Microsoft Releases First Ever Law Enforcement Requests Report
Microsoft has finally opened up and disclosed how frequently U.S. and foreign governments demand user data, and how often it hands the information over. While it appears to be frequently, not a lot of personal data is being disclosed, according to the report.
Microsoft received 75,378 requests for user data in 2012 from U.S. and foreign governments, and fulfilled a little over 80 percent of the requests, Microsoft said in its first ever law enforcement report released Thursday. This figure includes queries law enforcement made regarding users of various Microsoft services, including Hotmail, Outlook.com, Sky Drive, Skype, Microsoft Account, Office 365, and Xbox Live.
Microsoft rejected requests for data in 18 percent of cases, because it was unable to find information on the requested individual, or because law enforcement was unable to demonstrate proper legal justification for demanding the data, according to the report.
“Like every company we are obligated to comply with legally binding requests from law enforcement, and we respect and appreciate the role that law enforcement personnel play in so many countries to protect the public’s safety,” Microsoft’s general counsel, Brad Smith, wrote on Microsoft on the Issues, a public policy blog.
The requests potentially impacted 137,424 accounts, but when considered against the total user base, it appears that “less than 0.02 percent of active users were affected,” said Smith.
Of the 75,378 requests, 4,713 were specific to Skype and impacted 15,409 users. Microsoft did not provide any content data, such as content from the calls, for any of the Skype requests, according to the report. Skype’s peer-to-peer architecture means the company does not store calls and has no historic access to previous conversations, Microsoft said. Instead, Microsoft provided “guidance” to law enforcement in the form of Skype ID, usernames, email accounts, and billing records, for 501 cases.
At the moment, the report lists the requests for Skype data separately because Microsoft hasn’t finished integrating Skype data into its system post-2011-acquisition. Going forward, Microsoft plans to roll the numbers together.
Only 11 requests were made for information on enterprise customers, of which Microsoft rejected seven. The company disclosed some customer information for the remaining four, but did so after obtaining the customer’s consent or because the customer had already contractually given permission.
Microsoft joins a handful of companies, including Google and Twitter, which regularly disclose how often governments demand user data, and how often they comply with those demands. Microsoft plans to update its report every six months.
“Google, Twitter and others have made important and helpful contributions to this discussion by publishing some of their data,” Smith said, noting that Microsoft “benefited from the opportunity to learn from them and their experience.”
Microsoft’s report was different from other reports in that the company broke out the types of data being requested, as well as for the application. Microsoft handed over non-content data, such as the account holder’s name, gender, country of residence, dates and times of data traffic, email addresses, usernames, and IP addresses associated with the user, as well as content data, such as the subject headline of an email sent via Hotmail, images stored on Sky Drive, and the text of an email.
Microsoft gave authorities actual content data in only 2.1 percent of the cases, or 1,558 requests, according to the report. Microsoft also included information about national security letters in this report. The U.S. government requested data such as ” name, address, length of service, and local and long distance toll billing records” of between 11,000 and 14,996 of its users from 2009 to 2012. The information was deemed “relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities.”
One interesting thing to note about the report is that Microsoft complied less frequently with the U.S. government’s demands compared to Google. Microsoft received 11,073 requests for user data in 2012 from the U.S. government, and handed over data to the government in about 79 percent of those cases, according to the report. Google, according to the most recent report issued in January, received 16,407 requests in 2012 and complied with about 89 percent of those requests.
Another was that Microsoft was more likely to hand over content data to U.S. governments than to foreign governments. Compared to the hundreds of requests for actual content from the U.S. government, Microsoft handed over user content for only 14 requests from countries such as Brazil, Canada, Ireland, and New Zealand.
“As we continue to move forward, Microsoft is committed to respecting human rights, free expression, and individual privacy,” Smith said.