The Vergecast - Microsoft’s president explains how Gab shutdown notice went from customer support to his desk
Episode Date: August 28, 2018We're kicking off our secondary Vergecast episode of the week with an interview with Microsoft President and Chief Legal Officer Brad Smith. In this wide-ranging interview , Smith expanded on why the... company nearly shut down Gab.ai, the “free-speech” absolutist platform that’s become an alt-right favorite. Learn more about your ad choices. Visit podcastchoices.com/adchoices
Transcript
Discussion (0)
Hey everybody, it's Nealai from the Vergecast. You might notice this isn't a normal Vergecast episode in your feed. We're trying something a little different. Here's what's going on. We've been trying a lot of new things on the show. Segments, new hosts, interviews. People have given us a lot of feedback. And most of it's positive, but the show's starting to get a little overstuffed. Everyone's telling us there's too much going on the Vergecast. So we decided we really like the interviews that can probably stand alone. So we're going to start doing a second episode of the Vergecast every week, just focused on those interviews. Probably published Tuesday, Wednesday.
And then the regular crazy Paul Miller Vergecast happens on Fridays.
So first up, we have Brad Smith, who's a president-in-chief legal officer of Microsoft.
He's got big ideas about how tech companies should work in 2018.
He has big ideas on how services should be allowed to use Azure,
on how Microsoft should sell products and services to the government, including ICE,
and on honestly how big tech companies need to work to protect our elections.
So check this out.
It's a super fascinating interview.
Brad Smith, President, Chief Legal Officer of Microsoft.
So I'm here with Brad Smith, the President-in-Chief Legal Officer of Microsoft.
Thanks for being with us today.
My pleasure. It's great to be here.
So really quick, I want to start. I don't think people realize this. How long have you been at Microsoft?
On the 1st of November, it'll be 25 years.
That is an incredible run.
I just couldn't get a job anywhere else, I guess.
It's been wonderful.
I've loved every year. I started in Paris.
It's been three years there and have been working here in Redmond, Washington, since 1996.
So you've seen all the eras of Microsoft.
you've seen the leadership changes.
And the reason I wanted to bring that up right at the top is it seems like right now is a very pivotal moment for the tech industry, for the government, for how we interact with tech.
It feels like the notion that the tech industry has this big responsibility to both the culture, to society, to our elections, is getting deeper.
It's more resonant with many more people.
Is that new?
Is that me just not seeing it in the past?
Is it the audience not seeing the past?
Or is that actually new in terms of how resonant it is right now?
I think it is definitely new and important ways.
To some degree, this is a trend that has been going on for a quarter of a century.
But we're so clearly in a different place compared to tech in the past.
And I think we're so clearly in a different place compared to other technologies and industries in the past.
I remember in the 1990s when people first started to make movies that included the Internet in it.
and it was just starting to seep into the public consciousness.
I remember when technology issues from a public policy perspective first went from sort of legal
publications into, say, the back page of something like Time Magazine and then eventually
made it to the cover. But now it's in the middle of everything. And I think that there are a few
characteristics that are really noteworthy today. First, we're dealing with technology and
technology companies that are global. That's different.
from prior eras of history when technologies tended to be developed mostly by companies that were
national. Second, we're dealing with technologies that are so pervasive that they're really
impacting for all practical purposes every aspect of our daily lives, not just at work,
not just what we read while we might be sitting on a subway car, but devices on our dinner
table. In some cases, these are the things that people first look at when they wake up in the
morning, they may even be the first thing or the last thing they look at before they go to sleep at
night. And finally, we're working at a time when the political currents of our day are different
from any other point, at least in our lifetime. There's more nationalism, there's more populism,
and in some places in the world, there's less confidence in government itself. So technology is ubiquitous.
Technology companies have more impact. People have more doubts about other institutions and society on which we've
often relied in the past. Yeah, and I think that that is playing out in ways big and small.
You brought up the idea that the devices interrupt you. Whenever I speak to groups, I always say,
would you put a camera in your bedroom and everyone says no? And I always remind them, like,
you have two to three cameras in your bedroom just when you put your phone down at night.
And I think that realization is starting to grow. But really what I want to get to is the notion
of responsibility. Do you feel the tech industry has a greater responsibility to police itself?
or, you know, you just read a blog post about facial recognition saying we need some regulation here.
We need to understand our limits.
Do you think that's a push and pull or do you think this is a moment for the tech industry to kind of stand up and be leaders?
I actually think both of these things are true.
We in the tech sector have a huge responsibility to address these global issues and these societal impacts.
We have a huge responsibility to be thoughtful.
We have a huge responsibility to work together and to think beyond ourselves.
At the same time, I believe that the world is best when no person is above the law, when no government is above the law, when no company is above the law, when no product or technology is above the law.
