FAQ

Q

Does Microsoft have different principles for responding to law enforcement and national security demands?

A

No. Microsoft adheres to the same principles for all types of government demands for user data, and does so across all of Microsoft’s services.

Q

What are Microsoft principles and policies for responding to government legal demands for customer data?

A

Microsoft adheres to the same principles for all requests from government agencies for user data, requiring governmental entities to follow the applicable laws, rules and procedures for requesting customer data. Microsoft does not provide any government with direct and unfettered access to our customers’ data, and we do not provide any government with our encryption keys or the ability to break our encryption. If a government wants customer data, it needs to follow applicable legal process – meaning, it must serve us with a warrant or court order for content or a subpoena for subscriber information or other non-content data. We require that any requests be targeted at specific accounts and identifiers. Microsoft's compliance team reviews government demands for user data to ensure the requests are valid, rejects those that are not valid, and only provides the data specified in the legal order.

Q

What are “content” and “non-content” data?

A

Non-content data includes basic subscriber information, such as email address, name, state, country, zip code, and IP address at time of registration. Other non-content data may include IP connection history, an Xbox Gamertag, and credit card or other billing information. We require a valid legal demand, such as a subpoena or court order, before we will consider disclosing non-content data to law enforcement.

Content is what our customers create, communicate, and store on or through our services, such as the words in an email exchanged between friends or business colleagues or the photographs and documents stored on OneDrive (formerly called SkyDrive) or other cloud offerings such as Office 365 and Azure. We require a court order or warrant before we will consider disclosing content to law enforcement.

Below is an example of exactly what law enforcement receives when Microsoft produces basic subscriber information, using a test account registered by a Microsoft employee. Although we changed the name and are masking the extension for security reasons, all other information is exactly what Microsoft produces to law enforcement.

Field                       Value
Login                       First.Last@xxxxxxx.com
PUID                        0006BFFDA0FF8810
First Name                  First
Last Name                   Last
State                       Washington
Zip                         98052
Country                     US
Timezone                    America/Los_Angeles
Registered from IP          65.55.161.10
Date Registered {Pacific}   10/24/2007 1:05:18 PM
Gender                      M
Last Login IP               64.4.1.11

The PUID in the above table stands for “Personal User ID,” which is a unique alpha-numeric code generated for each registered Microsoft account.

Q

What is the process for disclosing customer information in response to government legal demands?

A

Microsoft requires an official, signed document, issued pursuant to local law and rules. Specifically, we require a subpoena or equivalent before disclosing non-content, and only disclose content in response to a warrant or court order. Microsoft's compliance team reviews government demands for user data to ensure the requests are valid, rejects those that are not valid, and only provides the data specified in the legal order.

Q

What laws apply to Microsoft customer records and content?

A

For data hosted in the U.S., Microsoft follows the Electronic Communications Privacy Act. We require at least a subpoena before turning over non-content records, such as basic subscriber information or IP connection history, and we require a court order or warrant before producing content. Irish law and European Union directives apply to the Hotmail and Outlook.com accounts hosted in Ireland. Skype is a wholly-owned, but independent division of Microsoft, headquartered in and operating pursuant to Luxembourg law.

Q

How does Microsoft determine what countries are able to request data?

A

Microsoft produces certain data in response to valid legal requests from governmental entities for data we host in those countries. Additionally, Microsoft may disclose non-content data in response to a valid legal request. For our Microsoft services, we only comply after it is validated locally and transmitted to our compliance teams. When legal demands are served directly on Microsoft’s local subsidiaries in other countries, a local team or individual (typically a lawyer or someone operating under legal guidance) will receive and authenticate the legal demand. If it complies with local law, then it will be translated and sent to the appropriate compliance team for review and processing.

Q

What is Microsoft’s position on CALEA?

A

The U.S. Communications Assistance for Law Enforcement Act (CALEA) does not currently apply to many of Microsoft’s services, including Skype, because they are not considered telecommunications services.

Q

Why does Microsoft reject a government demand?

A

There are a number of reasons why Microsoft may reject or challenge a government request for user data. For example, we might reject or challenge an order if the request exceeds the authority, or the requested information is beyond the jurisdiction, of the requesting government or agency. Similarly, we may reject a demand if it is not signed or appropriately authorized, contains the wrong dates, is not properly addressed, contains material mistakes, or is overly broad.

Q

Is rejecting a request the only way Microsoft resists government demands?

A

No. In a number of cases, we seek to narrow the scope of government demands. Also, in the context of our commercial services, we always attempt to redirect the government to obtain the information directly from our customer. Except in the most limited circumstances, we believe that government agencies can go directly to business or government customers for information about one of their employees – just as they did before these customers moved to the cloud – and that they can do so without undermining their investigation or national security. We may also file a formal legal challenge in court seeking to modify or quash a particular legal order.

