Posted by Brad SmithGeneral Counsel & Executive Vice President, Legal & Corporate Affairs, Microsoft
Today we are updating our transparency reporting to provide new information relating to governmental demands for customer data. Beginning last summer, Microsoft, Google, and other companies filed lawsuits against the U.S. government arguing that we have a legal and constitutional right to disclose more detailed information about these demands. We contended that we should be able to disclose information about legal orders issued pursuant to U.S. national security laws such as the Foreign Intelligence Surveillance Act (FISA), which we had previously been barred from disclosing.
As a result of that litigation and after lengthy discussions, the Government recently agreed for the first time to permit technology companies to publish data about FISA orders. While there remain some constraints on what we can publish (more details on that below), we are now able to present a comprehensive picture of the types of requests that we receive from the U.S. Government pursuant to national security authorities.
The Government has agreed that data about these requests can be reported in bands of a thousand, starting with the band from 0-999. The aggregate FISA data covers six month periods, but can only be published six months after the end of a reporting period.
Our most recent report covers the period from January – June 2013, addressing all of Microsoft’s services. Specifically, during this time period:
The table below provides the same information going back to July of 2011, so you can see the last four time periods in context. (It’s worth noting that National Security Letters by definition do not seek disclosure of customer content, hence the reference below to N/A regarding the number of accounts impacted by requests for content for these letters.)
Orders Seeking Disclosure of Content
Accounts Impacted by Orders Seeking Content
Orders Seeking Disclosure of Only Non-Content
Accounts Impacted by Non-Content Requests
Foreign Intelligence Surveillance Act (FISA) Orders
July – Dec 2011
Jan – June 2012
July – Dec 2012
Jan – June 2013
National Security Letters (NSLs)
July – Dec 2013
We appreciate that there is interest not only in what these numbers show, but in what they mean. I’d offer two thoughts. First, while our customers number hundreds of millions, the accounts affected by these orders barely reach into the tens of thousands. This obviously means that only a fraction of a percent of our users are affected by these orders. In short, this means that we have not received the type of bulk data requests that are commonly discussed publicly regarding telephone records. This is a point we’ve publicly been making in a generalized way since last summer, and it’s good finally to have the ability to share concrete data.
Second, nothing in today’s report minimizes the significance of efforts by governments to obtain customer information outside legal process. Since the Washington Post reported in October about the purported hacking of cables running between data centers of some of our competitors, this has been and remains a major concern across the tech sector. In December, we announced a number of measures to protect customer data, including a significant expansion of encryption across our services. However, despite the President’s reform efforts and our ability to publish more information, there has not yet been any public commitment by either the U.S. or other governments to renounce the attempted hacking of Internet companies. We believe the Constitution requires that our government seek information from American companies within the rule of law. We’ll therefore continue to press for more on this point, in collaboration with others across our industry.
Additional Notes on the Data:
We are permitted to publish data about the number of FISA orders we have received, the number of accounts or other identifiers the government sought information about, and whether those orders sought customer content or only non-content information.
We’ve reported data using the following definitions:
It is important to remember that receipt of an order does not mean the information that was sought was ultimately disclosed. Microsoft has successfully challenged requests in court, and we will continue to contest orders that we believe lack legal validity.
Going forward, we’ll include the data published today in our upcoming Law Enforcement Requests Report, so we can provide a comprehensive view of all the legal demands we receive from the U.S. government. We publish these reports every six months.