Microsoft Details How It Complies With Government Requests For User Data

In the wake of the NSA leaks, tech companies began to distance themselves from allegations that said they provided the NSA with direct access to their servers. Microsoft was one of the more vocal in its denials, and even mounted a challenge against the secret FISA court demanding that it be allowed to release data request numbers. That hasn’t exactly worked out yet, but Microsoft is going to do the next best thing in the mean time.

In a large post today on the official Microsoft blog, Brad Smith, General Counsel and Executive Vice President of Legal and Corporate Affairs, details how Microsoft responds to government data requests for Outlook email, Skype calls and other services. He reiterates that Microsoft doesn’t provide the NSA with direct access, but goes even further by detailing how they respond to data requests for each service.

For Outlook, Smith says “we are sometimes obligated to comply with lawful demands from governments to turn over content for specific accounts, pursuant to a search warrant or court order.” He further says that any upgrades made to its instant messaging or email services have only been made in order to increase user privacy, and that governments must still issue search warrants to access information.

SkyDrive is much the same. Smith says that Microsoft will give governments specific content when compelled by a court order or search warrant. He also says that a 2013 upgrade to SkyDrive was made “to be able to comply with an increasing number of legal demands.” Despite that, he says that Microsoft has not, and will not, give any government direct access to SkyDrive.

As for Skype, Smith addresses concerns that arose last week after a leak said Microsoft gave the NSA direct access to Skype calls in July 2012 – the same month that Microsoft moved Skype to its own in-house servers. He says the move was not made “to facilitate greater government access to audio, video, messaging or other customer data.” He also says that Microsoft will never giver any government direct access to Skype calls, and that the company will only respond to “valid legal demands for specific user account information.”

Smith finally touches upon email and documents stored via its enterprise data storage solutions. Some companies might be concerned that the NSA can gain access to their private documents stored on Microsoft’s servers, but Smith says that Microsoft has “never provided any government with customer data from any of our business or government customers for national security purposes.” He does, however, say that Microsoft does comply with requests for data in criminal investigations. In those cases, Microsoft will attempt to direct the government to the company in question. If that’s not possible, Microsoft will provide the data while alerting the customer that their data was accessed.

To sum everything up, Smith lays out the following principles that Microsoft follows when interacting with government data requests:

Microsoft does not provide any government with direct and unfettered access to our customer’s data. Microsoft only pulls and then provides the specific data mandated by the relevant legal demand.

If a government wants customer data – including for national security purposes – it needs to follow applicable legal process, meaning it must serve us with a court order for content or subpoena for account information.

We only respond to requests for specific accounts and identifiers. There is no blanket or indiscriminate access to Microsoft’s customer data. The aggregate data we have been able to publish shows clearly that only a tiny fraction – fractions of a percent – of our customers have ever been subject to a government demand related to criminal law or national security.

All of these requests are explicitly reviewed by Microsoft’s compliance team, who ensure the request are valid, reject those that are not, and make sure we only provide the data specified in the order. While we are obligated to comply, we continue to manage the compliance process by keeping track of the orders received, ensuring they are valid, and disclosing only the data covered by the order.

Smith says Microsoft will continue to follow the above principles in its interactions with government, but will also continue to argue that it has a right to release more detailed data request numbers. To that end, Smith says that Microsoft has petitioned U.S. Attorney General Eric Holder to allow it to publish government data request numbers. It’s a long shot, but Smiths says he’ll publish those data requests numbers immediately upon receiving permission to do so.