News

Microsoft Releases Details on Government Surveillance Requests

A report released by Microsoft this week lists six months' worth of requests from global law enforcement agencies for information on customers' online services use.

The new report, the first from Microsoft in 2013, covers the period between January and June of this year. It doesn't include national security requests, such as requests issued via the U.S. Foreign Intelligence Surveillance Court. Microsoft reported aggregate data, omitting specific details.

Overall, there were 37,196 requests from law enforcement agencies around the world in the first six months of this year, but those requests "potentially" affected 66,539 accounts, according to Microsoft's report. Requests regarding Microsoft's services came most frequently from the U.S. government (7,014), followed by Turkey (6,226), Germany (5,185), the United Kingdom (4,404) and France (4,379). In stark contrast, China and Russia had three requests apiece during the six-month period.

U.S. law enforcement requests January to June, 2013
U.S. law enforcement requests from January to June, 2013. Source: Microsoft Law Enforcement Requests Report.

Most of the requests concerned the use of Microsoft's consumer services, such as Outlook.com, SkyDrive, Messenger and Skype. However, the requests also tapped Microsoft account sign-up information, which is used to access various Microsoft services. Users of Microsoft account are tracked by a "personal user ID, which is a unique alpha-numeric code generated for each registered Microsoft account," Microsoft explained. This so-called "non-content information" contains information such as the user's log-in ID, name, state, country, IP address and gender.

Requests specifically affecting Microsoft's business customers were few. There were "19 requests for enterprise customer data" regarding hosted e-mail accounts during the time period, according to the report.

Most of the requests were for non-content information. Microsoft claims it requires "a court order or warrant before we will consider disclosing content to law enforcement." Microsoft actually disclosed customer content in response to 10.7 percent of U.S. law enforcement requests for content during the six-month period.

The report also listed approximate numbers in response to past FBI-issued National Security Letters, which are purportedly issued for terrorism or intelligence cases. Microsoft responded to National Security Letter requests ranging between 0 and 999 in 2012, for instance. Microsoft also responds to so-called "emergency requests," which are cases such as possible kidnappings or suicide attempts. The United Stated led in those request at 87 requests during the six-month period.

Microsoft's disclosure reports don't reveal much, but are of greater interest now given recent events. Microsoft and other service providers joined the National Security Agency's PRISM program as early as 2007, as disclosed this year by whistle-blower Edward Snowden. PRISM allows NSA agents to simply tap service provider networks, according to Snowden, which all of the service providers deny. Following that publicity, Microsoft and other service providers filed a petition to the U.S. government in September seeking permission to disclose the number of FISA Court requests it receives.

The U.S. government hasn't budged much. Microsoft was given an exception last year by to publish aggregate data about national security requests from July 2012 through Dec. 2012. However, that exception seems to have been a one-shot arrangement as those statistics are missing from this 2013 report.

U.S.-based companies such as Microsoft are trying to promote the cloud, but can't guarantee much given recent NSA spying revelations. And that circumstance has shattered trust among some potential users. Microsoft first began issuing its law enforcement agency request reports in March.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.