Forums - Microsoft Discussion - Microsoft Legal Memo: Responding to government legal demands for customer data

Today we have asked the Attorney General of the United States to personally take action to permit Microsoft and other companies to share publicly more complete information about how we handle national security requests for customer information. We believe the U.S. Constitution guarantees our freedom to share more information with the public, yet the Government is stopping us. For example, Government lawyers have yet to respond to the petition we filed in court on June 19, seeking permission to publish the volume of national security requests we have received. We hope the Attorney General can step in to change this situation.

Until that happens, we want to share as much information as we currently can. There are significant inaccuracies in the interpretations of leaked government documents reported in the media last week. We have asked the Government again for permission to discuss the issues raised by these new documents, and our request was denied by government lawyers. In the meantime, we have summarized below the information that we are in a position to share, in response to the allegations in the reporting:

Outlook.com (formerly Hotmail): We do not provide any government with direct access to emails or instant messages. Full stop. Like all providers of communications services, we are sometimes obligated to comply with lawful demands from governments to turn over content for specific accounts, pursuant to a search warrant or court order. This is true in the United States and other countries where we store data. When we receive such a demand, we review it and, if obligated to, we comply. We do not provide any government with the technical capability to access user content directly or by itself. Instead, governments must continue to rely on legal process to seek from us specified information about identified accounts.

Not surprisingly, we remain subject to these types of legal obligations when we update our products and even when we strengthen encryption and security measures to better protect content as it travels across the Web. Recent leaked government documents have focused on the addition of HTTPS encryption to Outlook.com instant messaging, which is designed to make this content more secure as it travels across the Internet. To be clear, we do not provide any government with the ability to break the encryption, nor do we provide the government with the encryption keys. When we are legally obligated to comply with demands, we pull the specified content from our servers where it sits in an unencrypted state, and then we provide it to the government agency.

Cutting through the technical details, all of the information in the recent leaked government documents adds up to two things. First, while we did discuss legal compliance requirements with the government as reported last week, in none of these discussions did Microsoft provide or agree to provide any government with direct access to user content or the ability to break our encryption. Second, these discussions were instead about how Microsoft would meet its continuing obligation to comply with the law by providing specific information in response to lawful government orders.

SkyDrive: We respond to legal government demands for data stored in SkyDrive in the same way. All providers of these types of storage services have always been under legal obligations to provide stored content when they receive proper legal demands. In 2013 we made changes to our processes to be able to continue to comply with an increasing number of legal demands from governments worldwide. None of these changes provided any government with direct access to SkyDrive. Nor did any of them change the fact that we still require governments to follow legal processes when requesting customer data. The process used for producing SkyDrive files is the same whether it is for a criminal search warrant or in response to a national security order, in the United States or elsewhere.

Skype Calls: As with other services, we only respond to legal government demands, and we only comply with orders for requests about specific accounts or identifiers. The reporting last week made allegations about a specific change in 2012.  We continue to enhance and evolve the Skype offerings and have made a number of improvements to the technical back-end for Skype, such as the 2012 move to in-house hosting of “supernodes” and the migration of much Skype IM traffic to servers in our data centers. These changes were not made to facilitate greater government access to audio, video, messaging or other customer data.  Looking forward, as Internet-based voice and video communications increase, it is clear that governments will have an interest in using (or establishing) legal powers to secure access to this kind of content to investigate crimes or tackle terrorism. We therefore assume that all calls, whether over the Internet or by fixed line or mobile phone, will offer similar levels of privacy and security.  Even in these circumstances Microsoft remains committed to responding only to valid legal demands for specific user account information. We will not provide governments with direct or unfettered access to customer data or encryption keys.

Enterprise Email and Document Storage: If we receive a government demand for data held by a business customer, we take steps to redirect the government to the customer directly, and we notify the customer unless we are legally prohibited from doing so. We have never provided any government with customer data from any of our business or government customers for national security purposes. In terms of criminal law enforcement requests, we made clear in our Law Enforcement Requests Report that throughout 2012 we only complied with four requests related to business or government customers.  In three instances, we notified the customer of the demand and they asked us to produce the data.  In the fourth case, the customer received the demand directly and asked Microsoft to produce the data. We do not provide any government with the ability to break the encryption used between our business customers and their data in the cloud, nor do we provide the government with the encryption keys.