And so I think we need tech companies to step up to assume greater responsibility, but I think we equally as societies need to step up collectively and have our government step up collectively.
or there will come a day when we'll wake up and we'll find that our lives are increasingly being
ruled by unelected tech companies that are not subject to the laws that we have always relied
upon to keep the right kinds of principles and values at the surface in the places where we live.
So what I want to do is kind of use a few specific examples of things Microsoft has been talking about,
has been doing to kind of illuminate that bigger question.
So the first one is ICE and what Microsoft has been doing with ICE.
The second one is Azure and some moderation decisions you've made with Azure.
The third is broadly, and you just announced this yesterday the day before,
Russian interference with the election and what your digital crimes unit is doing there.
So let's start with ICE.
And I know you knew this, but to quickly sum up for the listeners,
there was a little bit of controversy recently.
You had an older blog post saying you had a contract with ICE that blog post suggested
those services might include facial recognition.
some people, including some Microsoft employees, took issue with that.
And then you recently clarified in a blog post,
Microsoft was just providing legacy email calendar messaging and document management workloads
that you weren't doing anything related to family separation or facial recognition.
Walk me through that.
How did that sort of start and finish?
Well, the first story of how it started and finished,
or really how it started because it's not yet finished,
was in a sense a coincidence on Father's Day here in the United States.
I wrote a blog post that day that ended up posting that.
evening on LinkedIn about the separation of families at the border. It was an issue that we could see
was just beginning to break into what I will call front page news. And it was an issue that we've cared
about and I've been passionate about having spent a decade sharing what is the largest pro bono
organization, I think, in the country, focused exclusively actually on serving kids in immigration
proceedings when they've been separated from their families. It's called kids in the defense.
I thought Father's Day was a good day for us all to remember the values we place on protecting children.
And by great coincidence, within about an hour of the time that I posted that, there was a tweet that resurrected a short marketing blog that frankly nobody at Microsoft even remembered, but it was earlier this year that was touting some of the security advances we had made with the federal government with a couple of agencies.
and one of the agencies was ICE.
And there was a line in this blog that said, gee, this paved the way for all of these new uses of technology, potentially including facial recognition.
And then as so often happens, the Internet exploded, at least in a small way.
We ended up really having to grapple quite a bit with these questions.
Part of it was figuring out, okay, what's really going on here?
What are we really doing with ICE?
And I think your description of that was quite accurate.
But we also asked ourselves a few things.
Number one, we asked us, look, what do we stand for or what do we want to stand up for
on what was the burning question across the country, namely the separation of children from
families?
And there was no doubt where we stand.
We opposed it.
Satya Nadella came out and made his view clear.
I made my view clear.
We made the company's view clear.
And actually, I think we're an unusual.
not just in tech, but across the economy, in that we have been standing up for this very specific
issue as a company for a decade, working with justice departments and pro bono groups and
literally with 500 law firms, companies, law schools across the country to ensure these kids are represented.
Then we had to tease apart the issues. And we actually came to the conclusion that there is a
complicated set of issues with respect to facial recognition that need to be addressed.
and we can talk more about that specifically.
And then there was also the question that others were putting before us.
And basically what they said was, look, even if you're not providing facial recognition,
assistance or services to ICE, shouldn't you stop doing business with them all together?
Yeah.
And we've attempted to bring these things together.
And what we've said is at one level, we believe that these new technologies that are so sensitive
like facial recognition absolutely need to be governed by law.
They need to be regulated.
We've said as well that we have a responsibility to address these issues ourselves, and we're
working to develop a principled approach to doing so based on lots of input from external and
internal stakeholders. And we've also said that we have to decide how we're going to continue to
use our voice most impactfully to address this issue that people care about, that we care about,
the protection of children. And one of the things we've said is we have a lot of tools at our
disposal. And in our own view, the most impactful set of tools for us really doesn't involve
us turning off our technology or boycotting, you know, one part of the government. It's using
all of the other ways we have to ensure our voice is heard. Actually, walk me through that
determination. Like on a pure impact level saying, we won't work with you is one of the most
impactful things you can do. Why do you think the other stuff outweighs that? First of all,
we look at what we've been able to accomplish through the other things that we've,
done. And some of our work is very public and some of our work is behind the scenes. It's behind the
scenes in part because we have been, by coincidence, so involved on this issue for so long.
