Twice a year, Microsoft publishes a report online detailing the legal requests it receives from governments around the world for customer data. Each report documents one half of the calendar year. The most recent report covers the period of January-June 2024.

 

Content Types

The data that governments and law enforcement agencies can request from Microsoft comes in two forms: content data and non-content data.

Content data: includes information such as emails, photos, phone contacts, etc.

Non-Content data: information such as financial transaction data, IP connection history, and account connections.

Non-content data reveals nothing personal about the user but does provide some idea of their activities, whereas content data can reveal information such as their emails, calendars, photos, etc.

 

Data Request Principle

In its desire to strike a balance between acknowledging and servicing real and serious governmental and law enforcement requests to “protect and serve their citizens” and protecting the privacy of its users, Microsoft insists that the same protocols be followed for all customer data requests, regardless of the issuer.

To that end, Microsoft’s principles state that:

  1. All requests are reviewed to ensure their validity and compliance with relevant laws.
  2. Microsoft does not provide governments with complete and unrestrained access to data, nor will it ever provide them with encryption keys or decryption opportunities.
  3. Non-content data requests require subpoenas or local equivalents, and access to content data requires “a warrant or its local equivalent”.

 

Types of Requests

Microsoft’s half-yearly reports take all possible types of requests that can be issued and group them into three categories: civil, criminal, and emergencies. The types of requests that can be issued include:

Consumer data requests: requests relating to a service used by an individual person, like Outlook, Xbox Live, etc.

Enterprise customer data requests: companies or organisations that purchase 50 or more “per user licenses” (sometimes referred to as “seats”) for one of Microsoft’s cloud service products – such as Azure or 365.

U.S. National Security Orders: requests issued by the US government in relation to national security authorities.

Data access agreement requests: foreign law enforcement requests.

Civil requests: civil litigation requests, such as disputes between organisations, individuals, businesses, etc.

 

User Rights

Whenever a data request is made regarding one of its customers, Microsoft’s policy is to notify that user that a request was issued in relation to their data. A notice may be withheld under exceptional circumstances – such as ones that could result in danger to a person or group or “would be counterproductive (e.g. where the user’s account has been hacked)”.

 

Access Granted

The U.S. currently has data-sharing relationships with the UK and Australia that are authorised under the CLOUD Act, which also enables the possibility of resolving potential legal conflicts and institutes clear “privacy-protective rules to govern cross-border requests for digital evidence when investigating serious crime”.

 

Access Denied

If Microsoft believes that there are “reasonable grounds for a challenge”, it will seek to challenge a legal request – especially if the request from a given government is at odds with the wording of their agreement with Microsoft.

Furthermore, Microsoft identifies the principles of comity (a legal doctrine in which “courts recognise and enforce each other’s legal decisions as a matter of courtesy”) as a means to challenge requests – particularly those with existing data access agreements.

 

Transparency Values

Occasionally, Microsoft receives requests from the United States government for data concerning other countries. These requests are subject to the same principles and review processes as all other requests. Microsoft further states that in its view “governments should never place global technology providers in the middle of state-on-state intelligence gathering”.

 

Australian Data Statistics

Between January and June 2024, Australia issued Microsoft with a total of 555 requests relating to 939 identified users or accounts. The results from this were:

  • 0 instances of disclosures of content
  • 449 disclosures of non-content data
  • 64 instances of no data found
  • 44 requests rejected for not meeting legal requirements

 

Key Takeaways

With its reports, Microsoft reiterates its commitment to transparency whilst acknowledging the fine line it regularly walks as it seeks to serve the competing interests and needs of governments and public safety and the privacy rights of individual citizens.

Nyman Gibson Miralis provides expert advice and representation in cases involving purported privacy breaches, including cases of alleged cybercrimes.
