Risk
3/22/2013
11:05 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Microsoft Reports On Patriot Act Data Requests

Following Google's lead, Microsoft releases statistics on government requests for user information.

Office 2013: 10 Questions To Ask
Office 2013: 10 Questions To Ask
(click image for slideshow)
Microsoft on Thursday revealed for the first time statistics related to law enforcement requests for user data. Following similar disclosures by Google, the information adds new wrinkles to ongoing debates among lawmakers, intelligence agencies and the public regarding how to best balance national security concerns, civil liberties and transparency.

"Like others in the industry, we believe it is important for the public to have access to information about law enforcement access to customer data, particularly as customers are increasingly using technology to communicate and store private information," Microsoft said in a statement. In a blog post, Redmond general counsel and EVP of legal and corporate affairs Brad Smith stated the report would be updated every six months.

Microsoft received just over 11,000 requests from the U.S. government for user data in 2012, and more than 70,000 from governments and law enforcement agencies worldwide. In nearly 80% of total cases, the software giant complied by delivering limited data such as an account holder's name, gender or email address. Redmond provided more substantive content, such as email subject headings, in response to just over 2% of requests. Smith wrote that less than 0.02% of Microsoft customers "were potentially affected by law enforcement requests."

Google announced in a report released earlier this month it received 31,000 inquiries from the U.S. government in 2012, and around 42,000 overall. Google responded to requests with some sort of disclosure in almost 90% of cases.

[ Learn more about Google's user data disclosures. See Government Google Data Requests: Scope Unclear. ]

Microsoft said that fewer than 1,000 of the requests involved National Security Letters, which enable the FBI to pursue private information without a warrant and, in the name of national security, under a gag order. Redmond said that between 1,000 and 1,999 user accounts were named in these letters, which have been a popular tactic since the Patriot Act expanded law enforcement's ability to collect such data more than a decade ago. Microsoft received fewer of these requests in 2012 than it did in 2011, when between 1,000 and 1,999 letters were delivered to investigate between 3,000 and 3,999 accounts. Redmond publishes ranges instead of precise figures because federal law does not currently allow companies to provide exact statistics.

Like Microsoft, Google also received fewer than 1,000 letters in 2012. The Mountain View, Calif.-based giant fielded fewer than 1,000 requests in 2011 as well, but recieved between 2,000 and 2,999 inquiries in 2010.

The use of National Security Letters has been contentious. Earlier this month, U.S. District Judge Susan Illston ruled that the strategy violates federal law, but stayed her order until the government has a chance to appeal the decision.

Such national security debates have continued to rage as the U.S. government struggles to pass legislation to keep pace with evolving technological and social trends. The Justice Department criticized the FBI in 2010 for abusing its ability to monitor citizens, for example, and recently conceded that current cyber laws, such as those that deny privacy protections to emails older than 180 days, need to be changed. This is the same Justice Department that argued in favor of such outdated laws only a few months ago, a dissonance that suggests evolving opinions, but also speaks to the various agendas competing to shape reform efforts.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
4/5/2013 | 4:51:44 PM
re: Microsoft Reports On Patriot Act Data Requests
I have to admit that these numbers are lower than I expected to see, but still troubling that there are a number of accounts where personal information was accessed. It would be nice to see that statistic on how many convictions have been made due to these accounts information being accessed. If they are very low or limited, then I must be missing something here. Why are my rights being violated if the results of such violations are so low to begin with.

Paul Sprague
InformationWeek Contributor
J. Nicholas Hoover
50%
50%
J. Nicholas Hoover,
User Rank: Apprentice
3/22/2013 | 3:56:32 PM
re: Microsoft Reports On Patriot Act Data Requests
What I find interesting about Microsoft's announcement is that it's become part of a trend of online service providers releasing details about these requests. Google may have started it but it's good to see others like Microsoft jump in too with a bit of transparency.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3580
Published: 2014-12-18
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-6076
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6077
Published: 2014-12-18
Cross-site request forgery (CSRF) vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-6078
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.

CVE-2014-6080
Published: 2014-12-18
SQL injection vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.