There is broad legal representation for not all of these kids, but a great many of these kids
who go through immigration proceedings, frankly, because to some degree we've been involved
in active lobbying of the executive and legislative branches in Washington, D.C. I personally have
been. And I do believe that's played an important role in, frankly, ensuring that,
consistent federal budgeting to make these services available. And we want to continue to serve these
children through these kinds of steps, steps that we would not be able to take nearly as effectively
if we just walked away. Second, I do think that one really needs to think through what it would
mean to start taking, say, parts of the U.S. government and say, hey, we're done. We're not going to serve
these parts of the government anymore. And with all of these things,
things, there's the classic what's called the fallacy of the last move. The fallacy of the last
move is if the world were to end tomorrow and you were, this was the last move that anybody was
ever to take, what would the world be like? And then you have to step back and recognize,
you know, in all probability, the sun is going to rise tomorrow. And more things are going to
happen. Well, part of this is we want to see these kids reunited with their parents. If we turn
off Microsoft Exchange and Microsoft Office and all of their cloud services,
how do we think the people in ICE are going to find the parents and kids and reunite them? Because
they're relying on our digital data to know where people are. We have factors like that that need to be
considered. Second, right now, and actually for the last couple of months, every single day,
the focus of the country is in our view where it should be. How many kids are there that are still
separated? How do we get them back together? The moment tech companies start taking a different path,
there will be a backlash against those tech companies and the issue starts getting fragmented and you start to move the focus off of, frankly, the children and more on what tech companies are doing. I don't think that is actually going to help the cause. But third, there's a very interesting question in all of this. What kind of world do we want to live in? Yeah, I understand people who say, I don't want my employer to do business with somebody who has different values from me. But we have to ask ourselves what it will be like if every employer,
actually applies that frame of reference. What if you came to work tomorrow? And because you had
expressed a strong point of view as a company to address climate change, and the power company turned
off your electricity, because the power company is still depending on coal. And they're upset with
the position you've taken on coal. I mean, there's so many issues in this country or any country.
And fundamentally, what we're saying is, you know what, we live in a democratic society. We
rely on the democratic process of discussion and debate and deliberation and decision-making by
elected officials to sort these issues out, we actually don't rely on everybody boycotting each other
when we disagree with each other. Who wants to go to the gas station and find that they won't
let you fill up your car because you took a position against the oil company that provides the oil
to that gas station? I mean, just start to think a little bit. Yeah, but I could distinguish some of those.
You know, I think that leads us to a pretty complicated place. I agree with you. The issue is deeply complicated. But, you know, the power company is a regulated utility that has to provide power. The phone company, for the most part, is a regulated utility that's supplied connectivity. The ISPs are not, and that is a whole set of questions. It sounds like you're saying a company at a certain scale or provision of service needs to be required to provide service to everybody, which does lead into a pretty deep conversation about regulation. Are you comfortable going all the way that way?
Are you comfortable with the government saying you have to provide Office 365 to all comers?
Let me put it this way. I think you can divide it into a couple of areas, and I think your question is perfectly legitimate.
Are there certain services that are so fundamental that companies should really be prepared? Let's just say in a democratic society like the United States to provide them to everyone.
And let's set aside the question of regulation for a moment. Should we provide our services to everyone? Broadly speaking, I think with room for very limited exceptions, I think the answer generally is,
is yes. I mean, think about the case that went to the Supreme Court. Should the baker of a cake
be obligated to provide a cake to a wedding of two individuals of the same gender, despite the baker's
opposition to a same-sex marriage? Most people have said, yes, please, let's not turn these things
into political statements. And if we don't want them to be turned into political statements from the
right, well, then we should be careful not to turn them into political statements from the left.
But let's also just posit for a moment that not everything is potentially subject to regulation.
We can still ask ourselves, do we want to politicize every single aspect of daily life so that the dry
cleaner is never going to be a regulated business? Do you want the dry cleaner to be saying,
you know, we're not going to serve people who are employed by this company because we don't like what
this company is doing? Or let's say the dry cleaner says, you know what, we're not going to do dry
cleaning for anybody who works for the U.S. government or anybody who,
who works for this government agency because we disagree with what this agency is doing and the new
public policy it is articulated. In general, and this is a question. I think it's a question for all
of us to ask what kind of society do we want to live in? I would advocate for a moment that we're in
many ways well served by using our democratic processes to engage in democratic decision making
and not turning every aspect of our daily lives into something that is so inherently connected with politics.
But I would pull that back to Microsoft.
You set policy for Microsoft broadly.
The dry cleaner does not offer facial recognition services.
Are you saying Microsoft has drawn some lines?
So actually, my first question, this says legacy email.
Is ICE not on Office 365?
Because you should really upsell them.
I actually don't know whether they're using Exchange or Office or Office 360.
I do know that they're using our services for some type of email and document storage of those guys.
So Office in some capacity is being used there.
So you're saying office is okay, but facial recognition is not, right?
You've drawn that line.
Are there other lines?
Do you have a chart of things that you will sell to ICE and things you won't sell to ICE?
I think you're asking a great question.
First of all, we are suddenly in a world where some lines need to be contemplated.
