Microsoft got 37,196 law enforcement info requests in first half of 2013

In March, Microsoft released its firstĀ Law Enforcement Requests Report in an effort to be more transparent about how its customer information is used by outside agencies. The first such report covered all of 2012, with Microsoft stating they received a total of 75,378 law enforcement requests.

Today, Microsoft issued its second such report, covering requests for the first half of 2013. The post claims that Microsoft received 37,196 requests from law enforcement agencies that could have impacted as many as 66,539 accounts for the first six months of this year. Microsoft says those requests cover less than 0.01 percent of all of its customer accounts.

Microsoft said that nearly 21 percent of the requests resulted in no information being given to law enforcement authorities. Microsoft did disclose what it called "non content information" for 77 percent of the law enforcement requests in the first half of this year. Actual content disclosures to law enforcement groups covered just 2.19 percent of the requests. The vast majority of those particular orders, 92 percent, were from the U.S.

In August, Microsoft said it would move forward with litigation against the U.S. government to have the right to offer detailed information to the public on any account requests that involve the Foreign Intelligence Surveillance Act.

Source: Microsoft | Image via Microsoft

Report a problem with article
Previous Story

Microsoft to allow Windows 8, 8.1 apps to be installed on up to 81 devices on one account

Next Story

Microsoft to launch massive Xbox One preview tour in U.S. and Europe

12 Comments

Microsoft disclosed content in response to 2.2% of the total number of law enforcement requests received. Each of those disclosures was in response to a court order or warrant...

So information hosted by Microsoft is held to the same expectation of privacy that items in a safe in our house retains.

This is actually comforting to know.

Mobius Enigma said,

So information hosted by Microsoft is held to the same expectation of privacy that items in a safe in our house retains.

This is actually comforting to know.


Except for the big difference that cloud content is off-site. A stubborn person could refuse to comply with a warrant and not unlock a safe / decrypt a file. They'd be punished for it, but they could still theoretically throw a tantrum and refuse.

Now, many people think of their cloud content the same way--that they should be able to throw a tantrum and refuse to allow access. That is, that they should themselves be the final say in accessing content they've put on the internet.

This is a result of the way many people have never fully absorbed the fact that the internet isn't some abstract 'thing' floating in the ether, distinct from the physical world and without location. Data exists, physically, on objects, in places, and those places are usually not the user's property. This post will be stored in a database on privately-owned hardware, accessed over networks running on more hardware, and so on.

One of the hardest challenges of the internet is getting people to understand that they haven't created something independent of geography.

I don't accept any of the justifications for destroying the world's right too privacy. It's one thing to let people know up front their data is basically open to government and law enforcement as it pretty much is now, but what about all those years people actually thought their data was secure? MS is just part of all the rest that comply, not all have the luxury of standing their ground like lavabit. Nice they at least give some measure of the problem.

@Joshie: That's an interesting legal question you have there, "should user data stored in the cloud be considered the users or the hosts property?".

Unfortunely, legislators are always two steps back regarding information technology, so I guess that will be answered... eventually. And considering that it's a global thing, it's a clusterf***.

I think the answer to that is definitely the individual... The unfortunate part is that instead of treating it as such, government takes the "easy" rout and forces the company to give up such information.

It's kinda like asking dad if you can go outside after you've been grounded by your mom. You know dad's gonna let you go.

Joshie said,

Except for the big difference that cloud content is off-site. A stubborn person could refuse to comply with a warrant and not unlock a safe / decrypt a file. They'd be punished for it, but they could still theoretically throw a tantrum and refuse.
...

I agree with almost everything you said, but there are exceptions, specifically with regard to Microsoft.

At Microsoft, any user or cloud stored information is stored in a non-human readable/accessible data store that has several layers of encryption. With a final layer using your 'MS Account' GUID private key which your data is encrypted against.

This means that even a 'rouge' employee cannot view/open the data or perform queries against the data.

Everything is also not touchable, meaning that everything is handed off to a set of queues which go through several approval processes that also have time based locks.

There simply is no mechanism to get to the data, and even if the employee goes and gains physical access to the media, they still would need 30-300 billions years to crack all the encryption layers.

So even with a 'legal warrant' as an example, there is quite a set of procedures to gain access to a temporary set of keys to open/view a user's data.

Once Microsoft gets a legitimate information request, the process starts with a series of 'machine' queued requests, which initiates a separate request process that goes through additional employee approvals, that is passed along to another set of machine queues which needs another set of employee approvals with an even more complex set of protections that release the keys.

So after this entire process, what gets 'opened' is a set of temporary keys, that can be used to decrypt the account information. Which even has a 'time limit' of access, as the data is again encrypted with a new set of keys.


In contrast, Google doesn't have anything beyond 'employee' policies to protect data.

All user data stored at Google is human readable/accessible, as they freely admit.

This means that employees at Google can view/open any account and all the information inside. They can also run queries against all user stored data. Examples of how this might be used would be in detailed trend tracking or could be as specific to look for pictures or phrases typed into documents in GDrive/GDocs, which makes their access to data borderline illegal and somewhat dangerous. (An employee could do a query looking for trade secrets, stock information or even political leverage.)

So there are things to consider when using a cloud, I agree.

However, when using SkyDrive or Outlook or any Microsoft branded storage service, it is more secure than an printed document in a safe in your house. (Unless you have a safe that takes 30 billion years to crack and self destructs if there is an attempt to physically bypass the lock.)

PS - If that is still not enough encryption and protection, simply use Disk Management in Windows to create an encrypted VHD and put it on SkyDrive. Then the law enforcement officials will have to force you to open it, as Microsoft can't help them.

That's interesting information, and very detailed, but is there a source for where you're getting this?

I'm curious, because at work (a university office) we use Google Docs spreadsheets for putting in student worker's timesheet hours and what they did, and we use Google Docs for storing other internal-related stuff too for convenience. I've been distrustful of the service for awhile, but I can't recommend a switch to SkyDrive (or at least something away from Google Drive) without definitive proof that our information is less secure with them. Thanks.

There's no such thing as a right to privacy. You have a property rights but if your data is not on your property, that doesn't apply. Privacy is your responsibility and not your right. If you don't like someone looking in your window, you put up curtains.

Commenting is disabled on this article.