Law Enforcement Requests Report

About

Twice a year we publish the number of legal demands for customer data that we receive from law enforcement agencies around the world. While this report only covers law enforcement requests, Microsoft follows the same principles for responding to government requests for customer data.

Government requests for customer data must comply with applicable laws. A subpoena or its local equivalent is required to request non-content data; a court order or warrant, or its local equivalent, is required for content data.

FAQs

Below are frequently asked questions concerning requests we receive from law enforcement agencies around the world. Additional information and FAQs related to Microsoft’s policies and procedures for responding to government requests for data can be found here.

A:

Non-content data include basic subscriber information, such as email address, name, state, country, ZIP code, and IP address at time of registration. Other non-content data may include IP connection history, an Xbox gamertag, and credit card or other billing information. We require a valid legal demand, such as a subpoena or court order, before we will consider disclosing non-content data to law enforcement.

Content is what our customers create, communicate, and store on or through our services, such as the words in an email exchanged between friends or business colleagues or the photographs and documents stored on OneDrive (formerly called SkyDrive) or other cloud offerings such as Office 365 and Azure. We require a court order or warrant before we will consider disclosing content to law enforcement.

Below is an example of exactly what law enforcement receives when Microsoft produces basic subscriber information, using a test account registered by a Microsoft employee. Although we changed the name and are masking the extension for security reasons, all other information is exactly what Microsoft produces to law enforcement.

| Field | Value |
|---|---|
| Login | First.Last@xxxxxxx.com |
| PUID | 0006BFFDA0FF8810 |
| First Name | First |
| Last Name | Last |
| State | Washington |
| Zip | 98052 |
| Country | US |
| Timezone | America/Los_Angeles |
| Registered from IP | 65.55.161.10 |
| Date Registered {Pacific} | 10/24/2007 1:05:18 PM |
| Gender | M |
| Last Login IP | 64.4.1.11 |

The PUID in the above table stands for “Personal User ID,” which is a unique alphanumeric code generated for each registered Microsoft account.


A:

Microsoft requires an official, signed document issued pursuant to local law and rules. Specifically, we require a subpoena or equivalent before disclosing non-content, and only disclose content in response to a warrant or court order. Microsoft's compliance team reviews government demands for user data to ensure the requests are valid, rejects those that are not valid, and only provides the data specified in the legal order.




A:

Not necessarily. While no customer information is provided to governments in response to a rejected request, it is possible that the government later submitted a valid request for the same information.


A:

Yes, consistent with industry practice and as permitted by law, we do, in limited circumstances, disclose information to criminal law enforcement agencies where we believe the disclosure is necessary to prevent an emergency involving danger of death or serious physical injury to a person. Microsoft considers emergency requests from law enforcement agencies around the world. Those requests must be in writing on official letterhead, and signed by a law enforcement authority. The request must contain a summary of the emergency, along with an explanation of how the information sought will assist law enforcement in addressing the emergency. Each request is carefully evaluated by Microsoft’s compliance team before any data is disclosed, and the disclosure is limited to the data that we believe would enable law enforcement to address the emergency. Some of the most common emergency requests involve suicide threats and kidnappings. A summary of the emergency requests received in the second half of 2017 is included in the downloadable version of this report.


A:

Yes. Except where prohibited by law, Microsoft will give prior notice to users of consumer services and our enterprise customers whose data is sought by a civil proceeding litigant. Microsoft sometimes receives civil proceeding legal demands that prohibit us from notifying our customer. In some cases, we request permission to notify our customer or even challenge the nondisclosure order. In some cases, Microsoft has persuaded the requesting party that its interests in the underlying litigation will not be prejudiced by Microsoft’s providing notice.


A:

No. This report covers requests from law enforcement agencies – usually local or national police departments investigating a range of criminal activity. The aggregate number of requests we receive under U.S. national security laws, such as the Foreign Intelligence Surveillance Act (FISA), is published here.


A:

Fewer users are impacted than the number of accounts impacted, but for a variety of reasons, it is difficult to determine an exact number. For example, a single request may seek information about multiple accounts belonging to one user, or the same accounts may also be subject to repeat orders in different time frames and, as a result, be “double counted.”


A:

A consumer service is generally one subscribed to and used by an individual in his or her personal capacity. Some examples include Hotmail/Outlook.com, OneDrive (which was previously called SkyDrive), Xbox Live and Skype. For purposes of this report, “enterprise customer” generally includes those organizations or entities (commercial, government or educational) that purchase more than 50 “seats” for one of our commercial cloud offerings, such as Office 365, Azure, Exchange Online and CRM Online. Those organizations, in turn, may provide services, such as email, to individual employees, students or others.


A:

Microsoft’s mission is to empower every person and every organization on the planet to achieve more, and all of our technologies are designed to further that mission. We place a premium on respecting and protecting the privacy of our users, and work to earn their trust every day. At the same time, Microsoft recognizes that law enforcement plays a critically important role in keeping our users – and our technology – safe and free from abuse or exploitation. We are hopeful that this data disclosure can better inform all sides in the critically important public discussion about how best to strike the balance between the privacy of our customers and the legitimate needs of law enforcement agencies that protect and serve their citizens.


A:

We are aware of reports that some providers have developed tools that third parties use to voluntarily assist governments in conducting surveillance of that provider’s users. We do not design tools to enable voluntary surveillance of our users. If we ever provide third parties with access to data about our customers, we expect those third parties to handle that data appropriately, meaning that they should not assist governments in voluntary, widespread surveillance of users. Instead, these third parties should ensure that they only disclose personal data about users in compliance with applicable law or in response to valid legal orders.