And this goes to the complexity of the use of technology and the way.
world in which we live. We then need to think about different technology scenarios. When we really
thought about facial recognition, we concluded that this is fundamentally a technology that has great
potential benefits, but also is fraught with at least some risk or even potential peril. And in a way,
you can think about it at a couple of different levels. To some degree, there is what I would call
the peril of the moment. There is the fact that facial recognition at its current state,
of development, regardless of the company you're thinking about, has error rates that are higher
than we're going to see five years from now and that people will generally want to see.
We also see a differential error rate.
Facial recognition tends to produce incorrect results in many more situations that involve
women or people of color.
So there's this bias that is involved in the technology.
And even looking beyond the current bias, which I think we can assume over time, will be reduced
as the technology is improved. This is technology that in many ways poses absolutely fundamental
questions for civil liberties and for personal privacy. We can all imagine good uses.
Maybe it can be used to find these parents and children that the government has not been able to match
yet. But on the other hand, a camera on every corner, a camera on every police car, a camera in every
store that is connected to facial recognition could create a world where in effect, surveillance
is far more pervasive and intrusive than the world we've ever lived in before. And it could chill
the exercise of people's civil liberties. These are questions that not only need to be addressed and
deserve thoughtful answers before the technology is distributed everywhere, these fundamentally,
in our view, are questions that need to be answered by elected governments, because they go to,
in many ways, the core of our public values. And hence, one of the things that we said is we need to
draw some lines for ourselves, but at the end of the day, just say in terms of how the technology
is used in the United States of America, we need our government to draw these lines. This is technology
that actually should be regulated by law, and we need to get to work on doing that well.
Are you going to withhold the facial recognition technology until there's a law?
Well, one of the things we have said is that we are going, we are both going to develop principles for ourselves.
We're going to engage in the public discussions to really encourage this kind of regulatory approach.
But in the meantime, we're also going slow, or at least slower than we would otherwise go.
There are situations where we have said no to a customer request to deploy facial recognition.
There are other situations as recently as two days ago where I said, gee, that does not sound like a good scenario in which to deploy facial recognition today.
Are you reviewing all those things? Does that come up to you? Is there a facial recognition council at Microsoft? Do all the employees get to vote? What's that process?
They occasionally across my desk. But we have an ethics advisory committee on these issues involving artificial intelligence. Facial recognition fits into the artificial intelligence domain. And so we do have people who are sending in issues as they're.
come across them. We do look to this group as one of the sources for advice. And then we do
make decisions at the executive level. And specifically, Harry Schum, who leads a lot of our
artificial intelligence work, Harry and I, then are tasked when we get to these most sensitive
questions to make a call on whether we're going to say no. And there are calls we are making
to say no. I know we have to, I could do this the whole time, but I know you have limited
time. I want to move on to Azure because it's the same question in a different way. Earlier this
month, Microsoft told Gab, which is sort of an alt-right Twitter clone, that they would be dropped
from Azure if they didn't take action on anti-Semitic posts within two days. Gab is still on
Azure, yeah? Yes, it is. And I think it was because the user deleted those posts. This is
ultimately the same. Azure is a huge service that you run, one of the biggest cloud computing
providers out there. What prompted the warning? Literally in that case, in all candor, somebody
in our Azure support area in India had received an email from somebody who was in the consulting
business who had heard from another company expressing concerns about some content on GAB.AI.
And while we were sleeping on the West Coast of the United States, an employee in India had
sort of turned out an email that went to GAB that said, we've spotted some content.
And under our policy, you have to address it in 48 hours or you risk being cut off.
We came to work the next morning in Redmond, Washington, blissfully ignorant of all of this.
And then we heard not from gab.a.I, but from the verge in the Washington Post.
And they said, we've heard from Gab, and we have this in front of us.
And we're going to run a story in two hours.
Can you tell us what your decision is?
We do do that.
I'm aware it's quite annoying, but we do it all the time.
And so I was very happy that I'd come back from vacation the day before because I happened to
be in the office and somebody walked down the hall and said, gee, we've got to make a judgment call
here. And now it's an hour and 25 minutes. And so you do what you do in life. It's like,
okay, let's look at this. What is this service? What is this content? What is it that was raised
and flagged and what was sent to gab? And in that instance, it was a relatively straightforward
judgment call because the content was so extreme. Yeah. It was advocating genocide through violence
against all people who are Jewish. We looked at it and said, look, this isn't the kind of speech
that is protected in the United States. It's not the kind of speech that's protected under
international human rights standards. It's not the kind of speech that is in conformity with
Azure's own policies. Therefore, we're going to go to GAB and say, yeah, that's right.
Whoever made that call while we were sleeping made the right call. And that specific content
really does need to be taken down. And if you don't want to take it down,
it's your call, but we won't let you continue to use Azure. And we did take pains to say,
we'll give you, in a likelihood, more than 48 hours to move to another service because we did
appreciate that they probably wouldn't be able to move to another service in 48 hours.
