Microsoft Discloses Law Enforcement Requests For Customer Data
redOrbit Staff & Wire Reports – Your Universe Online
Microsoft revealed on Thursday that it had it received 75,378 law enforcement requests for customer data worldwide in 2012, but only disclosed customer content in just two percent of those cases.
“We’ve benefited from the opportunity to learn from them and their experience, and we seek to build further on the industry’s commitment to transparency by releasing our own data today,” wrote Microsoft’s general counsel, Brad Smith, in a blog posting on Thursday.
The report, which Microsoft said it plans to update every six months, covers all of Microsoft’s major online services — Hotmail, Outlook.com, SkyDrive, Xbox Live, Microsoft Account, Office 365 and Skype, although the Skype figures are reported separately in Thursday’s release.
Microsoft said the 75,378 total law enforcement requests it received for customer data potentially impacted 137,424 accounts.
“One law enforcement request could include the names of multiple users, and/or could include multiple accounts associated with a single user. For example one user could have multiple accounts – such as an Outlook.com E-mail account, an Xbox Gamertag, a Microsoft Account ID, or an Xbox serial number,” Microsoft noted in the report.
Excluding Skype, the company said it received 70,665 requests that impacted a potential 122,015 accounts. Law enforcement agencies in five countries — Britain, France, Germany, Turkey and the United States — accounted for 69 percent of these.
Microsoft said that in only 2.1 percent of cases, or 1,558 requests, did it disclose customer content, such as the subject line and body of an e-mail message or a picture stored on SkyDrive. Of those requests, “more than 99 percent were in response to lawful warrants from courts in the United States,” the company said.
The 14 disclosures of customer content given to governments outside the US went to Brazil, Ireland, Canada, and New Zealand.
“Non-content” data refers to things such as a person’s name, gender, e-mail address, country of residence or system-generated data such as IP address and traffic data. Of the 56,388 requests in which Microsoft (excluding Skype) disclosed some type of non-content information, more than 66 percent were from government agencies in the US, the UK, Turkey, Germany and France. For Skype, the top five countries were the UK, the US, Germany, France and Taiwan, which together accounted for 81 percent of all requests.
Excluding Skype, roughly 18 percent of the law enforcement requests resulted in the disclosure of no customer information, either because Microsoft rejected the request or because no customer data was found.
Microsoft said it received 4,713 law enforcement requests for Skype customer data that impacted 15,409 accounts or other identifiers, such as a PSTN number.
“Skype produced no content in response to these requests…but did provide non-content data, such as a SkypeID, name, email account, billing information and call detail records if a user subscribed to the Skype In/Online service, which connects to a telephone number,” Microsoft said.
Smith emphasized Microsoft’s support for both customer privacy and the need to comply with laws in the countries in which it operates.
“Microsoft is committed to respecting human rights, free expression, and individual privacy. We seek to operate all of the services we own in a manner that’s consistent with our Global Human Rights Statement and responsibilities as a member of the Global Network Initiative,” Smith wrote.
“Like every company, we are obligated to comply with legally binding requests from law enforcement, and we respect and appreciate the role that law enforcement personnel play in so many countries to protect the public’s safety.”
Smith noted that Microsoft requires a subpoena or legal equivalent before it will consider releasing a customer’s non-content data to any law enforcement agency, and a court order or warrant before it will consider releasing a customer’s content to law enforcement.
“We take a close look in each instance to ensure that the requests we receive for a customer’s information are in accord with the laws, rules and procedures that are applicable to requests for customer data and content.”