Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

3/22/2013
11:05 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Microsoft Reports On Patriot Act Data Requests

Following Google's lead, Microsoft releases statistics on government requests for user information.

Office 2013: 10 Questions To Ask
Office 2013: 10 Questions To Ask
(click image for slideshow)
Microsoft on Thursday revealed for the first time statistics related to law enforcement requests for user data. Following similar disclosures by Google, the information adds new wrinkles to ongoing debates among lawmakers, intelligence agencies and the public regarding how to best balance national security concerns, civil liberties and transparency.

"Like others in the industry, we believe it is important for the public to have access to information about law enforcement access to customer data, particularly as customers are increasingly using technology to communicate and store private information," Microsoft said in a statement. In a blog post, Redmond general counsel and EVP of legal and corporate affairs Brad Smith stated the report would be updated every six months.

Microsoft received just over 11,000 requests from the U.S. government for user data in 2012, and more than 70,000 from governments and law enforcement agencies worldwide. In nearly 80% of total cases, the software giant complied by delivering limited data such as an account holder's name, gender or email address. Redmond provided more substantive content, such as email subject headings, in response to just over 2% of requests. Smith wrote that less than 0.02% of Microsoft customers "were potentially affected by law enforcement requests."

Google announced in a report released earlier this month it received 31,000 inquiries from the U.S. government in 2012, and around 42,000 overall. Google responded to requests with some sort of disclosure in almost 90% of cases.

[ Learn more about Google's user data disclosures. See Government Google Data Requests: Scope Unclear. ]

Microsoft said that fewer than 1,000 of the requests involved National Security Letters, which enable the FBI to pursue private information without a warrant and, in the name of national security, under a gag order. Redmond said that between 1,000 and 1,999 user accounts were named in these letters, which have been a popular tactic since the Patriot Act expanded law enforcement's ability to collect such data more than a decade ago. Microsoft received fewer of these requests in 2012 than it did in 2011, when between 1,000 and 1,999 letters were delivered to investigate between 3,000 and 3,999 accounts. Redmond publishes ranges instead of precise figures because federal law does not currently allow companies to provide exact statistics.

Like Microsoft, Google also received fewer than 1,000 letters in 2012. The Mountain View, Calif.-based giant fielded fewer than 1,000 requests in 2011 as well, but recieved between 2,000 and 2,999 inquiries in 2010.

The use of National Security Letters has been contentious. Earlier this month, U.S. District Judge Susan Illston ruled that the strategy violates federal law, but stayed her order until the government has a chance to appeal the decision.

Such national security debates have continued to rage as the U.S. government struggles to pass legislation to keep pace with evolving technological and social trends. The Justice Department criticized the FBI in 2010 for abusing its ability to monitor citizens, for example, and recently conceded that current cyber laws, such as those that deny privacy protections to emails older than 180 days, need to be changed. This is the same Justice Department that argued in favor of such outdated laws only a few months ago, a dissonance that suggests evolving opinions, but also speaks to the various agendas competing to shape reform efforts.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
4/5/2013 | 4:51:44 PM
re: Microsoft Reports On Patriot Act Data Requests
I have to admit that these numbers are lower than I expected to see, but still troubling that there are a number of accounts where personal information was accessed. It would be nice to see that statistic on how many convictions have been made due to these accounts information being accessed. If they are very low or limited, then I must be missing something here. Why are my rights being violated if the results of such violations are so low to begin with.

Paul Sprague
InformationWeek Contributor
J. Nicholas Hoover
50%
50%
J. Nicholas Hoover,
User Rank: Apprentice
3/22/2013 | 3:56:32 PM
re: Microsoft Reports On Patriot Act Data Requests
What I find interesting about Microsoft's announcement is that it's become part of a trend of online service providers releasing details about these requests. Google may have started it but it's good to see others like Microsoft jump in too with a bit of transparency.
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7856
PUBLISHED: 2021-04-20
A vulnerability of Helpcom could allow an unauthenticated attacker to execute arbitrary command. This vulnerability exists due to insufficient authentication validation.
CVE-2021-28793
PUBLISHED: 2021-04-20
vscode-restructuredtext before 146.0.0 contains an incorrect access control vulnerability, where a crafted project folder could execute arbitrary binaries via crafted workspace configuration.
CVE-2021-25679
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** The AdTran Personal Phone Manager software is vulnerable to an authenticated stored cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed....
CVE-2021-25680
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** The AdTran Personal Phone Manager software is vulnerable to multiple reflected cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only...
CVE-2021-25681
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** AdTran Personal Phone Manager 10.8.1 software is vulnerable to an issue that allows for exfiltration of data over DNS. This could allow for exposed AdTran Personal Phone Manager web servers to be used as DNS redirectors to tunnel arbitrary data over DNS. NOTE: The aff...