Microsoft releases biannual digital trust reports

Microsoft has released its latest biannual digital trust reports on the Microsoft Reports Hub. These reports consist of the Law Enforcement Requests Report, U.S. National Security Orders Report and Content Removal Request Reports.  In light of passage of the CLOUD Act in the United States, for the first time the Law Enforcement Requests Report now includes a new category on the requests we received during the first half of 2018 from U.S. law enforcement for customer data stored in data centers outside of the United States. While the CLOUD Act offers important legal protections, we’ve argued strongly that more work needs to be done to create lasting legal frameworks to govern how governments seek digital evidence across borders.  We hope transparency on this issue will help move this important discussion forward. Whenever Microsoft receives a law enforcement request – from any government – we only disclose customer data in response to a legally valid warrant, order or subpoena about specific accounts or individual identifiers that we have reviewed and consider consistent with the rule of law and our Microsoft principles.

Apart from the addition of this new reporting category for customer data stored outside of the United States, the Law Enforcement Requests Report encompassing the period from January to June 2018 remains largely consistent with previous reports:

Requests for consumer data

  • During the first half of 2018, Microsoft received a total number of 23,222 legal requests related to our consumer services from law enforcement agencies around the world, which is a slight increase from the previous six-month period of 22,939 legal requests.
  • A majority of the law enforcement demands Microsoft received during this period continued to come from a handful of countries, including France, Germany, the United Kingdom and the United States.
  • Specific to United States law enforcement, Microsoft received 4,948 legal demands for data related to our consumer services. A small fraction of those demands, 133 court-issued warrants, sought content data stored in data centers outside of the United States. In only one case did Microsoft disclose enterprise content data stored outside the United States.

Requests for enterprise customer data

  • In the first half of 2018, Microsoft received 50 requests from law enforcement (U.S. and international) for data associated with enterprise cloud customers (defined as customers who purchased more than 50 seats).
    • Of these requests, 34 were from U.S. law enforcement and 16 were from other countries.
    • In 32 cases, these requests were rejected, withdrawn or law enforcement was successfully redirected to the customer to obtain the information they are seeking.
    • In 18 cases, Microsoft was compelled to provide some information in response to the order: 10 cases required the disclosure of some customer content and in eight of the cases we were compelled to disclose non-content information only.
    • As noted above, in only one case was Microsoft compelled to disclose to U.S. law enforcement enterprise content data stored outside the United States.

The U.S. National Security Orders, which encompass the period from July to December 2017, are largely consistent with the previous reports:

  • For the latest Foreign Intelligence Surveillance Act (FISA) data reported, Microsoft received 0 – 499 FISA orders seeking content disclosures affecting 12,500 – 12,999 accounts, which is unchanged from the previous period. We received 0 – 499 National Security Letters in the latest reporting period, which is also unchanged from the previous period.

The latest Content Removal Request Reports details acceptance rates regarding requests received from governments, copyright holders and individuals subject to the European Union’s “Right to be Forgotten” ruling, and victims of non-consensual pornography.

We believe transparency is an important part of building trust in technology. The information contained in these reports is intended to help our customers understand how Microsoft responds to government requests for data as well as requests for content removal.  Please visit our Data Law website for more information about Microsoft’s principles, policies and procedures for responding to government requests for data.