The total number of law enforcement requests for Microsoft's customers' information was lower in 2014 than in 2013, but Microsoft said "transparency is not enough" in our changing world.
"We need commitments that governments will not hack technology companies to access data outside the legal process," wrote Microsoft Deputy General Counsel John Frank when Microsoft published its bi-annual transparency report. "Efforts to hack technology companies have undermined confidence in the security and privacy of online communications. It's time for the executive branch to end its silence on this practice that first came to light more than a year ago."
Regarding Microsoft's law enforcement request transparency report, the company received 31,002 requests between July and December 2014, making 65,496 the total for 2014. That was down from 72,279 total requests in 2013. "The number of law enforcement requests we rejected for not meeting legal requirements more than doubled from 2013 to 2014. In 2013, we rejected 2,105 requests; in 2014, we rejected 4,379 requests."
Other "key findings" pointed out by Frank included:
Of the data provided to law enforcement, 3% was content customers created, shared or stored on our services, such as email. Before we will consider providing this content to law enforcement, we require a court order or a warrant.
The remaining 97% of data disclosed was non-content data. This is basic subscriber data, such as email address, name, state, country, ZIP code and IP address captured at the time of registration.
Microsoft said, "Requests from law enforcement agencies in five countries, France, Germany, Turkey, the United Kingdom and the United States, made up 70% of all requests in the second half of 2014." So let's look at those countries.
Surprise, or not so much at all, law enforcement requests were highest for the U.S., with 5,445 requests that affected 13,101 accounts. 16.1% of those were rejected, 12.6% included disclosed content, there was no data found for 15.2%, and 56.1% pertained to "only subscriber/transactional data."
The UK had the second highest number with 4,518 requests affecting 8,034 user accounts. Microsoft rejected 9.8% of law enforcement requests.
For Germany, Microsoft received 4,192 requests targeting 7,629 users; 5.7% were rejected.
For France, Microsoft received 4,546 requests which specified 6,851 total user accounts; 6.2% were rejected.
Microsoft noted modified laws in Turkey that allowed a "brief period" of 3,039 law enforcement requests sent to Microsoft. 3,328 users were affected and 0.2% of the requests were rejected.
National Security Orders transparency report
"In the 14 months since the government agreed to greater transparency for reporting national security orders, we've seen new threats emerge around the globe," Frank added. "We're also seeing officials around the world try to limit security measures such as encryption without making progress on the stronger legal protections that people deserve. The bottom line is that while governments only request data on a very small fraction of our customers, governments are seeking to alter the balance between privacy and public safety in a way that impacts everyone."
Microsoft and other tech firms are allowed to report only limited information regarding governmental demands for customer data through national security orders. Regarding National Security Letters (NSLs) Microsoft received between July and December 2014, 0-999 were "orders seeking disclosure of only non-content" and 0-999 accounts were impacted by non-content orders.
Foreign Intelligence Surveillance Act requests are required to be reported on a six-month delay. From January to June 2014, 19,000-19,999 accounts were impacted by FISA orders seeking content; of those 0-999 orders sought the disclosure of only non-content and 0-999 accounts were impacted by non-content orders.
Frank called three steps "especially critical" in 2015 to increase transparency and accountability for governments and companies: reform government surveillance; clarify "international law when it comes to law enforcement accessing data abroad. There is a growing interest by some governments to reach across borders to access customer data." That's an especially touchy one for Microsoft which has been fighting a U.S. court order that demanded Microsoft release user data from its data center based in Ireland. Governments must also commit to not hacking tech companies in order to get its hands on data.
Although Microsoft said "there are times when law enforcement authorities need to access data to protect the public," the company believes "that access should be governed by the rule of law, and not by mandating backdoors or weakening the security of our products and services used by millions of law-abiding customers."