Microsoft, Stool Pigeon for the Cops and FBI

I've got my hands on a copy of the leaked, confidential Microsoft "Global Criminal Compliance Handbook," which details for police and intelligence services exactly what information Microsoft collects about users of its online services, and how they can be accessed. What is gathered and available about you is quite comprehensive, including your emails, detailed information about when you sign in and use the services, credit card information, and so on.

The handbook was first leaked by the whistleblowing site Cryptome. Microsoft asked that the document be removed from the site, under the Digital Millennium Copyright Act. The site was instead shut down, and as I write this, it is in the process of being restored.

The handbook is available at the Wikileaks site. That's where I got it, after unsuccessfully trying to get it via BitTorrent networks. In a statement, Microsoft said that it is no longer trying to have the document removed, so it may soon be available elsewhere.

The report, published in March 2008, is labeled "U.S. Domestic Version," which makes one wonder whether there's also a version available for U.S. agencies that operate primarily overseas and for foreign governments. But I don't know whether such a document exists. Also, the document may have been superseded by a later one, although I don't know that, either.

The handbook details exactly how police and intelligence agencies can get the information, including where to serve legal process, and how to make emergency requests for the information. It notes, for example:

"Microsoft Online Services will respond to emergency requests outside of normal business hours if the emergency involves "the danger of death or physical injury to any person…" as permitted in 18 U.S.C. § 2702(b)(8) and (c)(4). Emergencies are limited to situations like kidnapping, murder threats, bomb threats, terrorism threats, etc. If you have an emergency request, please call the law enforcement hotline at (425) 722-1299."

The report describes what information is available from Microsoft Online services for police and ingelligence services, including:

E-mail Services

Authentication Service: Windows Live ID

Instant Messaging: Windows Live Messenger

Social Networking Services: Windows Live Spaces & MSN Groups

Custom Domains: Windows Live Admin Center & Office Live Small Business

Online File Storage: Office Live Workspace & Windows Live SkyDrive

Gaming: Xbox Live

What's available is the actual content of your communications --- for example, copies of your emails --- as well as other information, such as your connection history and associated data that you provided to Microsoft during the registration process. The document spells out, in exacting detail,what is available for law enforcement and intelligence agenies. For example, here's an excerpt that details what emails are available from people who are MSN Premium subscribers:

Stored E-mail Records for MSN Premium Customers:

Microsoft's systems only store the e-mails a user has elected to maintain in the account. Therefore, the only e-mails provided in response to legal process seeking stored e-mail content will be the e-mails stored in the "Folders on MSN" section of a user's account.

Be aware that users may also store e-mail content on their computer's hard drive. Microsoft will not be able to disclose e-mail content stored on a user's computer --- only e-mail content stored on Microsoft's e-mail servers.

The document also gives advice and tips to law enforcement and intelligence agencies about how to understand the information that Microsoft provides. Several pages, for example, are devoted to helping agencies understand how to interpret information about Windows Live ID log-ins, showing, for example, when people log in and out, IP address history, and so on.

Subscribe to the Today in Tech Newsletter

Comments