Microsoft seeks to be transparent with the public, for example by reporting on law enforcement requests for customer data, but for a long time it was not legally permitted to report on national security orders from the U.S. government.
With rising globalisation, national and international security is becoming an increasingly important area of law.
Following litigation that Microsoft and other technology companies filed in 2014, the U.S. government agreed for the first time to permit such companies to publish data about national security orders.
While there are constraints on what can be published, and ranges are provided rather than exact numbers of orders, Microsoft’s US National Security Orders Report presents the most comprehensive, legally permissible picture of the types of requests that it receives from the U.S. government pursuant to national security authorities.
Types of national security orders
Microsoft receives both Foreign Intelligence Surveillance Act Orders and National Security Letters.
Foreign Intelligence Surveillance Act (FISA) Orders
The Foreign Intelligence Surveillance Act of 1978, or FISA, is a U.S. law that authorises certain types of foreign intelligence collection for national security purposes.
Under FISA, authorities can compel telecommunications and technology providers to disclose certain communications and other content data (e.g. emails) as well as non-content data (e.g. IP addresses), pertaining to specific non-U.S. persons located outside the U.S., to aid investigations into areas including terrorism, weapons proliferation, and cyber-attacks.
National Security Letters (NSLs)
A National Security Letters (NSL) may require the disclosure of basic subscriber information such as the name, address, and length of service of a customer who has subscribed to one of Microsoft’s services.
NSLs may not be used to require the disclosure of content data; only basic subscriber information that is relevant to U.S. national security. NSLs cannot be used for criminal, civil, or administrative investigations.
How many FISA Orders and NSLs does Microsoft receive?
Microsoft reports in six-month periods on the number of FISA Orders and NSLs it has received from the U.S. government.
Details of the orders received by Microsoft between January – June 2021 are outlined below.
FISA Orders
Between January – June 2021 there were:
- 0 – 499 orders seeking disclosure of content.
- 11,500 – 11,999 accounts impacted by orders seeking content.
- 0 – 499 orders seeking disclosure of only non-content.
- 0 – 499 accounts impacted by non-content orders.
Such details are provided on the Microsoft website as far back as July – December 2011. It appears that since 2014, there has been a reduction in the number of orders seeking the disclosure of both content and non-content data. For example, in the reporting period July – December 2014, there were:
- 0 – 999 orders seeking disclosure of content.
- 18,000 – 18,999 accounts impacted by orders seeking content.
- 0 – 999 orders seeking disclosure of only non-content.
- 0 – 999 accounts impacted by non-content orders.
NSLs
Between January – June 2021 there were:
- 0 – 499 orders seeking disclosure of only non-content.
- 0 – 499 accounts impacted by non-content orders.
It appears that since 2015, there has been a reduction in the number of orders received. For example, in the reporting period January – June 2015, there were:
- 0 – 999 orders seeking disclosure of only non-content.
- 0 – 999 accounts impacted by non-content orders.
Is information always disclosed after an order is received?
No. Microsoft has successfully challenged requests in court where it believes there are reasonable grounds to do so, and it applies the same principles to any government demand for data regardless of whether it pertains to a criminal or national security investigation.
As outlined in its page on law enforcement requests for data, Microsoft may reject a request for various reasons including if it is invalid, improperly served on Microsoft, requests data of a type not supported by the order, exceeds jurisdiction, or does not meet procedural requirements such as being appropriately authorised.
National security orders from other governments
Countries around the world have legal authorities that allow governments to compel certain information from private companies in support of national security investigations. Microsoft states that if it receives such demands, it will apply the same principles it does to any other government demand for data.
Key takeaways
Microsoft and other technology companies can receive both Foreign Intelligence Surveillance Act (FISA) Orders and National Security Letters (NSLs) from the U.S. government, requesting information pertaining to national security. Microsoft publishes data about these orders on its website, however there are restrictions on the level of detail that may be published. It appears than since 2014-15, there has been a reduction in the number of FISA Orders and NSLs received by Microsoft from the U.S. government.