December 5, 2024

Microsoft Report Discloses Law Enforcement Requests for Customer Data

The report, which Microsoft said it planned to update every six months, showed that law enforcement agencies in five countries — Britain, France, Germany, Turkey and the United States — accounted for 69 percent of the 70,665 requests the company received last year.

In 80 percent of requests, Microsoft provided elements of what is called noncontent data, like an account holder’s name, sex, e-mail address, I.P. address, country of residence, and dates and times of data traffic.

In 2.1 percent of requests, the company disclosed the actual content of a communication, like the subject heading of an e-mail, the contents of an e-mail or a picture stored on SkyDrive, its cloud computing service.

Microsoft said it disclosed the content of communications in 1,544 cases to law enforcement agencies in the United States, and in 14 cases to agents in Brazil, Canada, Ireland and New Zealand.

“Government requests for online data are like the dark matter of the Internet,” said Eva Galperin, a global policy analyst at the Electronic Frontier Foundation in San Francisco, which has campaigned for greater disclosure.

Ms. Galperin said that even with Microsoft’s disclosures, fewer than 10 companies published the extent of their cooperation with law enforcement agencies.

“Only a few companies report this, but they are only a very small percent of the online universe,” she said. “So any one company that joins the disclosure effort is good news. The faster this becomes a standard for all Web businesses, the better.”

The law enforcement requests concerned users of Microsoft services including Hotmail, Outlook.com, SkyDrive, Skype and Xbox Live, where people are typically asked to enter their personal details to obtain service.

Google was the first major Web business, in 2010, to report the number of legal requests it had received for information. Since then, Twitter, LinkedIn and some smaller companies have also begun reporting, but big businesses like Apple and Yahoo have not.

Microsoft also resisted at first. In January, a group of more than 100 Internet activists and digital rights groups signed a petition asking the company to disclose its data-handling practices for Skype, the Internet voice and video service it bought in 2011.

But Microsoft did provide two types of detail in its transparency report that rivals have not addressed in similar fashion.

It described the reasons it had rejected some requests, and it listed separately by country how it had responded to requests for the content of communications and for noncontent data.

It also published separate information for Skype, which is based in Luxembourg and is subject to national and European Union laws.

In 4,713 cases last year, Microsoft disclosed administrative details of Skype accounts — like a user’s Skype ID, name, e-mail address and billing information, as well as call detail records if a person subscribed to a Skype service that connects to a telephone number.

But Microsoft said it had released no content from Skype transmissions last year. It has said that the peer-to-peer nature of Skype’s Internet conversations means the company does not store and has no access to past conversations.

The countries that made the most requests and received information from Microsoft for Skype noncontent information last year, in descending order, were Britain, the United States, Germany, France and Taiwan, which together accounted for about 80 percent of the requests.

Microsoft did not disclose the total number of requests it had received for Skype information, but said it aimed to do so in its next report later this year.

Brad Smith, an executive vice president at Microsoft and the company’s general counsel, said that the number of requests Microsoft received last year covered only a tiny fraction of its huge customer base, which the company estimates is in the hundreds of millions.

Mr. Smith said in a blog post that the requests in 2012 had affected less than 0.02 percent of Microsoft account holders. He wrote that Microsoft, like all global businesses, must comply with requests from law enforcement, but that the company had set high standards for doing so.

Law enforcement agencies must present a subpoena or its foreign equivalent to obtain noncontent data about Microsoft users, Mr. Smith wrote. To obtain the contents of e-mails and other communications, the company requires agencies to submit a warrant, which is issued in the United States by a court judge and in Britain by the home secretary.

Microsoft rejected requests for data in 18 percent of cases last year, mostly because it could not find any information on the individuals named or because law enforcement officials had not demonstrated the proper legal justification for the requests, the company said.

It also said it had received a minuscule number of requests for data on businesses.

In 2012, Microsoft said, it received only 11 requests for information on business clients and complied in four instances, either after it had obtained consent from the business or when it already had in effect a contract permitting it to disclose the information.

“Like every company, we are obligated to comply with legally binding requests from law enforcement, and we respect and appreciate the role that law enforcement personnel play in so many countries to protect the public’s safety,” Mr. Smith wrote in his blog post. “As we continue to move forward, Microsoft is committed to respecting human rights, free expression and individual privacy.”

Article source: http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html?partner=rss&emc=rss