But it called the question. And from what I understand, Gab went back to the individual who had
posted that content and that individuals voluntarily, if you will, took down that content.
How often do calls like that escalate to you? You obviously have a huge support network across the world. Does that happen to you all the time? Or does other Azure stuff come down more frequently? It just doesn't hit your desk. It's the exception that somebody like I get involved in these things. Our goal is to develop a set of principles. And so at a high level, we work to understand these issues, develop a principled approach, stress test the principles, and then empower people to apply them.
If the principles break down, or if there's a new question, it's likely to come back up.
But mostly you've got to run a global company at scale.
And it is not by having executives make these individual calls every day.
Oh, come on.
Your next title could be king of Microsoft Policy.
You keep going up.
So, look, Azure is huge, right?
Office 365 is huge.
Xbox Live is huge.
Are you thinking about holistic content moderation across all of these services?
If you police Azure in some way, you're policing the Internet, right?
I mean, so much of the Internet, to Microsoft's credit, runs on Azure now.
Can you content moderate individual word docs of the alt-right on 365?
Or are you looking at some deeper level, higher level, rather?
I think that you are asking a question of just huge importance.
And I think one needs to reflect on multiple things here.
First, in all probability, you wouldn't want to apply the same approach to every aspect of technology.
For example, if you've got a service that is a community service, use LinkedIn as an example,
LinkedIn might want to apply one approach to the kinds of content it wants to have for that community on LinkedIn.
Xbox Live might want a somewhat different standard, but it too has a community.
We'll take Bing as a search engine.
Well, that actually is not focused on a specific community.
And arguably, it has a broader role to play because Bing like Google,
and other search engines really play a fundamental role in ensuring that content is discoverable
to people in a country or around the world. So the notion that you would actually apply
precisely the same approach to say Xbox Live and LinkedIn and Bing is very unlikely.
Then you get down to another level of where we basically provide what you might consider
to be platform level tools and services. And I think your reference to Word is
really an interesting and important one. Because, you know, the first version of Microsoft Word
went on sale in 1984. So think about how many years that's been around. No one ever asked Microsoft
or anyone else to try to police what people wrote with Microsoft Word. For the simple reason,
it wasn't technically possible. It was put on other people's machines. They saw the content Microsoft
did not. Now, theoretically, in a cloud-based world, in a world of office,
online or Google Docs, people could ask tech companies to constantly look in effect over the shoulders
of everyone who is writing and start to get people to stop. But that's a quite intrusive world.
I mean, it has major implications for privacy and for the freedom of expression around the world,
which is a long way of saying, you know what, if there's content moderation across some services,
one would think long and hard and be very reluctant to ever apply it to something like a word
processing service. And then you actually then get to the platform level cloud services,
whether it's AWS or Azure or the Google Cloud, which in effect was the issue posed by gab.aI.
And then you can ask again, what approach do you want when it comes to the moderation of content?
Think about it with respect to say Twitter. You know, it might be one thing to ask Twitter to
moderate the content of what's on Twitter. People do ask Twitter to do that. Twitter does do that.
They don't do a great job. Just to be clear. You could have your, yeah, you could have a point of
view. But then let's assume for a moment that Twitter runs on AWS. Should Amazon then take on an
added approach of looking over the shoulder of Twitter to assess what kind of job Twitter is doing
managing the moderation of content on its service? All of these are questions that frankly people in the
tech sector are having to think through. There are the kinds of questions that are being addressed
more broadly in the political community in the United States in Brussels and around the world.
I think if nothing else, it underscores both the complexity involved and ultimately the need
for people to be very thoughtful and only principle. But that is the choice you made with Gab,
right? You were the cloud services provider to Gab. You received a complaint. You said, we stand
by this complaint. Clean it up or you're gone. So it seems from your actions, you're arguing that, yes,
our platform vendors should do some of this or should have some values,
particularly their clients that distribute information, need to live up to.
In the case of that particular incident, it was a relatively easy question to answer
because fundamentally I think we felt we were dealing with content that was not only
hateful and objectionable, but unlawful as well.
I think that where one gets into greater levels of complexity is when you may well have
content that is objectionable to a great many people, but may be lawful. And that's where,
you know, part of what we're going to have to work through, not just as a company, but as an
industry, is who will exercise, who should exercise responsibility for, in effect, policing or
moderating that. How many layers of tech companies do you want to have involved in policing
or moderating that? And perhaps most importantly, what are the principles that people want to
see applied as that has taken on. So there's an InfoWars app in the Windows store. Have you had the same
kind of InfoWars conversation that we're seeing Facebook and Apple and Google all have sort of in
public? Is Microsoft had that conversation? All I'll say here is actually if there is an InfoWars
app in the Windows store, you're the first person to tell me that. I'm not actually aware that
there is. Well, there is. We check the window store. I'm just letting you know. Let me know what you guys
decide to do with it. We're very curious. Do I have more than two hours to make a decision?