In short, when governments seek information from Microsoft relating to customers, we strive to be principled, limited in what we disclose, and committed to transparency. Put together, all of this adds up to the following across all of our software and services:

Microsoft does not provide any government with direct and unfettered access to our customer’s data. Microsoft only pulls and then provides the specific data mandated by the relevant legal demand.

If a government wants customer data – including for national security purposes – it needs to follow applicable legal process, meaning it must serve us with a court order for content or subpoena for account information.

We only respond to requests for specific accounts and identifiers. There is no blanket or indiscriminate access to Microsoft’s customer data. The aggregate data we have been able to publish shows clearly that only a tiny fraction – fractions of a percent – of our customers have ever been subject to a government demand related to criminal law or national security.

All of these requests are explicitly reviewed by Microsoft’s compliance team, who ensure the requests are valid, reject those that are not, and make sure we only provide the data specified in the order. While we are obligated to comply, we continue to manage the compliance process by keeping track of the orders received, ensuring they are valid, and disclosing only the data covered by the order.

Microsoft is obligated to comply with the applicable laws that governments around the world – not just the United States – pass, and this includes responding to legal demands for customer data. All of us now live in a world in which companies and government agencies are using big data, and it would be a mistake to assume this somehow is confined to the United States. Agencies likely obtain this information from a variety of sources and in a variety of ways, but if they seek customer data from Microsoft they must follow legal processes.

The world needs a more open and public discussion of these practices. While the debate should focus on the practices of all governments, it should start with practices in the United States. In part, this is an obvious reflection of the most recent stories in the news. It’s also a reflection of something more timeless. The United States has been a role model by guaranteeing a Constitutional right to free speech. We want to exercise that right. With U.S. Government lawyers stopping us from sharing more information with the public, we need the Attorney General to uphold the Constitution.

If we do receive approval to share more information, we’ll publish it immediately.

http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/07/16/responding-to-government-legal-demands-for-customer-data.aspx




It's so sad that people will not listen to this. Yes even the mighty Sony and Nintendo HAVE to do the same. Some sad pathetic media (The Guardian) again decides to twist shit and make crap up.

Poor Guardian if Microsoft sues. ROFL.

wick said:

I love the pic.

But expected nothing less of a reaction on this site. Everything Microsoft have said here Sony and Nintendo HAVE to do also. HAVE TO. It's the law in certain countries.



I can't blame the majority, if they have doubts. Usually big corporations are in bed with the Government in more ways than one.

But in truth, any business establishment will be caught between a rock and a hard place with this one.

Share your data with the Governments and you will have the ire of the consumer. Do not share your data and the Government will be breathing down your neck when they get the chance. There is no win-win here, whatever your stance is.



The funny thing is people think only MS can share info on customers... like other companies can't, Sony, Apple, Samsung etc... funny how the internet people work, logic am fail!

THERE IS NO NOT SHARING WITH THE GOVERNMENT.... Jesus effing Christ god damn.... when will people realize you DON'T and CAN'T say go fuck yourself to legal government request....

if X country ask legally Y information to Z company.... they comply PERIOD....

what MS just published was evident and anybody that is not a fool knows that it is a microfraction of the data they have in storage that has been shared.... it's not like they send out 2000 request a day and even if they did it would take them decades to use them.....

“Conspiracy theories appear to be a way of reacting to uncertainty and powerlessness” where the human brain jumps into “analytical overdrive … in an attempt to create a coherent and understandable narrative.”

that's what all those tards on the interweb have been up to lately

http://www.nytimes.com/2013/05/26/magazine/why-rational-people-buy-into-conspiracy-theories.html?_r=0

The NSA would have hammered on MS first and most, because they are the biggest, but there would be no way for MS to tell them to take a hike.

wick said:

That's a strong, compelling, intelligent and considered response you have there.



If Sony and Nintendo are also doing it, it doesn't make it okay for Microsoft. In that case it's a major fuck up from all three. But I didn't hear anything about involvement from Japanese companies in PRISM. And why should they? I can understand the US government has American companies on the balls, so Microsoft more or less can't do anything about it. But the US do not control the whole world. They showed us time and time again that they would really like to. But they still don't.