Security Experts:

Microsoft Publishes Data About Secret FISA Orders

Microsoft Provides Additional Transparency on US Government Requests for User Data

Microsoft on Monday said that it was in the process of updating its transparency reporting in order to provide new information relating to governmental demands for customer data.

In June 2013, Microsoft's made a legal request to the Foreign Intelligence Surveillance Court (FISA) asking permission to disclose more information about secret government requests for data. Google made a similar request a day before.

Microsoft Data Protection 

Since then, the US Government has agreed to allow technology companies to publish data about FISA orders.

“While there remain some constraints on what we can publish, we are now able to present a comprehensive picture of the types of requests that we receive from the U.S. Government pursuant to national security authorities,”  Brad Smith General Counsel & Executive Vice President, Legal & Corporate Affairs at Microsoft, wrote in a blog post Monday afternoon.

Smith said that Microsoft was now permitted to publish data about the number of FISA orders it has received, along with the number of accounts or other identifiers the government sought information about, and whether those orders sought customer content or only non-content information.

According to government rules, data about FISA requests must reported in bands of a thousand, starting with the band from 0-999, and can only be published six months after the end of a reporting period.

Smith said that from January 2013 through June 2013, Microsoft received fewer than 1,000 FISA orders seeking the disclosure of customer content.

“These orders related to between 15,000 and 15,999 accounts or individual identifiers,” he explained. “It’s important to note that this does not necessarily mean that more than 15,000 people were covered by these data requests. This is because one individual may have multiple accounts, each of which would be counted separately for the purposes of reporting this data.”

Additionally, Microsoft received fewer than 1,000 FISA orders for non-content data only, seeking information that related to fewer than 1,000 accounts or identifiers. The company received fewer than 1,000 National Security Letters covering fewer than 1,000 accounts or identifiers. Microsoft also provided the same information going back to July of 2011.

“While our customers number hundreds of millions, the accounts affected by these orders barely reach into the tens of thousands,” Smith said. “This obviously means that only a fraction of a percent of our users are affected by these orders. In short, this means that we have not received the type of bulk data requests that are commonly discussed publicly regarding telephone records. This is a point we’ve publicly been making in a generalized way since last summer, and it’s good finally to have the ability to share concrete data.”

Smith also highlighted how the increased transparency allowed by the US government does nothing to minimize the significance of efforts by governments to obtain customer information outside legal process.

“Since the Washington Post reported in October about the purported hacking of cables running between data centers of some of our competitors, this has been and remains a major concern across the tech sector,” Smith said.

In December, concerned over the allegations of governments attempting to circumvent online security measures in order to monitor users, Microsoft vowed to take action in order to protect its customers from prying eyes and increase transparency.

“Despite the President’s reform efforts and our ability to publish more information, there has not yet been any public commitment by either the U.S. or other governments to renounce the attempted hacking of Internet companies,” Smith wrote. “We believe the Constitution requires that our government seek information from American companies within the rule of law. We’ll therefore continue to press for more on this point, in collaboration with others across our industry. 

Going forward, Microsoft said it would include the new FISA data in its future Law Enforcement Requests Report which the software giant publishes every six months.

In addition to Microsoft, Yahoo, LinkedIn, Facebook and Google all on Monday published new data on government requests related to FISA orders.

Earlier this month, Microsoft said that attackers breached the email accounts of a “select number” of employees, and obtained access to documents associated with law enforcement inquiries.

Tech giants including Microsoft, Apple, Facebook, Google and several other Internet and technology companies have come under heightened scrutiny since Edward Snowden leaked details of covert Internet surveillance program conducted by the NSA.