Microsoft Omits NSA Details from Law Enforcement Request Report

Microsoft Omits NSA Details from Law Enforcement Request Report
Microsoft Omits NSA Details from Law Enforcement Request Report

In its second-ever Law Enforcement Requests Report, Microsoft said that it (including Skype) received 37,196 requests from law enforcement agencies potentially impacting 66,539 accounts in the first six months of this year. This compares to 75,378 requests and 137,424 potential accounts in the whole of 2012—so request volume is remaining steady.

The company’s report shows that about 77% of requests resulted in the disclosure of what the company calls “non-content data,” e.g. no actual information that individuals wrote or said messages and so on was included. In 92% of these cases, the requests were from United States law enforcement agencies.

No data at all was disclosed in nearly 21% of requests, and only a small number of requests resulted in the disclosure of customer content data—2.19% of total requests. These numbers are also “broadly in line with what we saw in 2012,” Microsoft said.

“As with the 2012 report this new data shows that across our services only a tiny fraction of accounts, less that 0.01%, are ever affected by law enforcement requests for customer data,” Microsoft noted. “Of the small number that were affected, the overwhelming majority involved the disclosure of non-content data.”

But lest anyone be looking to parse out what the National Security Agency may have been asking for in particular, that information is omitted from the report. “Unfortunately, we are not currently permitted to report detailed information about the type and volume of any national security orders (e.g. FISA Orders and FISA Directives) that we may receive, so any national security orders we may receive are not included in this report”, the company noted on the research page. Instead, “we have summarized, per government direction, the aggregate volume of National Security Letters we have received.”

The company was quick to burnish its populist bona fides here, noting that it is looking to change that. “We recognize that this report—focused on law enforcement and excluding national security—only paints part of the picture,” it noted. “We believe the U.S. Constitution guarantees our freedom to share more information with you and are therefore currently petitioning the federal government for permission to publish more detailed data relating to any legal demands we may have received from the U.S. pursuant to the Foreign Intelligence Surveillance Act (FISA).”

In a further nod to consumer and business fears over the NSA’s surveillance of communications, Microsoft capped the discussion with this: “While we believe that had some value in quantifying the overall volume of requests we received, it is clear that the continued lack of transparency makes it very difficult for the community—including the global community—to have an informed debate about the balance between investigating crimes, keeping communities safe and personal privacy.”

NSA info aside, it’s interesting to note that when it came to users of enterprise services, such as Office 365, the number of those affected was beyond fractional. Microsoft received just 19 requests for email accounts it hosts for enterprise customers, seeking information about 48 accounts. 

“We disclosed customer data in response to five of those requests (four content; one only non-content), and in all but one case, we were able to notify the customer,” Microsoft explained. “We rejected the request, found no responsive data, or redirected law enforcement to obtain the information from the customer directly in 13 of those cases. One request is still pending.”

For all 19 enterprise requests, the legal demands were from law enforcement entities located in the U.S., and sought data about accounts associated with enterprise customers located in the United States. In addition, to date, Microsoft has not disclosed enterprise customer data in response to a government request issued pursuant to national security laws.

Overall, requests came from a large number of countries, but the bulk of them were fairly concentrated. More than 73% of requests came from five countries: the United States, Turkey, Germany, the United Kingdom and France. For Skype the requests were similarly concentrated, with four countries, the US, UK, France and Germany accounting for more than 70% of requests.


What’s Hot on Infosecurity Magazine?