Whistleblowing site Cryptome has landed itself in trouble with Microsoft legal for publishing the software company's “Global Criminal Compliance Handbook.”
The handbook, dated March 2008, is a 22-page guide that describes the surveillance services Microsoft offers to law enforcement officials for its online services including Hotmail, Live Messenger and Xbox LIVE. The services include IP address disclosure, e-mail account registration records, stored e-mail records, account access records and in the case of Windows Live Spaces, owner (creator) information. For Xbox LIVE Microsoft retains the following:
- Credit card number
- Phone number
- First/last name with zip code
- Serial number of Xbox console if it has been used on Xbox LIVE
- Email account
- IP history for the lifetime of the gamertag
The document provides a unique insight into how personal data is provided to the relevant authorities. According to Geekosystem.com, who originally reported the leak, Cryptome have been taken offline by their host - Network Solutions. Microsoft reportedly sent a DMCA request to the hosts to remove the content. Cryptome is now inaccessible and fellow whistleblower site Wikileaks has offered to host the document. "We will host Cryptome on our multi-jurisdictional network-outside the US-if required,” said a Wikileaks spokesperson.
The case mirrors a similar leak where Microsoft's secret Computer Online Forensic Evidence Extractor (COFEE) leaked online in November 2009. COFEE is a forensics tool, approximately 15MB in size that fits on a USB drive for law enforcement officials to use in PC forensics.
Microsoft officials were unavailable for comment at the time of writing.
Update: Microsoft have now issued a statement:
“Like all service providers, Microsoft must respond to lawful requests from law enforcement agencies to provide information related to criminal investigations. We take our responsibility to protect our customers privacy very seriously, so have specific guidelines that we use when responding to law enforcement requests. In this case, we did not ask that this site be taken down, only that Microsoft copyrighted content be removed. We are requesting to have the site restored and are no longer seeking the document’s removal.”