US National Security Orders Report

No. Microsoft adheres to the same principles for all types of government demands for user data and does so across all Microsoft services.

The Foreign Intelligence Surveillance Act of 1978, or FISA, is a US law that authorizes certain types of foreign intelligence collection for national security purposes. A special independent federal court called the Foreign Intelligence Surveillance Court, or FISC, oversees such intelligence collection to ensure it is conducted consistent with the FISA statute and US Constitution, including the Fourth Amendment protection against unreasonable searches and seizures.

FISA includes authorities to compel telecommunications and technology providers to disclose certain communications and other content data as well as non-content data and also establishes important limitations on and oversight of those authorities.

Under FISA Section 702 (50 U.S. Code § 1881a et seq), the FISC may authorize the government to issue orders requiring companies to disclose content data, as well as non-content data, pertaining to specific non-US persons located outside the US in order to obtain certain judicially approved types of foreign intelligence information. This includes information to aid investigations into terrorism, weapons proliferation, and cybersecurity attacks. Based on a Presidential directive, Section 702 cannot be used to collect information for industrial espionage or to obtain a commercial advantage for US businesses. Nor can Section 702 be used to suppress or burden criticism or dissent, or disadvantage persons based on their ethnicity, race, gender, sexual orientation, or religion. In addition to approving an annual certification of the Section 702 surveillance program, the FISC reviews all compliance incidents to ensure that any access is conducted in accordance with approved targeting procedures, the FISA statute, as well as the Constitution. The Department of Justice is also required to report any compliance incidents to Congress.

Other provisions of FISA authorize the government, under the supervision of the FISC, to compel the production of certain non-content data. This includes pen register and trap and trace orders under 50 U.S.C. § 1842 as well as, under limited circumstances, business record orders under FISA Section 215. 

The number of user accounts impacted by Foreign Intelligence Surveillance Act (FISA) orders that were received or active during the period of time. Since individuals may have multiple accounts across different Microsoft services — all of which are counted separately to determine the number of accounts impacted — this number will likely overstate the number of individuals subject to government orders.

National Security Letters may require the disclosure of basic subscriber information such as the name, address and length of service of a customer who has subscribed to one of our services.  NSLs may not be used to require the disclosure of the content of a customer’s communications or data.  NSLs may only be used to request basic subscriber information that is relevant to U.S. national security and cannot be used for criminal, civil, or administrative investigations. 

The US government is required to report to Congress twice a year on how it uses NSLs and the Department of Justice audits the FBI’s use of NSLs to ensure compliance with the law. 

No. All such orders that were received or active during the reporting period are reflected in our biannual US National Security Orders Reports.

Executive Order (EO) 12333 is a Presidential directive that organizes US intelligence activities and regulates the foreign intelligence collection of certain components of the US Intelligence Community. EO 12333 does not include any authorization to compel private companies, such as Microsoft, to disclose customer data, and Microsoft would not comply with a request from the US government under EO 12333 for Microsoft to voluntarily provide personal data.

Microsoft applies the same principles to any government demand for data and will notify customers except when prohibited by law. Microsoft also provides notice to customers upon expiration of a valid and binding nondisclosure order.

Pursuant to 18 U.S.C. § 2709(c)(1), the FBI may prohibit Microsoft from disclosing the receipt of an NSL if it certifies that disclosure may result in “a danger to the national security of the United States, interference with a criminal, counterterrorism, or counterintelligence investigation, interference with diplomatic relations, or danger to the life or physical safety of any person.” As a result of reforms in the USA FREEDOM Act, the FBI periodically reviews the need for non-disclosure provisions associated with previously issued NSLs. When we receive notice from the FBI that an NSL is no longer subject to a non-disclosure obligation and we are no longer prohibited from providing notice, we notify our customers.

Current law prohibits recipients of FISA orders from ever disclosing the existence of a FISA order.

US law prohibits us from disclosing more specific information regarding national security legal demands including FISA orders and NSLs. Microsoft disagrees with these laws and believes that greater transparency is critical to maintaining trust in the rule of law.  Both in courts and in Congress, Microsoft has a long and successful history of advocating for additional transparency, and we are committed to working with policy makers to continue expanding our ability to provide more meaningful information to the public.

Microsoft applies the same principles to any government demand for data. We believe that governments should never place global technology providers in the middle of state-on-state intelligence gathering.  Microsoft would challenge any demand for foreign public sector data from any government.

Countries around the world have legal authorities that allow governments to compel certain information from private companies in support of national security investigations. If Microsoft receives such a demand, we apply the same principles we do to any other government demand for data. These requests would be included in our biannual Law Enforcement Request Report.