News

Microsoft Reports First 6 Months of Law Enforcement Requests

• By Kurt Mackie
• 09/27/2013

Microsoft released its first 2013 report that tallies global law enforcement requests for information on online services use by customers.

The new report covers six months, from January to June. It doesn't include national security requests, such as requests issued via the U.S. Foreign Intelligence Surveillance Court. Microsoft reported aggregate data, omitting specific details.

Overall, there were 37,196 requests from law enforcement agencies around the world in the first six months of this year, but those requests "potentially" affected 66,539 accounts, according to Microsoft's report. Requests regarding Microsoft's services came most frequently from the U.S. government (7,014), followed by Turkey (6,226), Germany (5,185), the United Kingdom (4,404) and France (4,379). In stark contrast, China and Russia had three requests apiece during the six-month period.

Most of the requests concerned the use of Microsoft's consumer services, such as Outlook.com, SkyDrive, Messenger and Skype. However, the requests also tapped Microsoft account sign-up information, which is used to access various Microsoft services. Users of Microsoft account are tracked by a "personal user ID, which is a unique alpha-numeric code generated for each registered Microsoft account," Microsoft explained. This so-called "non-content information" contains information such as the user's log-in ID, name, state, country, IP address and gender.

Requests specifically affecting Microsoft's business customers were few. There were "19 requests for enterprise customer data" regarding hosted e-mail accounts during the time period, according to the report.

Most of the requests were for non-content information. Microsoft claims it requires "a court order or warrant before we will consider disclosing content to law enforcement." Microsoft actually disclosed customer content in response to 10.7 percent of U.S. law enforcement requests for content during the six-month period.

The report also listed approximate numbers in response to past FBI-issued National Security Letters, which are purportedly issued for terrorism or intelligence cases. Microsoft responded to National Security Letter requests ranging between 0 and 999 in 2012, for instance. Microsoft also responds to so-called "emergency requests," which are cases such as possible kidnappings or suicide attempts. The United Stated led in those requests at 87 requests during the six-month period.

Microsoft's disclosure reports don't reveal much, but are of greater interest now given recent events. Microsoft and other service providers allegedly joined the National Security Agency's PRISM program as early as 2007, as disclosed this year by whistle-blower Edward Snowden. PRISM allows NSA agents to simply tap service provider networks, according to Snowden, which all of the service providers deny. Following that publicity, Microsoft and other service providers filed a petition to the U.S. government in September seeking permission to disclose the number of FISA Court requests it receives.

The U.S. government hasn't budged much. Microsoft was given an exception last year to publish aggregate data that included national security requests from July 2012 through Dec. 2012, mixed in with other law enforcement requests. However, that exception may be just a one-shot arrangement.

U.S.-based companies such as Microsoft are trying to promote the cloud, but can't guarantee much given recent NSA spying revelations. And that circumstance has shattered trust among some potential users. Microsoft first began issuing its law enforcement agency request reports in March.