Microsoft receives legal demands for customer data from law enforcement agencies around the world. In March 2013, as part of our commitment to increased transparency, Microsoft began publishing details of the number of demands we receive each year in our Law Enforcement Requests Report and clear documentation of our established practices in responding to government legal demands for customer data.
We update this report every six months, and each report includes the number of demands we receive and the number of accounts or identifiers that may be affected by these demands. We also provide details on the number of demands we complied with and, if we complied, whether we provided content or non-content data.
This Law Enforcement Requests Report is focused only on law enforcement requests. In early 2014, we received permission to begin publishing data about the number of legal demands we receive from the U.S. Government pursuant to national security laws. Our most recent report on these requests can be found here, and like the Law Enforcement Requests Report, will be updated every six months. We publish this information to help customers understand the clear principles Microsoft follows in responding to legal demands for customer data. We believe that our customers deserve and need to understand our policies, and the extent to which law enforcement requests impact our users. We also believe that that this kind of increased transparency may help advocates and policymakers better arrive at an appropriate balance between public safety and customer privacy.
About Microsoft’s response process
Microsoft follows clear principles in responding to government legal demands for customer data:
- We require a valid subpoena or legal equivalent before we consider releasing a customer’s non-content data to law enforcement;
- We require a court order or warrant before we consider releasing a customer’s content data;
- In each instance, we carefully examine the requests we receive for a customer’s information to make sure they are in accord with the laws, rules and procedures that apply.
Law Enforcement Requests Report FAQ
Which Microsoft Services are included in this report?
We report all Microsoft services, including Skype, together.
How many Microsoft users were impacted by law enforcement requests?
Fewer users are impacted than the number of accounts impacted, but for a variety of reasons, it is difficult to determine an exact number. For example, a single request may seek information about multiple accounts belonging to one user or the same accounts may also be subject to repeat orders in different timeframes and, as a result, be “double counted”.
How many enterprise cloud customers were impacted by law enforcement requests?
In the second half of 2014, Microsoft only received three requests from law enforcement for thirty-two users associated with an enterprise customer. In two cases, the requests were rejected or law enforcement was successfully redirected to the customer. In the third case, the customer was notified of the legal demand and the customer directed Microsoft to provide responsive information to law enforcement.
How many times did Microsoft disclose the content of customer communications or data storage to law enforcement?
In the second half of 2014, Microsoft disclosed content in response to 3.37 % of the total number of law enforcement requests received. With the exception of emergency disclosures, which are reported below, each disclosure of content was in response to a court order or warrant.
What services are subject to law enforcement requests?
As our law enforcement requests reports have shown, the overwhelming majority of law enforcement requests seek information related to our free consumer services. By comparison, we have received very few law enforcement requests for data associated with use of our commercial services by our enterprise customers.
What is the difference between a consumer and an enterprise customer?
A consumer service is generally one subscribed to and used by an individual in his or her personal capacity. Some examples include Hotmail/Outlook.com, OneDrive (which was previously called SkyDrive), Xbox Live and Skype. For purposes of this report, “enterprise customer” generally includes those organizations or entities (commercial, government or educational) that purchase more than 50 “seats” for one of our commercial cloud offerings, such as Office 365, Azure and Exchange Online and CRM Online. Those organizations, in turn, may provide services, such as e-mail, to individual employees, students or others.
What should Microsoft customers take away from this data disclosure?
Microsoft’s mission is to help people and businesses across the globe realize their full potential, and all of our technologies are designed to further that mission. We place a premium on respecting and protecting the privacy of our users, and work to earn their trust every day. At the same time, Microsoft recognizes that law enforcement plays a critically important role in keeping our users – and our technology – safe and free from abuse or exploitation. We are hopeful that this data disclosure can better inform all sides in the critically important public discussion about how best to strike the balance between the privacy of our customers and the legitimate needs of law enforcement agencies that protect and serve their citizens.
Did Microsoft ever challenge a law enforcement request?
As our report shows, every year, we reject a number of law enforcement requests. Challenges to government requests can take many forms. In many of these cases, we simply inform the requesting government that we are unable to disclose the requested information, and explain our reason for rejecting the request. We also, where it is appropriate, challenge requests in court. For example, in December 2013, we formally challenged the geographic reach of a U.S. search warrant, arguing that email should receive the same treatment as physical documents or other property, where the U.S. Government cannot obtain a search warrant to search and seize property located outside the U.S. For more information on that case, please visit digitalconstitution.com.
Does the data include any legal demands that may have been issued pursuant to U.S. national security orders (e.g. FISA Orders and FISA Directives)?
No. This report covers requests from law enforcement agencies – usually local or national police departments investigating a range of criminal activity.
As a result of lawsuits that Microsoft and other technology companies filed, we received permission from the U.S. Government to report on the aggregate number of requests we receive under U.S. national security laws, such as the Foreign Intelligence Surveillance Act (FISA). We published that data here.
Does Microsoft have a program to disclose information in response to imminent emergencies?
Yes, consistent with industry practice and as permitted by law, we do, in limited circumstances, disclose information to criminal law enforcement agencies where we believe the disclosure is necessary to prevent an emergency involving danger of death or serious physical injury to a person. Microsoft considers emergency requests from law enforcement agencies around the world. Those requests must be in writing on official letterhead, and signed by a law enforcement authority. The request must contain a summary of the emergency, along with an explanation of how the information sought will assist law enforcement in addressing the emergency. Each request is carefully evaluated by Microsoft’s compliance team before any data is disclosed, and the disclosure is limited to the data that we believe would enable law enforcement to address the emergency. Some of the most common emergency requests involve suicide threats and kidnappings. A summary of the emergency requests received in the second half of 2014 is below.
Data Disclosure Summary