In its second announcement of the kind, Microsoft revealed today that it received more than 37,000 requests for information on customers of its Skype, Azure and other services from law enforcement agencies around the world.
The count does not include requests made using “National Security Letters” issued by the FBI or other U.S. federal agencies that have the force of a warrant or subpoena, albeit without the oversight or control provided by the courts that issue those sorts of orders.
Demands for information using National Security Letters can include customer names, addresses, phone-billing records and other metadata, and may include orders not to disclose that any such request was made. They typically cannot be used to demand access to the content of customer e-mails or other communications, including search terms, IP addresses or other details.
Microsoft is forbidden from revealing details of national-security orders, but can summarize those requests by listing the number of requests and type of data it provided.
During the first six months of 2013, Microsoft received 37,196 requests that covered a total of 66,539 customer accounts. The company refused to provide any information in response to 21 percent of those requests. It provided “non-content data” in response to 77 percent of the requests – non-content data usually includes information such as names or basic subscriber information rather than information on the content of messages or other details describing online activity of those customers.
In 2.19 percent of cases, however, Microsoft reports having provided “customer content data” – which includes the content of messages or data stored in accounts owned by Microsoft companies. Ninety-two percent of requests for customer content came from U.S. law-enforcement agencies.
Requests for Microsoft services other than Skype came from “a large number” of national law enforcement agencies, but 73 percent came from just five countries: The U.S., Turkey, Germany, the U.K. and France.
Seventy percent of requests for data from Skype came from the U.S., U.K., France and Germany.
Microsoft made a special effort to point out that only 0.01 percent of all Microsoft customer accounts were affected by law-enforcement requests. Even so, the number of requests covering consumer accounts dwarfed the number of business accounts. There were only 19 law-enforcement requests for information about Microsoft enterprise services such as Office 365; those requests affected approximately 48 different accounts.
Microsoft supplied customer-content data in response to four of those requests and provided non-content data in response to a fifth. “In all but one case, we were able to notify the customer” of the request and the response, according to the company. One of the 14 remaining requests is still pending; Microsoft supplied no information in response to the other 13 requests.
Microsoft, along with other tech vendors affected by National Security Letters and other requests from law enforcement agencies, is petitioning the U.S. government for permission to publish detailed information about the requests, including the agencies making those requests, the company’s response and the justification of the request itself.
So far those petitions have yielded no change in policy, leaving tech vendors able to provide only information on the volume of requests, not details about the nature of requests or content being sought.
“While we believe [aggregated data about requests for data] had some value in quantifying the overall volume of requests we received, it is clear that the continued lack of transparency makes it very difficult for the community—including the global community—to have an informed debate about the balance between investigating crimes, keeping communities safe, and personal privacy,” the company’s statement said.