News

Microsoft Goes Public on Government Snooping Requests

• By Kurt Mackie
• 03/21/2013

Microsoft today released its very first report profiling law enforcement agency requests to access user content and subscriber information associated with Microsoft's online services.

The new "2012 Law Enforcement Requests Report" covers worldwide agency requests throughout calendar-year 2012, which totaled 75,378 requests affecting 137,424 accounts. As might be expected, it's the United States that leads in seeking disclosure of user content, which can include information such as the text of e-mail messages or electronic photos. Of the 1,558 requests that led to disclosure of user content, 1,544 (99 percent) of those requests came from U.S. authorities. The other countries that received such user content from Microsoft -- Brazil, Canada, Ireland and New Zealand -- accounted for just 14 disclosures.

In addition to disclosing content, Microsoft releases so-called "non-content data." This non-content data includes information such as the user's "e-mail address, name, location and IP address captured at the time of registration," according to Microsoft's FAQ. While law enforcement requests for content data require a court order or warrant, Microsoft requests a "document based request, such as a subpoena," before deciding on whether to dispense non-content data to law enforcement agencies.

Microsoft mostly released non-content data to law enforcement agencies in 2012. There were 56,388 disclosures of non-content data in 2012, with the bulk of it going to Turkey (8,997), France (7,377), United States (7,196), Germany (7,088) and the United Kingdom (7,057).

Microsoft is taking a cue from Google and Twitter, which also produce law enforcement request reports associated with online service use. Microsoft is planning to regularly update these Law Enforcement Requests reports every six months.

Consumer Services Mostly Hit
The report covers the "major online services" delivered by Microsoft, according to a blog post by Brad Smith, general counsel and executive vice president for legal and corporate affairs at Microsoft. Those services include free consumer services, such as Hotmail, Outlook.com and SkyDrive, as well as paid services such as Xbox Live and Office 365. However, also included in the mix is the "Microsoft account," which is a user authentication service that affects access to a wide swath of Microsoft online services.

Most of the law enforcement requests were associated with Microsoft's no-cost services for consumers, according to Microsoft's FAQ. However, the paid Xbox Live service was a particular target for law enforcement agencies in 2012.

"The requests also largely impact Xbox Live," the FAQ states. "Unless an individual subscribes to a paid-for service, such as Xbox Live, Microsoft cannot and does not verify an individual's identity."

Enterprise Requests
Enterprise customers, such as those using Office 365 services, represented a small portion of the requests. There were 11 such requests in 2012, and Microsoft disclosed information in four of those cases. Smith suggested that Microsoft points law enforcement agencies to enterprise customers directly.

"In general, we believe that law enforcement requests for information from an enterprise customer are best directed to that customer rather than a tech company that happens to host that customer’s data," Smith wrote in the blog post.

It appears that no company or individual is shielded from U.S. national security letters, which are documents that FBI officials can type up to request information in cases associated with international terrorism or intelligence activities. Microsoft's FAQ just lists a range of "identifiers" at "1,000 - 1,999," which presumably means that the FBI may have requested information in 2012 associated with as many as 1,999 users of Microsoft's online services.

Tapping Skype
Skype requests are described separately in this report. There were 4,713 requests affecting 15,409 Skype accounts in 2012. The United States led other governments in seeking Skype information, as it sought data affecting 4,814 accounts.

Microsoft announced the acquisition of Luxembourg-based Skype in May of 2011, so it's still trying to set up a common reporting scheme with its other services, according to the FAQ. Microsoft claims in the FAQ that Skype is not a telecom carrier, so the U.S. Communications Assistance for Law Enforcement Act (CALEA), doesn't apply. CALEA is the law that requires U.S. telcos to make their networks technically capable of being tapped by U.S. government officials. However, the Skype voice-over-IP network gets routed over a U.S. telecom network at some point, so the legal distinction, if it exists, is probably moot in terms of VoIP networks and their ability to be tapped by governments.

Microsoft is currently engaged in a legal dispute with France over Skype. The French government wants Skype designated as an electronic communications operator, which would subject it to having emergency call support, as well as wire-tapping capabilities.