Access Policy Counsel Fabiola Carrión contributed to this report.
Last week Microsoft released its first-ever transparency report, detailing its approach and response to law enforcement data requests worldwide.
This release comes after repeated inquiries from civil society, including recent scrutiny following the company’s acquisition of voice over IP platform Skype. In January, more than forty organizations (including Access) and sixty individuals signed an open letter to Microsoft demanding the company issue a transparency report for Skype detailing its obligations, practices, and disclosures. This letter was accompanied by significant media coverage.
The 2012 Law Enforcement Requests Report analyzes Microsoft and Skype data separately, for reasons detailed below. Together, Microsoft and Skype received a total of 75,378 law enforcement requests in 2012. Skype was the subject of only 4,713 of those requests; the remainder concerned other Microsoft products.
The raw numbers, broken down by country, shine a light on governments’ user data requests, a process that often impacts the privacy rights of users. With this report, Microsoft joins fellow technology service providers Google and Twitter in providing more transparency as to both how they share government data requests, and to how governments demand for user data.
The report separates Skype-related data from other Microsoft properties, such as Hotmail/Outlook.com, SkyDrive, Xbox LIVE, Microsoft Account, Messenger and Office 365. Microsoft explains this distinction as a result of separate corporate structures: Skype operates under the laws of Luxembourg and the European Union, and continues to process and record law enforcement requests differently than its corporate parent.
The Microsoft report provides further evidence that law enforcement data requests are truly an international issue. The new report lists 49 countries that requested Microsoft user data in 2012, and 56 countries that called for Skype user data. Microsoft attributes receiving ‘more requests’ and a ‘greater volume’ of requests than other companies to its presence in more than 100 countries worldwide.
Turkey tops the list of Microsoft data requests, with 11,434, but the country is not listed on the Skype chart. The U.S., United Kingdom, Taiwan, France, Germany, and Australia rank high on both charts.
Despite its scope of operations, Microsoft asserts that it “only disclose[s] data in 46 countries,” where the company has the ability to validate the lawfulness of the requests. As the report shows requests from 56 and 49 countries for Skype and Microsoft, respectively, it is possible requests from countries other than those 46 are processed through Mutual Legal Assistance Treaties (MLATs) or a similar process.
Compliance, lawfulness, and validation
In an FAQ accompanying the report, the company explains its definition of lawfulness, and provides further insight into its processes of validation. Microsoft largely follows due process standards, requiring that data requests abide by procedural laws and regulations. For example, law enforcement agents must submit an official and signed document that is specific in its request and that contains correct dates, addresses, and other material information.
For sensitive content data, of the sort created and stored by users in their email or storage accounts, Microsoft and Skype require a court order or warrant for the request to be considered ‘lawful.’ However, for ‘non-content’ or ‘subscriber/transactional’ data, including email addresses, location data, or IP addresses, Microsoft and Skype require only “an official, signed document… pursuant to local laws,” such as a subpoena.
Microsoft further describes its process of validation for English and non-English language requests. Requests from English-speaking countries are reviewed by the company’s compliance teams in the United States or Ireland. Requests from non-English speaking companies are first reviewed and ‘authenticated’ under ‘legal guidance’ in the originating country, and following determination of compliance with local law, the request is translated and further assessed via the Irish and American compliance teams.
In countries where Microsoft doesn’t disclose data, the report does not make it clear whether this is due to Microsoft’s lack of capacity, or because of insufficient laws, regulations, or government procedures. The absence of data limits our understanding of whether and how nations not listed may request data.
Rejections and unfulfilled requests
Last week’s report indicates the portion of government requests that were rejected for non-compliance, as well as those that failed to properly identify a user’s account and resulted in no data being shared.
Last year, the Microsoft compliance teams in charge of vetting government requests rejected 1.2% of non-Skype data requests for failing to meet legal requirements. A further 16.8% of non-Skype requests resulted in no data handover for the specific request as the company’s compliance team found no data related to the request or order in question.
For nearly one-quarter of U.S. requests for Skype data, the company was unable to find data for the username or other identifier, such as a telephone number, specified in the request. A non-trivial percentage of U.S. requests — 6.9% — failed to adequately meet legal requirements and were subsequently denied; this percentage was significantly higher than any other country.
It should be noted, however, that a failed request does not definitively mean no data was disclosed: Microsoft clarifies that it is “possible that law enforcement later submit a valid request for the same information.”
Content versus non-content data
In contrast to Google’s and Twitter’s Report, Microsoft’s reporting distinguishes between ‘content’ and ‘non-content’ user data. Although it is useful to understand the extent to which responses to data requests provide user-generated data versus user data, this distinction perpetuates a false binary of acknowledging the private nature of user-generated content, but underweighting the sensitivity of personally identifiable information.
The report indicates that ‘content’ data is rarely shared in comparison with other data: “Approximately 79.8% of requests to Microsoft resulted in the disclosure of only non-content information, and only a small number of law enforcement requests (2.2%) resulted in the disclosure of customer content.”
The report does not make clear the full scope of data that Microsoft counts as ‘content information.’ The report describes it as the “content that customers create, communicate, and store on or through their services” and cites examples like emails, photographs, and documents stored on Skydrive or Hotmail, descriptions applicable to core Microsoft services.
However, the company does not clarify what data is considered as ‘content’ data for Skype, such as audio or text conversation records, profile images, or status updates. Although Microsoft did not disclose any ‘content’ data for Skype in 2012, it is unclear whether this is because governments did not request this data, the company did not have access to this data, or what other mitigating factors might exist.
Access believes that all data, content and non-content, should be subject to the same lawful request standard: a court order or warrant. The aggregation of ‘non-content’ data can unearth much about person’s identity, whereabouts, and opinions–data that may place that person at risk by revealing personal political, social, or professional associations.
It is not clear whether Microsoft informs customers when their information has been accessed. The report only states that the company does not alert its customers when a request has been rejected, as it is possible that law enforcement will again request the information with a valid request. Given this preference towards law enforcement needs, it can be deduced that users are not notified of this request. We urge the company to reverse this practice and provide notification of all requests.
The report does not provide insight into the role of Mutual Legal Assistance Treaties (MLATs), a mechanism by which signatory countries agree to exchange information related to criminal or copyright investigations. For example, MLAT requests from foreign governments to the United States would be executed through the U.S. government, and listed as U.S. government requests. Access recently filed a FOIA request before the FBI and the Department of Justice to clarify what countries are using MLATs to request user data information from the United States.
Trends in transparency reporting
Microsoft becomes the second internet company after Google to release information about National Security Letters (NSLs), secret letters issued by the FBI to request information related to national security investigations. Microsoft reveals that the number of NSL requests (0-999) has decreased since it began collecting this type of information in 2009, although given the broad ranges cited, it’s unclear if this is a matter of a handful of fewer requests or hundreds of fewer requests. (NSLs were recently found to be unconstitutional in response to a 2011 EFF petition, though the decision has been stayed pending appeal.)
Overall, Access is heartened to see yet another major company take steps to publicly address its human rights impacts in a transparent way. Microsoft’s first report is an excellent addition to the mosaic of requests for user data. Its shortcomings only point to the need for wider industry standards on transparency reporting and due process requirements for accessing user data. Access will use Microsoft’s report as a benchmark for the transparency of other information and communications technology sector companies.