Today, Microsoft finally caved. After mounting criticism over its lack of transparency, the company has for the first time detailed government surveillance of services like Skype, Hotmail, and SkyDrive.
Earlier this year, I and other Internet freedom advocates backed a letter calling on Microsoft to clarify the security policies around Skype due to “persistently unclear and confusing” statements about the access it can provide governments for the surveillance of conversations. Now, Microsoft has responded by publishing a transparency report—recognizing what it calls “broadening public interest in how often law enforcement agencies request customer data,” and following a trend set by Google and Twitter.
The report reveals that in 2012, Microsoft and Skype received a total of 75,378 law enforcement requests, 4,713 of which were specific requests targeting Skype. These requests affected some 137,424* user accounts of services including Skype, Hotmail, Outlook.com, SkyDrive, Xbox LIVE, Microsoft Account, and Office 365. The exact number of Skype users targeted was 15,409, and the top five requesting countries were Turkey (11,434), United States (12,227), United Kingdom (10,494), Germany (9,105), and France (9,005). Microsoft says that in 18 percent of the cases, no customer data was disclosed; about 79.8 percent of requests resulted in the disclosure of non-content information (metadata like IP addresses and “to” and “from” fields in an email); and 2.2 percent of the requests to Microsoft resulted in communications content (like the content of an email) being disclosed.
Interestingly, an FAQ published as part of the report notes that Skype-to-Skype calls made using the “full client” are encrypted peer-to-peer. In theory, this means calls made from one person to another using the computer version of Skype remain difficult for governments to eavesdrop on without the use of a spy Trojan. This appears to address, at least in part, a question Skype has previously refused to answer about its eavesdropping capabilities. The FAQ also acknowledges that a “thin” version of Skype used as an app on a cellphone or tablet device is not as secure and can be subject to snooping because it routes calls over a wireless or mobile network.
Microsoft says it did not disclose content of any Skype communications in 2012, and data that were disclosed included “SkypeID, name, email account, billing information and call detail records if a user subscribed to the Skype In/Online service, which connects to a telephone number.” However, security expert Chris Soghoian of the ACLU has already expressed some reservations about this. “Microsoft's response on Skype is very carefully worded,” he tweeted today, adding that Skype leaking cryptography keys to help authorities decrypt communications would “not be considered release of content.”
More questions will no doubt surface in the days ahead as the report comes under closer scrutiny. But it is certainly a positive step for Microsoft to have listened to criticism and embraced greater transparency—albeit belatedly. Notably, the company has also followed a recently applauded decision by Google to disclose some vague details about secret FBI national security letters that it has received. Microsoft says the feds requested data such as “the name, address, length of service, and local and long distance toll billing records” of between 11,000 and 14,996 of its users in a four-year period spanning 2009 to 2012. This information is requested by the authorities if it is deemed “relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities.” A controversial clause of NSLs that gags companies from revealing specific details about them was last week ruled unconstitutional by a California judge.
Microsoft says it will continue to release updated transparency reports every six months, in line with what Google has been doing since 2010. “As we continue to move forward, Microsoft is committed to respecting human rights, free expression, and individual privacy,” Brad Smith, Microsoft general counsel, wrote in a blog post.
Correction, March 21, 2013: Due to an editing error, this post originally misstated the number of Microsoft user accounts affected by law enforcement requests.