November 17, 2024

Microsoft Releases Report on Law Enforcement Requests

The report, which Microsoft plans to update every six months, showed that law enforcement agencies in five countries — Turkey, the United States, Britain, France and Germany — accounted for 69 percent of the 70,665 requests Microsoft received during 2012.

In 8 of 10 requests, Microsoft provided agencies with elements of so-called non-content information such as an account holder’s name, gender, e-mail address, IP address, country of residence and dates and times of data traffic.

In 2.1 percent of requests Microsoft disclosed the actual content of a communication, such as the subject headline of an e-mail, the contents of an e-mail, or a picture stored on SkyDrive, its cloud computing service.

Microsoft said it disclosed the content of communications in 1,544 cases to U.S. law enforcement agencies, and in 14 cases to agents in Brazil, Ireland, Canada and New Zealand.

“Government requests for online data are like the dark matter of the Internet,” said Eva Galperin, a global policy analyst at the Electronic Frontier Foundation in San Francisco, which has campaigned for greater disclosure.

She said that even with Microsoft’s disclosures, fewer than 10 companies publish the extent of their cooperation with law enforcement agencies.

“Only a few companies report this, but they are only a very small percent of the online universe,” Ms. Galperin said. “So any one company that joins the disclosure effort is good news. The faster this becomes a standard for all Web businesses, the better.”

The law enforcement requests targeted users of Microsoft services such as Hotmail, Outlook.com, SkyDrive, Skype and Xbox Live, services where consumers are typically asked to enter their personal details in order to obtain service.

Google was the first major Web business in 2010 to begin reporting the level of legal requests it received for information. Since then, Twitter, LinkedIn and some smaller companies have also reported, but big businesses such as Apple and Yahoo still do not.

Microsoft also initially resisted. In January, a group of more than 100 Internet activists and digital rights groups signed a petition asking Microsoft to disclose its data-handling practices for Skype, the Internet voice and video service it bought in 2011.

But Microsoft did provide two new facets of detail in its transparency report that rivals have not addressed in similar fashion — supplying detail on the reason why it rejected some requests, and listing separate categories by country on how it responded to requests for actual content of communications and to requests for non-content data.

In its transparency report, Microsoft also published separate information for Skype, which continues to be based in Luxembourg and therefore is subject to national and E.U. law.

During 2012, Microsoft disclosed in 4,713 cases administrative details of Skype accounts — such as a user’s SkypeID, name, email account, billing information, and call detail records if a user subscribed to the Skype In/Online service, which connects to a telephone number.

But Microsoft said it released no content from any Skype transmissions during 2012. Microsoft has said that the peer-to-peer nature of Skype’s Internet conversations mean the company does not store and has no historic access to Skype conversations.

The top countries that made requests and received information from Microsoft for Skype non-content information last year, in descending order, were Britain, the United States, Germany, France and Taiwan, which accounted for eight in 10 Skype requests.

Microsoft did not disclose the total number of requests it had received for Skype information, but said it aimed to do so starting in its next report later this year.

Brad Smith, a Microsoft executive vice president and the company’s general counsel, estimated that the number of requests Microsoft received during 2012 covered only a tiny fraction of its vast customer base, which the company estimates to be in the hundreds of millions of users.

Mr. Smith, in a blog post, said the 2012 requests affected less than 0.02 percent, or less than two one-hundredths of 1 percent, of Microsoft account holders. He noted that Microsoft, like all global businesses, was obligated to comply with legal requests from law enforcement. But Mr. Smith wrote that Microsoft had set high standards for complying.

Law enforcement agencies must first present a subpoena or its foreign equivalent to obtain non-content data on Microsoft users, Mr. Smith wrote. To obtain the contents of e-mails and other communications, Microsoft requires agencies to submit a warrant, which in the United States are issued by court judges, or in Britain, by the Home Secretary.

Microsoft rejected requests for data in 18 percent of cases during 2012, mostly because the company said it couldn’t find any information on the requested individuals or because law enforcement had not demonstrated proper legal justification for the requests.

Microsoft also said it received a minuscule number of requests for data on businesses.

During 2012, Microsoft said it received only 11 requests for information on business clients, and complied in only four instances — after Microsoft said it had either obtained consent from the business or already had in effect a contract to disclose the information.

“Like every company we are obligated to comply with legally binding requests from law enforcement, and we respect and appreciate the role that law enforcement personnel play in so many countries to protect the public’s safety,” Mr. Smith wrote on his blog. “As we continue to move forward, Microsoft is committed to respecting human rights, free expression, and individual privacy.”

Article source: http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html?partner=rss&emc=rss

Speak Your Mind