Microsoft Pulls Back the Curtain on Law Enforcement Requests for Data
Xbox Live users talk a lot of trash while playing games, and some of those conversations may have been of interest to law enforcement agencies. That's one data point from the first Microsoft transparency report, which details what kinds of information was requested by law enforcement agencies from around the world. The company joins Google and a handful of other tech companies opening up about official requests for user information.
Mar 22, 2013 5:00 AM PT
Microsoft on Thursday released its first transparency report, detailing what information was sought from the company last year by governments and law enforcement agencies around the world -- and what information Microsoft gave up to those authorities.
The 2012 Law Enforcement Requests Report covers all the company's major online services -- Hotmail, Outlook.com, SkyDrive, Xbox Live, Microsoft Account, and Office 365. Data relating to Skype, which Microsoft acquired in October 2011, was also released.
Xbox Live users were among those targeted by law enforcement agencies' requests.
"Xbox Live supports chat, text messaging, voice and video communication among users," Greg Nojeim, senior counsel at the Center for Democracy & Technology, told TechNewsWorld. "I doubt law enforcement is interested in the entertainment habits or consumption of subscribers. The government would be interested instead in their communications over the Xbox Live system."
"Microsoft, and a growing number of companies have concluded that, in order to retain the trust of their customers, it is important to be transparent," Nojeim said. "The effort is also linked to corporate advocacy in the United States and globally in support of strict checks and balances limiting government demands."
However, Microsoft "has been behind the curve in its transparency," said Pam Dixon, executive director of the World Privacy Forum. "Google has issued a robust transparency report for years now, and Twitter also releases a detailed report."
There are no surprises in the transparency report, Dixon told TechNewsWorld. "Law enforcement access to data held by third parties is part of the risk of sharing data in a digital age. It would be nearly impossible to entirely mitigate these risks and lead a normal modern life."
The Report's Highlights
Microsoft disclosed non-content information -- user subscriber information such as names, locations, email addresses and IP address -- to law enforcement agencies in more than 56,000 cases. More than 66 percent of this data went to agencies in the U.S., the UK, Turkey, Germany and France.
Microsoft and Skype also acceded to about 1,600 requests for customer content, such as text in emails, photographs and documents stored on SkyDrive, Office 365 or the Microsoft Azure cloud. That number represented about 2 percent of more than 75,000 law enforcement requests received.
More than 99 percent of the disclosures were in response to lawful warrants from U.S. courts. Only 14 disclosures were made to foreign governments.
The bulk of law enforcement requests concerned free consumer services used by individuals such as webmail accounts, SkyDrive cloud storage, Microsoft Messenger, Skype, and Xbox Live.
Microsoft also received 11 requests for enterprise data regarding email accounts it hosts and administers for other enterprises. It complied with four of them.
About 18 percent of requests from law enforcement agencies, excluding those sent to Skype, did not result in the disclosure of any customer information. Microsoft either rejected the request or no customer information was found.
Skype received more than 4,700 requests from law enforcement. It did not produce any content in response to those requests, but provided non-content data such as a Skype ID and the customer's name, email account, billing information and, if the customer subscribed to the Skype In/Online service, which connects to a telephone number, call detail records for that customer.
Is A Better Law Needed?
Google, Facebook, Twitter and Microsoft all insist that government agents obtain a warrant from a judge when seeking the content of communications. This position, based on the rulings of several courts, goes "beyond what the relevant statute, the Electronic Communications Privacy Act (ECPA), requires," Nojeim said.
"All these companies and many others agree that the statute is outdated," he said. "They all maintain that the Constitution requires a warrant for access to the content of communications and documents stored online, and they are urging Congress to update the law to make that clear."
Bipartisan legislation was introduced in the Senate earlier this week to amend ECPA to require a warrant to compel disclosure of the content of communications. Not only that, Nojeim added that "the Justice Department [has] admitted for the first time ever that there is no principled basis for the provisions in ECPA that allow the government to demand access to stored content without a warrant."