I'll give you more than two hours in this one. It is a thorny problem and I think everyone's sort of
dealing with it in public. Are you thinking of your rules legalistically? You're a lawyer. I was a
horrible lawyer. But the way I see it is, you know, Facebook Zuckerberg is out there saying,
I need a court, I need an appeals process. I want one rule to lead to another rule logically.
Then you, I think I have a company like Apple, which has a great deal of rules for its app store,
but maintains a great deal of discretion
in how they apply those rules.
They focus more on their values.
Then you have some companies
that seem utterly capricious.
Where does Microsoft fall?
Are you thinking you need a formal policy
that can be appealed for when the Azure situation happens
or when an Xbox live person gets banned?
What's your thinking at how these rules need to be built?
Well, I guess I would say a couple of things.
I mean, fundamentally, we are talking about rules or lines
that are drawn.
And, you know, increasingly we are living in an environment
where people are looking to, expecting, even demanding that tech companies create certain lines,
draw lines, put in place rules. I would say just sort of a couple things from about that.
First of all, it's not bad to have been trained as a lawyer, and it's not bad to have worked as a
lawyer because, frankly, lawyers are trained in drawing of lines. That is actually the fundamental
core of legal reasoning. I would also be quick to add that one needs to be careful not to be
entirely or too legalistic. Because these are broad questions. They involve broad values. And
frankly, it's too important to be left to people who are thinking like lawyers alone. This really
requires the bringing together of people of multiple disciplines and backgrounds. But there's
something to be learned from, call it the rule of law. Second, there's also something to be learned
from certain aspects of what you might call legal processes. And I think you just hit the nub of it.
any legal system, at least one that is well-functioning that works fairly, there is likely to be
some kind of right to appeal. Why is there a right to appeal? Because people make mistakes.
They may make decisions without adequate information. They may make decisions based on a misunderstanding
of the information they have. And equally, when you look at the, you know, and what are really
20 years of tech sector involvement in effect to managing content, you know, going back to the
Digital Millennium Copyright Act in the 1990s and the notion that there was content that people
could or even must remove if it violated copyright law, you know, it was quickly established
that there should be some kind of notice and right to appeal for the same reason. You don't
want people to make decisions based on mistakes. Do you think Microsoft needs to have a more
legalistic process for these policies in particular? Are you working towards that? I would not use
the phrase too legalistic because I think we're going to need to formalize more processes.
Unfortunately, we're going to publish precedent. Honestly, I think one of the big problems that
the Facebooks in the world have is they make decisions and there's no precedent from which people
can learn. What I would say is whether you put it in the context of publishing precedent,
which sounds like the conversation lawyers would have, it underscores the importance of transparency.
It absolutely underscores the importance, first of all, of us making decisions that we can articulate to others, which is part of the reason that we focus on being principled.
It also underscores the importance of then sharing that information.
And that is sometimes an uncomfortable place to be, but it probably is a necessary place to be as all of these things go forward.
So do you think this is a problem that the market can solve, or is this a purely policy problem?
Is there enough competition for cloud service vendors and Twitter clones and Xbox Live services that honestly the market could just solve it if necessary?
Or is this to the point where there needs to be a rationalized public policy?
Well, I think that we need thoughtful, responsible action in the marketplace and we need thoughtful action by governments.
It's not because the market is incapable of acting by itself, but frankly, it's because in my view, some of these decisions at least,
are so impactful in terms of what they mean for fundamental civil liberties and free expression
and people's privacy rights that they need to be subject not just to companies that are competing
with each other, but to the fundamental democratic process and the rule of law. And that was part
of what we really said when we talked about the facial recognition issue, that in democratic
societies, we should be comfortable relying on democratic processes and we should contribute to
promoting and supporting the democratic process so public decisions can be made. And to sort of
connect the dot with in some ways the other question that you alluded to earlier, the other issue of
this particular week, if we're going to rely on the democratic process and if we're going to
support the democratic process, we also need to be prepared to defend the democratic process,
including from attacks, cyber attacks, from other nation states.
Yeah, I want to get to that.
Real quick, we just interviewed Ron Wyden, who's Senator from your neck of the woods,
and he said, you know, Section 230, if the tech companies don't start using their,
I think he described it as a sword and the shield, they don't start using the sword more.
We're going to rethink that law.
Do you think 230 needs to get reworked?
I think it's an interesting question.
It's not one that I've actually thought enough about myself to consider how it might be reworked
if it were to. So I would just add that to the daily list that gets longer every day of the kinds
of questions we may have to develop an opinion on. My first question was, is it different now?
And I have to say after talking to you, it feels like it is definitely different now. The scope of
problems that you are dealing with must be just radically longer and different. So let's end on the
up note of Russian election interference. Speaking of things that are radically new, you just announced
that you found six domains that were being used for fishing attempts by Russian actors,
all the evidence was Russian actors.
