clear.
Immediately after the disconnection became public, the Dutch government and public bodies are reported to have accelerated their examination of non-Microsoft and EU-located alternative services.
Meanwhile, several suppliers have indicated an uptick in requests for backup of key data to protect against possible Microsoft disconnections.
Press coverage in Germany suggests these concerns are rippling out to them also, whilst the Nordics and France have long made clear that they see a future that is distinctly less Azure in colour.
The likelihood or otherwise of further disconnections is unclear, and for most users it should be considered very unlikely that Microsoft will start switching off services for no good reason.
With 25% of Microsoft’s global revenues coming from European customers, it is unlikely to act rashly to damage that market, and can generally be counted on to be sensible and not commit commercial suicide – so most customers should not be worried.
Nonetheless much of the damage to the confidence of public sector bodies might well have already been done.
Governments like to be in control of their own destiny and that extends to digital services and data.
When a key supplier they have relied upon for many years shows themselves to be subject to the whims and foibles of a foreign government – friendly or otherwise – most public sector buyers intuitively know it’s time to find an alternative provider “just-in-case”. Having a plan B option is just common sense.
The big problem for Microsoft is that in the IT sector “just-in-case” or plan B options, often become strategic plan A directions of travel. And a trickle of departures can quite soon become a flood. Governments are herd animals – when one turns they all tend to follow.
I’m not by any measure suggesting we are going to see an overnight exodus. Even if that was technically feasible (which it isn’t in most cases), these organisations are a bit concerned, not panicked.
However, these previously affirmed Microsoft user groups are now openly talking about the need for alternatives to the Redmond cloud provider, and that should have Microsoft worried.
Concerns that US hyperscalers might be subjected to pressure from US authorities to disclose information have existed for some time but have been broadly assuaged by repeated promises and commitments from Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft that they would resist such requests and protect their customers.
When it has come to the acid test, however, many clearly feel that Microsoft has failed, and that instead of protecting the ICC as a key pillar of the global legal community, instead acted as an instrument of US policy.
To restore his own email access, prosecutor Khan reportedly turned to Proton Mail, the Swiss end-to-end encrypted mail service beloved of whistleblowers and other digital refugees.
Proton Mail operate under its own constraints and obligations to disclose information to the Swiss government on demand, but this is limited to IP address info, rather than email payloads, which it is generally accepted they cannot access.
In doing so it’s likely that Mr Khan has had to forgo some user functionality and ease of use – but he may feel that’s a small price to pay to protect his office and role from US government influence.
That might be a choice others have to make in the months and years to come, since regardless of their choice of cloud provider, the lesson here is that we cannot always trust them to rigorously and strongly protect our data or our services, despite what they may say, or how often they do so.
In this case, Microsoft’s actions sadly speak a lot louder than Mr Smith’s words.
