ALM Properties, Inc.
Page printed from: Corporate Counsel
Select 'Print' in your browser menu to print this document.
Microsoft Reveals Law-Enforcement Requests for Customer Data
Microsoft has now joined Google and Twitter by releasing for the first time information on law enforcement requests for customer data. And general counsel Brad Smith had a lot to say about that.
Last week, Microsoft published its 2012 Law Enforcement Requests Report, breaking down by country the 75,378 requests that potentially affected 137,424 accounts. The entire report covers Microsoft services such as Hotmail, Outlook.com, Xbox LIVE, and Office 365, and includes a separate breakdown for requests related to Skype, which Microsoft acquired in 2011.
In recent months, there has been broadening public interest in how often law enforcement agencies request customer data from technology companies and how our industry responds to these requests, Smith wrote in a lengthy blog post accompanying the report. Google, Twitter and others have made important and helpful contributions to this discussion by publishing some of their data.
Google first published its Transparency Report in 2010, and Twitter began to do so last July. Earlier this year, an initiative made up of Internet privacy advocates petitioned Microsoft to follow suit.
Microsoft took the unique step of disclosing details about what kind of information it provided to law enforcement in each country whether it was content data, like the body of an email, or non-content data, which can include a persons name, email address, country of residence, or IP address.
Smith was particularly interested in analyzing that data with various Microsoft teams. While transparency is definitely valuable, its also important to step back when reports like this are released and ask what the data actually show, wrote the GC, who was recently named one of the 100 most influential lawyers in the U.S. by The National Law Journal, a CorpCounsel.com sibling publication.
So what struck Smith as the most significant themes in the report? First, he said, is how very few [law enforcement requests] actually result in the disclosure to these agencies of customer content… Only 2.1 percent, or 1,558 requests, resulted in the disclosure of customer content.
Next on Smiths list is looking at the governments to whom Microsoft disclosed customer content. Theres mainly just one:
Of the 1,558 disclosures of customer content, more than 99 percent were in response to lawful warrants from courts in the United States, Smith said. In fact, there were only 14 disclosures of customer content to governments outside the United States. Those disclosures were made to governments in Brazil, Ireland, Canada, and New Zealand.
When it came to providing non-content data to law enforcement, Microsoft primarily made disclosures to a handful of countries. Among 56,388 cases (excluding Skype) where Microsoft disclosed non-content information, more than 66 percent of these were to agencies in only five countries, Smith notes. These were the U.S., the United Kingdom, Turkey, Germany and France.
According to the report, law enforcement in 49 countries requested Microsoft customer information. The list of countries that produced the highest volume of requests in 2012 includes: Turkey (11,434 requests); the U.S. (11,073); France (8,603); Germany (8,419); Taiwan (4,381); Australia (2,238); and Brazil (2,214).
Microsoft doesnt always provide customer information in response to a request, Smith pointed out. Roughly 18 percent of the law enforcement requests (again, excluding Skype) resulted in the disclosure of no customer information in any form, he said, either because Microsoft rejected the request or because no customer information was found.
Microsoft may reject a law enforcement request, according to an explanation on the companys website, if it is not signed or appropriately authorized, contains the wrong dates, is not properly addressed, contains material mistakes or if it is overly broad. The company rejected requests for not meeting legal requirements in 1.2 percent of requests, according to the new report.
In a nod to his in-house counsel peers, Smith also addressed how Microsoft prefers to handle government requests for data on business account-holders.
In general, we believe that law enforcement requests for information from an enterprise customer are best directed to that customer rather than a tech company that happens to host that customers data, Smith said. That way, the customers legal department can engage directly with law enforcement personnel to address the issue.
Out of 11 requests for data on its business customers last year, we either rejected or were successful in redirecting seven of these 11 requests, Smith wrote. In the four cases where Microsoft did disclose some business customer information, Smith said Microsoft either obtained the customers consent before complying, or we disclosed the information pursuant to a specific contractual arrangement to process such requests on behalf of the customer.
Smith said that Microsoft plans to update the report every six months, and that the company will standardize the law enforcement statistics retained by Skype in future reports.