And you went to court to have them transferred to you?
Yes.
It is a process that we developed in our digital crimes unit two years ago.
When we first saw this group, Strontium, Fancy Bear, APT, 28, as it's alternatively called,
setting up these websites and using them for spear fishing attacks.
And two years ago, we saw this pattern emerge.
was focused in no small degree on groups like the Democratic National Committee, Hillary Clinton's
presidential campaign, and others. And what we found is we could develop evidence and go to federal
court and seek and obtain a court order that would transfer control of these domains from,
in effect, Strontium to Microsoft. We would then set up a sinkhole in our digital crimes unit.
What that would mean is that when other traffic would go to that domain, instead of going to
Strontium, it would come to our digital crimes unit. And from that, we would be able to identify who
was being attacked. We could identify whether the attacks were successful. We could reach out to those
customers as we have to let them know and then to help them increase their security protection and
clean up their machines. We've done this 12 times now, 12 different court orders with the addition of
the six domains. We've now applied this to 84 different internet domains. We did it in the United States
in terms of the targets of attack in 2016.
We saw France really being a focus of attack in the run-up to the presidential election there last May.
We're seeing a renewed focus on the United States in the run-up to the midterm elections.
So I just want to just zoom out a little bit.
You have a digital crimes unit that's relatively new.
What is their charter?
What is their mission?
What are they?
What's their limit?
Are they Batman?
Well, they're definitely not Batman.
Interestingly, we've had a digital crimes unit in that name or other names.
for almost 20 years, going back to the beginning of the 2000s. And its charter is to bring together
lawyers and investigators and engineers and data scientists and data analysts so that working together
we can identify digital threats that would constitute crimes to our customers or the broader
public. And then we work with law enforcement or with courts and the law to try to deter and
redress and reduce those kinds of criminal threats. A big focus of activity has been the exploitation
of children, whether it be child trafficking or child pornography, which I think is one of the great
scourges of the internet. Over time, we've focused on then the morphing of cyber attacks from,
say, the individual hackers to criminal enterprises and then ultimately to nation states.
we've addressed really on a global scale malware distribution and bot net attacks. And over the last
few years, really since 2016, we've had increasingly a need to focus on nation state attacks.
And one of the key, I think, responsibilities that we have is to be strong and proactive,
but to act within the law by partnering with law enforcement or going to courts.
This is not and should not ever be an exercise and sort of digital vigilanteism.
And we've taken care to ensure that it's not.
But it is something that has a group that has had a real impact.
And it's often broken new ground in terms of identifying new forms of criminal threats and then devising, as they have in this instance, innovative steps to respond to them.
So Alex, this is the chief security officer of Facebook, put up a blog post on Lawfare today.
basically says election security in the run-up to 2018 is shot. Lost cause, we should put all of our focus in 2020.
What do you make of that? Do you think that it's lost cause? Do you think that there's more for Microsoft to do?
Well, I think we better be working every day.
Independently of whether one is an optimist or a pessimist, I am definitely not a defeatist.
And the worst thing we could do is just say, gee, let's surrender the midterm elections and the entire House of Representatives of the United States and focus all our energy on the
presidency. I believe that there are important steps that we can take. There are important steps that
many across the tech sector and across the public sector are taking. And I think we need to keep in
mind that it's in fact a multifaceted problem. It involves the hacking of candidates and campaigns.
It involves potential vulnerabilities of our voting system. It involves potential issues around
paid political advertising. And it involves disinformation, particularly on social media sites.
And we should be doing everything we can every day to ensure that we have the strongest and
healthiest process when everybody votes in November.
So are you, is Microsoft taking preemptive steps?
Are you talking to campaigns right now?
Are you only focused on those campaigns that are using, you know, Microsoft services
or are you talking to everybody?
How are you making those investments?
We created in April a new team to pursue a new initiative that we call the Defending Democracy
project.
And that team is focused on all.
four of the problems that I just listed. It thinks about them in that way. And it is working with
all candidates and campaigns and political parties at the federal state and local level in the
United States. We announced yesterday a new initiative. We call it the Account Guard initiative
that will provide enhanced threat intelligence services to any of those groups that are using
Office 365 and it will do it at no additional charge. That team has already been out of
providing security briefings in not just recent weeks, but over the last several months,
that go beyond people who are Microsoft customers. It goes beyond, say, the cybersecurity issues
that one might want to think about if one is using our services to think more generally
across the board when it comes to the role of tech tools. And we're doing this not just in the
United States. We're doing it in other countries, in Europe and in the Western Hemisphere,
and we're committed to doing it as we go forward to really protect democratic societies and
democratic processes on a global basis.
So when I talk to other companies, your competitors have similar initiatives.
