Microsoft Opens Up About Protecting Data Privacy in the Cloud
- By Kurt Mackie
- June 08, 2016
Microsoft gets an average of 70,000 requests a year from governments worldwide that are seeking information about Microsoft's business and consumer customers.
That information comes from Nate Jones, senior attorney for the legal and corporate affairs group at Microsoft. Jones took part in a Microsoft-produced Web presentation on Tuesday called "Technology, Privacy and Public Safety: When Worlds Collide." As part of the presentation, Microsoft fielded several questions about how its legal team looks at data privacy issues for its cloud services customers in cases where governments are seeking information.
Typically, governments are not targeting businesses with these requests, but consumer users of Microsoft's free services, according to a FAQ in Microsoft's "Law Enforcement Requests Report":
As our law enforcement requests reports have shown, the overwhelming majority of law enforcement requests seek information related to our free consumer services. By comparison, we have received very few law enforcement requests for data associated with use of our commercial services by our enterprise customers.
Microsoft publishes that report twice a year, showing law enforcement request data in aggregate, without identifying individuals or organizations. It also puts out a "U.S. National Security Orders Report," although what's published is even more generalized and obscure.
Few Business Requests
Government requests for business customer information are a small part of the total. Jones suggested that Microsoft gets about 12 requests a year.
"We get 70,000 total for all of our services and when you talk about our commercial services that we offer to large enterprises, medium enterprises, I think the rough numbers are about a half a dozen every six months," Jones said.
In most cases, Microsoft asks the government to take its request directly to the business entity. Alternatively, Microsoft may outright reject improper requests.
There's less of a legal means to protect consumers, though. Here's how Microsoft's legal team responded to a question about whether consumers get the same privacy protections from Microsoft as business customers:
We have a set of principles that guide our responses to government demands irrespective of whether the user is an individual consumer or enterprise customer. There are, however, some practical differences. For example, when it comes to redirecting the government to obtain the information from our customer, we are often successful in the enterprise realm, since the government can go to the company's legal department without compromising the investigation. When it comes to individual consumers, it is often not possible to do that.
Jones later explained that if a government has obtained a search warrant, then they likely are concerned that the customer will destroy evidence if they become aware of the investigation. The search warrant "essentially allows them to go into the business' premises and literally unplug the servers and take them away," he said, adding that "there's really no difference between when you are in the cloud and when your data is on premise in terms of what the government can do to you and your ability to oppose that."
Search Warrants vs. Subpoenas
Essentially a search warrant is a criminal investigatory tool implying that the customer has committed some criminal activity that the government has jurisdiction over, Jones explained. Subpoenas, in contrast, generally involve less oversight than search warrants, although there are different kinds of subpoenas.
"Generally speaking...if you are talking about a grand jury subpoena, the authority is overseen by the court through the grand jury, but really you're talking about a prosecutor pulling subpoenas out of their desk and signing them and sending them out," Jones said. "That's typically the legal process they use when they want to investigate one of our commercial customers."
All subpoenas come to a centralized location at Microsoft, and any request for a commercial customer's data is automatically escalated to Jones and another attorney for legal review. "We only disclose customer data in a commercial context when legally required to do so," Jones said. Microsoft can't voluntarily disclose the information unless it has customer consent, he added.
In the United States, the government is required to get a search warrant when it wants to get e-mail content or other content that's stored on Microsoft's servers and belongs to its customers. And it has to go to a judge in a district court to demonstrate probable cause that the information was used to commit a crime or contains evidence of a crime before the judge will issue the search warrant, Jones explained.
The government can actually take data using a search warrant, explained Neal Suggs, vice president and associate general counsel at Microsoft Corp., during the talk. He asked Jones if a subpoena also could be used to obtain customer data.
Jones said that basic subscriber information is essentially all governments can get with a subpoena.
Microsoft Fighting Gag Orders
Microsoft's business customers mostly just want to know about the government requests, Jones said. Microsoft has adopted a couple of approaches in response. It's committed to notifying its customers of the requests for their data "unless we are legally prohibited from doing so," he said, likely referring to U.S. PATRIOT Act restrictions. "There are laws on the books that allow the government to prohibit us from notifying the customer," Jones explained.
Microsoft's position is that it has free speech rights as a corporate citizen and is fighting such government gag orders, having filed a case to that effect back in April. Microsoft generally contests gag orders in court and also pushes back informally, Jones said. Sometimes governments have backed down and let Microsoft notify its customers about the requests for data. Microsoft's position is that "gag orders are appropriate in some cases, but the government needs to have the facts to justify it," Jones said. Gag orders should be the exception and not the rule, he added.
Jones said that Microsoft picks legal fights when it needs clarity on what the law allows. One example along those lines is its Dec. 2013 Ireland warrant case, where the U.S. government was seeking information from an Outlook.com customer whose data were stored in Ireland.
"We said U.S. courts can't issue search warrants for homes in Ireland, [so] why is data different?" Jones explained. Warrants are needed to get such data, but warrants are territorially limited. This case is currently before the Second Circuit Court of Appeals, he said, adding, "We like our chances."
Microsoft also backed Apple when it resisted FBI requests to decrypt an iPhone associated with an alleged terror attack. The primary driving force in the Apple case was that the government was relying on a law that was last updated in 1911, according to Jones. The U.S. law that covers stored communications, called the "Stored Communications Act," is actually pretty good, Jones said, but it was passed in 1986. Jones contended that laws regarding unlocking phones should be made by policy makers, not courts interpreting 100-year-old laws.
Microsoft's legal team was asked during the talk about how its approach might apply to other countries' legal systems besides the U.S. legal system, such as the one in the United Kingdom. The team suggested it's a somewhat similar process for those located outside the United States:
Many countries have similar legal authorities, but not all of these countries have jurisdiction over Microsoft and/or the data. If they lack jurisdiction, we would not be legally required to disclose the information, and would require the country to go through appropriate international processes to obtain the cooperation of a government that does have jurisdiction over Microsoft and/or the data.
Perhaps that's somewhat reassuring following revelations about massive "Five Eyes" spying worldwide, as disclosed in secret U.S. documents made public by whistle-blower Edward Snowden. Certainly, big money is at stake for U.S.-based Microsoft. It has a monetary interest in ensuring that concepts like "data sovereignty" and legal transparency get respected by governments around the globe.
All told, Microsoft had "more than 100 globally distributed datacenters" and other facilities in place, as of June 2015, to deliver its hosted services. That infrastructure supports consumer services, Office 365 services and Microsoft Azure services. It has 32 Azure regions worldwide, with new expansions taking place in Canada and Seoul, South Korea. Those investments total $15 billion worldwide, Microsoft recently explained. It's building undersea infrastructure to support its cloud infrastructure, too.
And, of course, it's got a few lawyers to help things along the way.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.