Q

Does Microsoft ever challenge non-disclosure obligations or gag orders?

A

Microsoft sometimes receives legal demands that prohibit us from notifying our customer. In some cases, we request permission to notify our customer or even challenge the gag order. For example, in one case, Microsoft received a National Security Letter (NSL) pertaining to an enterprise customer, which included a gag order preventing Microsoft from notifying the customer. Microsoft filed a legal challenge to the government’s gag order because we believed the government should obtain the data directly from the customer. As a result of the legal challenge, the government later withdrew the NSL and was able to obtain the data directly from the customer without compromising the integrity of its investigation.

Q

If a request was rejected, can you assure your customer that their information was never disclosed?

A

Not necessarily. While no customer information is provided to governments in response to a rejected request, it is possible that the government later submitted a valid request for the same information.

Q

Does Microsoft reject U.S. subpoenas from government entities seeking content data?

A

Yes. We require a court order or warrant before we will consider releasing content. Like other companies, we implemented the holding of U.S. v. Warshak, which held a provision of the Electronic Communications Privacy Act to be unconstitutional.

Q

How does Microsoft consider potential human rights issues impacted by law enforcement requests?

A

Our Global Human Rights Statement outlines our commitment to respect the human rights of our customers. By verifying law enforcement entities followed the laws and procedures in their jurisdictions before we respond to a request, we seek to ensure we are disclosing customer data in authorized criminal investigations. We respect the fact that law enforcement entities have the very difficult job of keeping us all safe and bringing to justice those who commit crimes. At the same time, we remain cognizant of the potential for law enforcement activities to infringe upon human rights and free expression.

Q

Does Microsoft provide any data to governments absent a formal legal demand?

A

Only in limited circumstances. Pursuant to United States law, we are required to report identified or suspected images exploiting children to the United States’ National Center for Missing and Exploited Children (NCMEC). We also, on occasion, report some limited information about a user when we have reason to believe the individual is about to harm themselves or someone else due to a public posting on one of our forums, on Xbox LIVE, or through referrals from other customers. If one of our customers or employees, or Microsoft itself, is the victim of a crime, we may report some limited information to law enforcement. Additionally, consistent with applicable law and industry practice, Microsoft sometimes discloses limited information to law enforcement where we believe the disclosure is necessary to prevent an emergency involving danger of death or serious physical injury to a person. Microsoft considers emergency requests from law enforcement agencies around the world. Those requests must be in writing on official letterhead, and signed by a law enforcement authority. The request must contain a summary of the emergency, along with an explanation of how the information sought will assist law enforcement in addressing the emergency. Each request is carefully evaluated by Microsoft’s compliance team before any data is disclosed, and the disclosure is limited to the data that we believe would enable law enforcement to address the emergency. Every six months, we publish information about the emergency requests we receive here.

Q

Does Microsoft charge governments for providing data and content?

A

Sometimes. Pursuant to U.S. law, Microsoft is entitled to seek reimbursement for costs associated with compliance with a valid legal demand. We only charge in an attempt to recover some costs associated with the need to comply with U.S. legal demands. To be clear, these reimbursements cover only a portion of the costs we actually incur to comply with legal orders. We do not, however, charge in emergency situations or in known child exploitation investigations.

For additional information about how we use and protect customer information, please read the Microsoft Privacy Statement.

Q

Does Microsoft notify users of its consumer services, such as Outlook.com, when law enforcement or another governmental entity in the U.S. requests their data?

A

Yes. Microsoft will give prior notice to users whose data is sought by a law enforcement agency or other governmental entity, except where prohibited by law. We may also withhold notice in exceptional circumstances, such as emergencies, where notice could result in danger (e.g., child exploitation investigations), or where notice would be counterproductive (e.g., where the user’s account has been hacked). Microsoft will also provide delayed notice to users upon expiration of a valid and applicable nondisclosure order unless Microsoft, in its sole discretion, believes that providing notice could result in danger to identifiable individuals or groups or be counterproductive.

Q

Does Microsoft notify its enterprise customers when law enforcement or another governmental entity requests their data?

A

Yes. Microsoft gives prior notice to its enterprise customers of any third party requests for their data, except where prohibited by law. We also provide our enterprise customers with notice upon expiration of a valid and applicable nondisclosure order. Except in the most limited circumstances, we believe governments can obtain information directly from our enterprise customers without jeopardizing their investigations or risking harm to individuals, just as they did before the customer moved to the cloud. For the same reason, we believe that our enterprise customers can, except in the most exceptional circumstances, be notified about government requests for their data.