When transparency alone isn’t enough

Today, we are publishing our bi-annual Law Enforcement Requests Report and U.S National Security Order Report. These reports detail the long-held policies Microsoft follows for responding to requests, the number of requests Microsoft has received for customer information from law enforcement agencies around the world, how Microsoft responded to those requests, and aggregated data on national security related data requests Microsoft received from the U.S. government.

The Law Enforcement Requests Report published today covers the period from July to December 2014. The U.S. National Security Order Report provides information on National Security Letters we received for the same period as well. It also includes requests made under the Foreign Intelligence Surveillance Act from January through June 2014. (FISA court orders are subject to a six-month reporting delay.)

While we saw little change from the proceeding period in the overall number of law enforcement and government requests for Microsoft customer data, the world around us continues to change.

In the 14 months since the government agreed to greater transparency for reporting national security orders, we’ve seen new threats emerge around the globe. We’re also seeing officials around the world try to limit security measures such as encryption without making progress on the stronger legal protections that people deserve. The bottom line is that while governments only request data on a very small fraction of our customers, governments are seeking to alter the balance between privacy and public safety in a way that impacts everyone.

As we have said before, there are times when law enforcement authorities need to access data to protect the public. However, that access should be governed by the rule of law, and not by mandating backdoors or weakening the security of our products and services used by millions of law-abiding customers. This should concern all of us.

Greater transparency should inspire a more informed conversation on the public policies that balance national security and protect our fundamental values. There are many paths forward that would increase transparency and accountability for governments and companies. These three steps are especially critical this year:

  • We must reform government surveillance. Outdated laws don’t keep the public safe or privacy strong. We support reforming the Electronic Communications Privacy Act (ECPA) and other proposals like the USA Freedom Act, which we believe increase protections for our customers and improve transparency.
  • We need clarity on international law when it comes to law enforcement accessing data abroad. There is a growing interest by some governments to reach across borders to access customer data. We need new agreements that will enable the rule of law to work more routinely across national borders, in a way that protects individual privacy and respects human rights. The LEADS Act, recently introduced in the both chambers of Congress, would take a step forward in the right direction. We also proposed a detailed framework for a transatlantic agreement that could resolve some of the most pressing questions about how we can balance public safety and individual privacy in a way that makes all of us stronger.
  • We need commitments that governments will not hack technology companies to access data outside the legal process. Efforts to hack technology companies have undermined confidence in the security and privacy of online communications. It’s time for the executive branch to end its silence on this practice that first came to light more than a year ago.

These issues are difficult, but we believe they are surmountable. We should approach these challenges with a sense of urgency – a sense that this is the year to move forward in ways that strike a more effective balance between public safety and privacy for all of us.

Here are some of the key findings from the report:

  • The total number of law enforcement requests received from July to December 2014 was 31,002, bringing to the total for the year to 65,496. That’s down slightly from 2013, when requests totaled 72,279.
  • Of the data provided to law enforcement, 3 percent was content customers created, shared or stored on our services, such as email. Before we will consider providing this content to law enforcement, we require a court order or a warrant.
  • The remaining 97 percent of data disclosed was non-content data. This is basic subscriber data, such as name, email address, email address, name, state, country, ZIP code and IP address captured at the time of registration country, and IP address at the time of registration.
  • The number of law enforcement requests we rejected for not meeting legal requirements more than doubled from 2013 to 2014. In 2013, we rejected 2,105 requests; in 2014, we rejected 4,379 requests.
  • Requests from law enforcement agencies in five countries, France, Germany, Turkey, the United Kingdom and the United States, made up 70 percent of all requests in the second half of 2014.

To stay up to date on our continued commitment to transparency, we encourage you to follow us on Twitter: @MSFTPrivacy.

Tags: , , , ,