Microsoft details law enforcement requests in new report

Following similar disclosures from companies like Google and Twitter, Microsoft has for the first time released statistics about requests it has received from law enforcement agencies for data about its users, and the criteria it employs to decide how it will respond.

The company is seeking to build further on the industry's commitment to transparency by releasing its own data, Brad Smith, general counsel, said in a post on Thursday, which also links to the report.

Last year, Microsoft got 75,378 law enforcement requests for customer information, which potentially affected 137,424 accounts or other identifiers, according to Smith. All of its major online services are covered in the report, including Hotmail, Outlook.com, SkyDrive, Xbox LIVE, Office 365, as well as Skype.

In 2.1 percent of those cases, Microsoft disclosed what it refers to as customer "content," such as email text or stored photos. Recipients in more than 99 percent of these cases were law enforcement agencies in the U.S. that provided lawful warrants from courts, according to Smith.

However, in more than 56,000 cases Microsoft disclosed what it calls "non-content" data such as users' names, email addresses, IP addresses, country of residence and gender. In these cases, more than 66 percent of the data went to agencies in the U.S., U.K., Turkey, Germany and France. These non-content data disclosures don't include Skype.

Skype specifically received 4,713 requests from law enforcement, impacting 15,409 accounts or other identifiers, such as phone numbers. Skype provided no content in response to these requests, but it did provide non-content data, like SkypeIDs, names, email accounts, billing information and call detail records. For Skype, U.K., U.S., Germany, France and Taiwan accounted for 81 percent of all requests.

Microsoft will update its report every six months, according to Smith.

What Microsoft needs to disclose information

Microsoft said it requires a valid subpoena or legal equivalent before it considers releasing a customer's non-content data to a law enforcement agency. To consider disclosing actual customer content, it requires a court order or warrant.

"We take a close look in each instance to ensure that the requests we receive for a customer's information are in accord with the laws, rules and procedures that are applicable to requests for customer data and content," he wrote.

Subscribe to the Security Watch Newsletter

Comments