Risk
3/22/2013
11:05 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Microsoft Reports On Patriot Act Data Requests

Following Google's lead, Microsoft releases statistics on government requests for user information.

Office 2013: 10 Questions To Ask
Office 2013: 10 Questions To Ask
(click image for slideshow)
Microsoft on Thursday revealed for the first time statistics related to law enforcement requests for user data. Following similar disclosures by Google, the information adds new wrinkles to ongoing debates among lawmakers, intelligence agencies and the public regarding how to best balance national security concerns, civil liberties and transparency.

"Like others in the industry, we believe it is important for the public to have access to information about law enforcement access to customer data, particularly as customers are increasingly using technology to communicate and store private information," Microsoft said in a statement. In a blog post, Redmond general counsel and EVP of legal and corporate affairs Brad Smith stated the report would be updated every six months.

Microsoft received just over 11,000 requests from the U.S. government for user data in 2012, and more than 70,000 from governments and law enforcement agencies worldwide. In nearly 80% of total cases, the software giant complied by delivering limited data such as an account holder's name, gender or email address. Redmond provided more substantive content, such as email subject headings, in response to just over 2% of requests. Smith wrote that less than 0.02% of Microsoft customers "were potentially affected by law enforcement requests."

Google announced in a report released earlier this month it received 31,000 inquiries from the U.S. government in 2012, and around 42,000 overall. Google responded to requests with some sort of disclosure in almost 90% of cases.

[ Learn more about Google's user data disclosures. See Government Google Data Requests: Scope Unclear. ]

Microsoft said that fewer than 1,000 of the requests involved National Security Letters, which enable the FBI to pursue private information without a warrant and, in the name of national security, under a gag order. Redmond said that between 1,000 and 1,999 user accounts were named in these letters, which have been a popular tactic since the Patriot Act expanded law enforcement's ability to collect such data more than a decade ago. Microsoft received fewer of these requests in 2012 than it did in 2011, when between 1,000 and 1,999 letters were delivered to investigate between 3,000 and 3,999 accounts. Redmond publishes ranges instead of precise figures because federal law does not currently allow companies to provide exact statistics.

Like Microsoft, Google also received fewer than 1,000 letters in 2012. The Mountain View, Calif.-based giant fielded fewer than 1,000 requests in 2011 as well, but recieved between 2,000 and 2,999 inquiries in 2010.

The use of National Security Letters has been contentious. Earlier this month, U.S. District Judge Susan Illston ruled that the strategy violates federal law, but stayed her order until the government has a chance to appeal the decision.

Such national security debates have continued to rage as the U.S. government struggles to pass legislation to keep pace with evolving technological and social trends. The Justice Department criticized the FBI in 2010 for abusing its ability to monitor citizens, for example, and recently conceded that current cyber laws, such as those that deny privacy protections to emails older than 180 days, need to be changed. This is the same Justice Department that argued in favor of such outdated laws only a few months ago, a dissonance that suggests evolving opinions, but also speaks to the various agendas competing to shape reform efforts.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
4/5/2013 | 4:51:44 PM
re: Microsoft Reports On Patriot Act Data Requests
I have to admit that these numbers are lower than I expected to see, but still troubling that there are a number of accounts where personal information was accessed. It would be nice to see that statistic on how many convictions have been made due to these accounts information being accessed. If they are very low or limited, then I must be missing something here. Why are my rights being violated if the results of such violations are so low to begin with.

Paul Sprague
InformationWeek Contributor
J. Nicholas Hoover
50%
50%
J. Nicholas Hoover,
User Rank: Apprentice
3/22/2013 | 3:56:32 PM
re: Microsoft Reports On Patriot Act Data Requests
What I find interesting about Microsoft's announcement is that it's become part of a trend of online service providers releasing details about these requests. Google may have started it but it's good to see others like Microsoft jump in too with a bit of transparency.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4734
Published: 2014-07-21
Cross-site scripting (XSS) vulnerability in e107_admin/db.php in e107 2.0 alpha2 and earlier allows remote attackers to inject arbitrary web script or HTML via the type parameter.

CVE-2014-4960
Published: 2014-07-21
Multiple SQL injection vulnerabilities in models\gallery.php in Youtube Gallery (com_youtubegallery) component 4.x through 4.1.7, and possibly 3.x, for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) listid or (2) themeid parameter to index.php.

CVE-2014-5016
Published: 2014-07-21
Multiple cross-site scripting (XSS) vulnerabilities in LimeSurvey 2.05+ Build 140618 allow remote attackers to inject arbitrary web script or HTML via (1) the pid attribute to the getAttribute_json function to application/controllers/admin/participantsaction.php in CPDB, (2) the sa parameter to appl...

CVE-2014-5017
Published: 2014-07-21
SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to execute arbitrary SQL commands via the sidx parameter in a JSON request to admin/participants/sa/getParticipants_json, related to a search parameter...

CVE-2014-5018
Published: 2014-07-21
Incomplete blacklist vulnerability in the autoEscape function in common_helper.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to conduct cross-site scripting (XSS) attacks via the GBK charset in the loadname parameter to index.php, related to the survey resume.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.