Principles, Policies and Practices FAQ
Does Microsoft have different principles for responding to law enforcement and national
No. Microsoft adheres to the same principles for all types of government demands
for user data, and does so across all of Microsoft’s services.
What are Microsoft principles and policies for responding to government legal demands
for customer data?
Microsoft adheres to the same principles for all requests from government agencies
for user data, requiring governmental entities to follow the applicable laws, rules
and procedures for requesting customer data. Microsoft does not provide any government
with direct and unfettered access to our customers’ data, and we do not provide
any government with our encryption keys or the ability to break our encryption.
If a government wants customer data, it needs to follow applicable legal process
– meaning, it must serve us with a warrant or court order for content or a subpoena
for subscriber information or other non-content data. We require that any requests
be targeted at specific accounts and identifiers. Microsoft's compliance team reviews
government demands for user data to ensure the requests are valid, rejects those
that are not valid, and only provides the data specified in the legal order.
What are “content” and “non-content” data?
Non-content data includes basic subscriber information, such as email address, name,
state, country, zip code, and IP address at time of registration. Other non-content
data may include IP connection history, an Xbox Gamertag, and credit card or other
billing information. We require a valid legal demand, such as a subpoena or court
order, before we will consider disclosing non-content data to law enforcement.
Content is what our customers create, communicate, and store on or through our services,
such as the words in an email exchanged between friends or business colleagues or
the photographs and documents stored on OneDrive (formerly called SkyDrive) or other
cloud offerings such as Office 365 and Azure. We require a court order or warrant
before we will consider disclosing content to law enforcement.
What is the process for disclosing customer information in response to government
Microsoft requires an official, signed document, issued pursuant to local law and
rules. Specifically, we require a subpoena or equivalent before disclosing non-content,
and only disclose content in response to a warrant or court order. Microsoft's compliance
team reviews government demands for user data to ensure the requests are valid,
rejects those that are not valid, and only provides the data specified in the legal
What laws apply to Microsoft customer records and content?
For data hosted in the U.S., Microsoft follows the Electronic Communications Privacy
Act. We require at least a subpoena before turning over non-content records, such
as basic subscriber information or IP connection history, and we require a court
order or warrant before producing content. Irish law and European Union directives
apply to the Hotmail and Outlook.com accounts hosted in Ireland. Skype is a wholly owned
but independent division of Microsoft, headquartered in and operating pursuant to
How does Microsoft determine what countries are able to request data?
Microsoft must produce certain data in response to valid legal requests from governmental
entities for data we host in those countries. Microsoft may disclose non-content
data in response to a valid legal request after it is validated locally and transmitted
to our compliance teams. When legal demands are served directly on our local subsidiaries
in other countries, a local team or individual (typically a lawyer or someone operating
under legal guidance) will receive and authenticate the legal demand. If it complies
with local law, then it will be translated and sent to the appropriate compliance
team for review and processing.
What is Microsoft’s position on CALEA?
The U.S. law, Communications Assistance for Law Enforcement Act, does not currently
apply to many of Microsoft’s services, including Skype, because they are not considered
Why does Microsoft reject a government demand?
There are a number of reasons why Microsoft may reject or challenge a government
request for user data. For example, we might reject or challenge an order if the
request exceeds the authority, or the requested information is beyond the jurisdiction,
of the requesting government or agency. Similarly, we may reject a demand if it
is not signed or appropriately authorized, contains the wrong dates, is not properly
addressed, contains material mistakes, or is overly broad.
Is rejecting a request the only way Microsoft resists government demands?
No. In a number of cases, we seek to narrow the scope of government demands. Also,
in the context of our commercial services, we always attempt to redirect the government
to obtain the information directly from our customer. Except in the most limited
circumstances, we believe that government agencies can go directly to business or
government customers for information about one of their employees – just as they
did before these customers moved to the cloud – and that they can do so without
undermining their investigation or national security. We may also file a formal
legal challenge in court seeking to modify or quash a particular legal order.
Does Microsoft ever challenge non-disclosure obligations or gag orders?
Microsoft sometimes receives legal demands that prohibit us from notifying our customer.
In some cases, we request permission to notify our customer or even challenge the
gag order. For example, in one case, Microsoft received a National Security Letter
(NSL) pertaining to an enterprise customer, which included a gag order preventing
Microsoft from notifying the customer. Microsoft filed a legal challenge to the
government’s gag order because we believed the government should obtain the data
directly from the customer. As a result of the legal challenge, the government later
withdrew the NSL and was able to obtain the data directly from the customer without
compromising the integrity of its investigation.
If a request was rejected, can you assure your customer that their information was
Not necessarily. While no customer information is provided to governments in response
to a rejected request, it is possible that the government later submitted a valid
request for the same information.
Does Microsoft reject U.S. subpoenas from government entities seeking content data?
Yes. We require a court order or warrant before we will consider releasing content.
Like other companies, we implemented the holding of U.S. v. Warshak, which held
a provision of the Electronic Communications Privacy Act to be unconstitutional.
How does Microsoft consider potential human rights issues impacted by law enforcement
Microsoft's Global Human Rights Statement outlines our commitment to respect the human
rights of our customers. By verifying law enforcement entities followed the laws
and procedures in their jurisdictions before we respond to a request, we seek to
ensure we are disclosing customer data in authorized criminal investigations. We
respect the fact that law enforcement entities have the very difficult job of keeping
us all safe and bringing to justice those who commit crimes. At the same time, we
remain cognizant of the potential for law enforcement activities to infringe upon
human rights and free expression.
Does Microsoft provide any data to governments absent a formal legal demand?
Only in limited circumstances. Pursuant to United States law, we are required to
report identified or suspected images exploiting children to the United States’
National Center for Missing and Exploited Children (NCMEC). We also, on occasion,
report some limited information about a user when we have reason to believe the
individual is about to harm themselves or someone else due to a public posting on
one of our forums, on Xbox LIVE, or through referrals from other customers. If one
of our customers or employees, or Microsoft itself, is the victim of a crime, we
may report some limited information to law enforcement. Additionally, consistent
with applicable law and industry practice, Microsoft sometimes discloses limited
information to law enforcement where we believe the disclosure is necessary to prevent
an emergency involving danger of death or serious physical injury to a person. Microsoft
considers emergency requests from law enforcement agencies around the world. Those
requests must be in writing on official letterhead, and signed by a law enforcement
authority. The request must contain a summary of the emergency, along with an explanation
of how the information sought will assist law enforcement in addressing the emergency.
Each request is carefully evaluated by Microsoft’s compliance team before any data
is disclosed, and the disclosure is limited to the data that we believe would enable
law enforcement to address the emergency. Every six months, we publish information
about the emergency requests we receive
Does Microsoft charge governments for providing data and content?
Sometimes. Pursuant to U.S. law, Microsoft is entitled to seek reimbursement for
costs associated with compliance with a valid legal demand. We only charge in an
attempt to recover some costs associated with the need to comply with U.S. legal
demands. To be clear, these reimbursements cover only a portion of the costs we
actually incur to comply with legal orders. We do not, however, charge in emergency
situations or in known child exploitation investigations.
For additional information about how we use and protect customer information, please
read the Microsoft
Does Microsoft notify users of its consumer services, such as Outlook.com, when
law enforcement or another governmental entity requests their data?
Yes. Microsoft will give prior notice to users whose data is sought by a law enforcement
agency or other governmental entity, except where prohibited by law. We may also
withhold notice in exceptional circumstances, such as emergencies, where notice
could result in danger (e.g., child exploitation investigations), or where notice
would be counterproductive (e.g., where the user’s account has been hacked).