They're thinking about similar things.
Kind of a universal sense I get is the tech industry is way ahead of the government right now.
The government is not taking this seriously enough.
Do you share that view or do you think that the government's doing actually enough or more than
enough?
Well, I think first one should note there are many governments.
You know, there's federal, state, local, in the United States. We have other governments around
the world. I believe that actually people are very focused, people are aware, even if we talk
about the federal government of the United States, when we talk to people at the Department of Homeland
Security or the Department of Justice or the FBI, I think that people are addressing this.
I think they're addressing it in a serious way. I think people are committed to doing more.
I sort of think it's a common mantra in the tech sector to dismiss people in government too readily, in my view, as being behind us, not understanding issues as well as us, not moving as fast as us. And I think we do a huge disservice, not just people in government. We frankly do a disservice to ourselves because in doing that, I think we overestimate on certain days how well we're doing. The truth is, we all need to do more. We all need to move faster. We need to do
more things together. And there's really no benefit to be served on any day of the week in thinking
for a moment that any one of us is better than somebody else because none of us are as good as we
need to be. Just to be clear, you think the current federal government is doing enough right now,
or should they be doing much more? I think we all need to be doing more. No, that's the reality.
That's what Alex, I haven't read Alex's blog, but I assume that if you're going to say that this is a
lost cause, you must be thinking that more needs to be done.
We all need to be, we all need to do more.
I absolutely share that sentiment.
But there's no way under the sun that I would throw in the towel on 2018 in this country.
Yeah.
Well, last question, and I thank you for a time, is you are thinking about how the nature
of tech industry responsibility has changed, the nature of Microsoft's responsibility
to honestly, the country and the world.
has changed. What's the biggest single thing that will impact it? What's the biggest single thing
beyond one law or one set of policy conversations? What will lead to a new set of outcomes
beyond this current moment of intense reflection and focus? Well, I actually would go back to
culture. Yeah. Because I think that it all starts with culture and it ends there as well.
I think that there are three cultural elements that need to come together. The first is a
recognition of the high level of responsibility that we have. None of us can afford to be
out just for ourselves. It doesn't matter how strongly we compete with each other. We all need to
be thinking hard about what we can contribute to address these broader issues that technology is
impacting. Second, I think we need to recognize that we need to build more bridges, more bridges
between companies and more bridges between the tech sector and the public sector and with civil
society. And that's a cultural change as well as a call to action. And third, in some ways, and this
is very much a reflection of the current day culture at Microsoft. These are problems that require
that one have a sense of humility, that one have a growth mindset, that one be prepared to
experiment, that one learn quickly from mistakes because mistakes are inevitable, but that one
be enthused and ultimately inspired by the opportunity to learn something new every day.
day. We are all going to need to get better. And I think if we can fuse those three cultural elements
together, responsibility, partnership, and ultimately growth, humility, that is the combination that
will enable us to make, at least hope to make the kinds of progress for which we need to aspire.
I like that. But one thing that strikes me out Microsoft is that, you know, when we talk to
Sotr, when I've been speaking to you, you have a very clear sense of the values of the company.
values you want to push forward. I find that lacking from many of the other large tech companies.
Do you think there's a role for Microsoft to present a set of values and push those values forward?
Or is that up to the country in the democratic process at large?
I think we all need to ask ourselves how we can do more. Certainly it's something we ask ourselves here.
I think we need to ask the country to do more. I think we need to ask our government to do more.
I think we ask ourselves, we need to ask ourselves to as citizens to do more.
And at the same time, I think it's maybe a little too easy to be critical of other companies as well.
I find really thoughtful, responsible people in lots of different places.
I think sometimes we're at different stages in terms of the level of resources, the kinds of organization, the processes that we have in place, our capacity to be decisive and proactive.
But ultimately, we live in a remarkable industry with great athletes, so to speak.
And I have a lot of confidence in the ability, not just to people at Microsoft, but even among our competitors, to find new ways to work together and have more of an impact at this space.
That's great. Well, thank you so much, Brad Smith, President, Chief Legal Officer of Microsoft.
We have kept you way over your time, so I appreciate. I appreciate all the comments.
I know we'll have you back soon. Thanks so much, man.
Good. Thank you.
So that was it. That was Brad Smith, President, Chief Legal Officer of Microsoft. I hope you were as informed and entertained as I was.
He's a really interesting guy.
I also want to know how you think these interview episodes are going over time.
So I would love your feedback.
You can tweet at me.
I'm at Rackless on Twitter.
You can leave a comment on the website.
If you only just want to give us five stars, you can go on Apple Podcasts and give us five stars.
If you want to give us less stars, definitely just tweet at me instead.
But I really want your feedback.
I want to know who you want me to interview in the future.
So let me know.
We're always trying to make it better.
And we'll see you on Friday for the regular Vodercast.