Providing additional transparency on US government requests for customer data

 Posted by Brad Smith
General Counsel & Executive Vice President, Legal & Corporate Affairs, Microsoft

Today we are updating our transparency reporting to provide new information relating to governmental demands for customer data.  Beginning last summer, Microsoft, Google, and other companies filed lawsuits against the U.S. government arguing that we have a legal and constitutional right to disclose more detailed information about these demands.  We contended that we should be able to disclose information about legal orders issued pursuant to U.S. national security laws such as the Foreign Intelligence Surveillance Act (FISA), which we had previously been barred from disclosing.

As a result of that litigation and after lengthy discussions, the Government recently agreed for the first time to permit technology companies to publish data about FISA orders. While there remain some constraints on what we can publish (more details on that below), we are now able to present a comprehensive picture of the types of requests that we receive from the U.S. Government pursuant to national security authorities.

The Government has agreed that data about these requests can be reported in bands of a thousand, starting with the band from 0-999.  The aggregate FISA data covers six-month periods, but can only be published six months after the end of a reporting period.

Our most recent report covers the period from January – June 2013, addressing all of Microsoft’s services.  Specifically, during this time period:

  • We received fewer than 1,000 FISA orders seeking the disclosure of customer content.  These orders related to between 15,000 and 15,999 accounts or individual identifiers.  It’s important to note that this does not necessarily mean that more than 15,000 people were covered by these data requests. This is because one individual may have multiple accounts, each of which would be counted separately for the purposes of reporting this data.
  • We also received fewer than 1,000 FISA orders for non-content data only, seeking information that related to fewer than 1,000 accounts or identifiers. 
  • Finally, we received fewer than 1,000 National Security Letters covering fewer than 1,000 accounts or identifiers. 

The table below provides the same information going back to July of 2011, so you can see the last four time periods in context.  (It’s worth noting that National Security Letters by definition do not seek disclosure of customer content, hence the reference below to N/A regarding the number of accounts impacted by requests for content for these letters.)

| Reporting Period | Orders Seeking Disclosure of Content | Accounts Impacted by Orders Seeking Content | Orders Seeking Disclosure of Only Non-Content | Accounts Impacted by Non-Content Requests |
|---|---|---|---|---|
| Foreign Intelligence Surveillance Act (FISA) Orders | | | | |
| July – Dec 2011 | 0-999 | 11,000-11,999 | 0-999 | 0-999 |
| Jan – June 2012 | 0-999 | 11,000-11,999 | 0-999 | 0-999 |
| July – Dec 2012 | 0-999 | 16,000-16,999 | 0-999 | 0-999 |
| Jan – June 2013 | 0-999 | 15,000-15,999 | 0-999 | 0-999 |
| National Security Letters (NSLs) | | | | |
| July – Dec 2011 | N/A | N/A | 0-999 | 1,000-1,999 |
| Jan – June 2012 | N/A | N/A | 0-999 | 1,000-1,999 |
| July – Dec 2012 | N/A | N/A | 0-999 | 0-999 |
| Jan – June 2013 | N/A | N/A | 0-999 | 0-999 |
| July – Dec 2013 | N/A | N/A | 0-999 | 0-999 |

We appreciate that there is interest not only in what these numbers show, but in what they mean.  I’d offer two thoughts.  First, while our customers number hundreds of millions, the accounts affected by these orders barely reach into the tens of thousands.  This obviously means that only a fraction of a percent of our users are affected by these orders.  In short, this means that we have not received the type of bulk data requests that are commonly discussed publicly regarding telephone records.  This is a point we’ve publicly been making in a generalized way since last summer, and it’s good finally to have the ability to share concrete data. 

Second, nothing in today’s report minimizes the significance of efforts by governments to obtain customer information outside legal process.  Since the Washington Post reported in October about the purported hacking of cables running between data centers of some of our competitors, this has been and remains a major concern across the tech sector.  In December, we announced a number of measures to protect customer data, including a significant expansion of encryption across our services.  However, despite the President’s reform efforts and our ability to publish more information, there has not yet been any public commitment by either the U.S. or other governments to renounce the attempted hacking of Internet companies.  We believe the Constitution requires that our government seek information from American companies within the rule of law.  We’ll therefore continue to press for more on this point, in collaboration with others across our industry.

Additional Notes on the Data:

We are permitted to publish data about the number of FISA orders we have received, the number of accounts or other identifiers the government sought information about, and whether those orders sought customer content or only non-content information. 

We’ve reported data using the following definitions:

  • FISA Orders Seeking Disclosure of Content: This category would include any FISA electronic surveillance orders (50 U.S.C. § 1805), FISA search warrants (50 U.S.C. § 1824), and FISA Amendments Act directives (50 U.S.C. §1881) that were received or active during the reporting period. 
  • FISA Orders Requesting Disclosure of Non-Content: This category would include any FISA business records (50 U.S.C. § 1861), commonly referred to as 215 orders, and FISA pen register and trap and trace orders (50 U.S.C. § 1842) that were received or active during the reporting period.
  • Accounts Impacted: The number of user accounts impacted by FISA orders that were received or active during the period of time.  Since individuals may have multiple accounts across different Microsoft services - all of which are counted separately to determine the number of accounts impacted - this number will likely overstate the number of individuals subject to government orders.

It is important to remember that receipt of an order does not mean the information that was sought was ultimately disclosed. Microsoft has successfully challenged requests in court, and we will continue to contest orders that we believe lack legal validity. 

Going forward, we’ll include the data published today in our upcoming Law Enforcement Requests Report, so we can provide a comprehensive view of all the legal demands we receive from the U.S. government.  We publish these reports every six months.