Risk
3/22/2013
11:05 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%
Repost This

Microsoft Reports On Patriot Act Data Requests

Following Google's lead, Microsoft releases statistics on government requests for user information.

Office 2013: 10 Questions To Ask
Office 2013: 10 Questions To Ask
(click image for slideshow)
Microsoft on Thursday revealed for the first time statistics related to law enforcement requests for user data. Following similar disclosures by Google, the information adds new wrinkles to ongoing debates among lawmakers, intelligence agencies and the public regarding how to best balance national security concerns, civil liberties and transparency.

"Like others in the industry, we believe it is important for the public to have access to information about law enforcement access to customer data, particularly as customers are increasingly using technology to communicate and store private information," Microsoft said in a statement. In a blog post, Redmond general counsel and EVP of legal and corporate affairs Brad Smith stated the report would be updated every six months.

Microsoft received just over 11,000 requests from the U.S. government for user data in 2012, and more than 70,000 from governments and law enforcement agencies worldwide. In nearly 80% of total cases, the software giant complied by delivering limited data such as an account holder's name, gender or email address. Redmond provided more substantive content, such as email subject headings, in response to just over 2% of requests. Smith wrote that less than 0.02% of Microsoft customers "were potentially affected by law enforcement requests."

Google announced in a report released earlier this month it received 31,000 inquiries from the U.S. government in 2012, and around 42,000 overall. Google responded to requests with some sort of disclosure in almost 90% of cases.

[ Learn more about Google's user data disclosures. See Government Google Data Requests: Scope Unclear. ]

Microsoft said that fewer than 1,000 of the requests involved National Security Letters, which enable the FBI to pursue private information without a warrant and, in the name of national security, under a gag order. Redmond said that between 1,000 and 1,999 user accounts were named in these letters, which have been a popular tactic since the Patriot Act expanded law enforcement's ability to collect such data more than a decade ago. Microsoft received fewer of these requests in 2012 than it did in 2011, when between 1,000 and 1,999 letters were delivered to investigate between 3,000 and 3,999 accounts. Redmond publishes ranges instead of precise figures because federal law does not currently allow companies to provide exact statistics.

Like Microsoft, Google also received fewer than 1,000 letters in 2012. The Mountain View, Calif.-based giant fielded fewer than 1,000 requests in 2011 as well, but recieved between 2,000 and 2,999 inquiries in 2010.

The use of National Security Letters has been contentious. Earlier this month, U.S. District Judge Susan Illston ruled that the strategy violates federal law, but stayed her order until the government has a chance to appeal the decision.

Such national security debates have continued to rage as the U.S. government struggles to pass legislation to keep pace with evolving technological and social trends. The Justice Department criticized the FBI in 2010 for abusing its ability to monitor citizens, for example, and recently conceded that current cyber laws, such as those that deny privacy protections to emails older than 180 days, need to be changed. This is the same Justice Department that argued in favor of such outdated laws only a few months ago, a dissonance that suggests evolving opinions, but also speaks to the various agendas competing to shape reform efforts.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Apprentice
4/5/2013 | 4:51:44 PM
re: Microsoft Reports On Patriot Act Data Requests
I have to admit that these numbers are lower than I expected to see, but still troubling that there are a number of accounts where personal information was accessed. It would be nice to see that statistic on how many convictions have been made due to these accounts information being accessed. If they are very low or limited, then I must be missing something here. Why are my rights being violated if the results of such violations are so low to begin with.

Paul Sprague
InformationWeek Contributor
J. Nicholas Hoover
50%
50%
J. Nicholas Hoover,
User Rank: Apprentice
3/22/2013 | 3:56:32 PM
re: Microsoft Reports On Patriot Act Data Requests
What I find interesting about Microsoft's announcement is that it's become part of a trend of online service providers releasing details about these requests. Google may have started it but it's good to see others like Microsoft jump in too with a bit of transparency.
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: LOL.
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6212
Published: 2014-04-19
Unspecified vulnerability in HP Database and Middleware Automation 10.0, 10.01, 10.10, and 10.20 before 10.20.100 allows remote authenticated users to obtain sensitive information via unknown vectors.

CVE-2013-6213
Published: 2014-04-19
Unspecified vulnerability in Virtual User Generator in HP LoadRunner before 11.52 Patch 1 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1833.

CVE-2013-6214
Published: 2014-04-19
Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 9.05, 10.01, and 10.10 allows remote authenticated users to obtain sensitive information via unknown vectors, aka ZDI-CAN-2042.

CVE-2013-6215
Published: 2014-04-19
Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 10.01 and 10.10 allows remote authenticated users to execute arbitrary code via unknown vectors, aka ZDI-CAN-1977.

CVE-2013-6218
Published: 2014-04-19
Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.0x, 9.1x, and 9.2x allows remote attackers to execute arbitrary code via unknown vectors.

Best of the Web