Microsoft released its biannual transparency report that covers the period from July-December 2016. In the report, the company was also able to disclose the contents of a National Security Letter for the first time due to the passage of the USA Freedom Act back in 2015.
Microsoft’s Transparency Report
Microsoft received 25,837 requests for customer information in the second half of 2016, which brought the total for the year to 61,409. This represents a significant drop for the year, compared to the 74,311 requests received in 2015. The company’s lawsuit against the U.S. government’s abuse of data requests and gag orders may have something to do with this.
Globally, the majority of requests (71%) came from the U.S., France, and Germany.
Microsoft also received 1,000-1,499 Foreign Intelligence Surveillance Act (FISA) orders in the second half of 2016, exposing the information of 12,000-12,499 accounts to the U.S. government. This seems to be an increase in FISA orders compared to the same period in 2015, when the company received only 0-499 FISA orders.
The company also added that it received 0-499 NSLs in this period, which is the same reported range of received NSLs as for the last period. However, because Microsoft is not allowed to give an exact number or even a closer range for how many NSLs it received, we’re left guessing whether it received 0, 499, or any number of NSLs in between that range.
Microsoft Discloses NSL Contents
The USA Freedom Act made some minor, and according to the EFF, largely insufficient changes to how the FBI should handle NSLs. The main change seems to be that the recipient of NSLs can ask the FBI to go back to a judge to review the NSL. However, once an NSL is delivered, the FBI has full latitude for when it’s going to remove the gag order.
The agency is supposed to regularly review the NSLs to see where a gag order is still necessary, but out of the hundreds of thousands of NSLs it has sent in the past 16 years, so far we’ve seen the contents of less than 20 (fewer than 0.01%). Some of those were obtained only after many years of legal battles with the FBI and the Department of Justice.
Microsoft seems to have been able to convince the FBI to release the contents for one of the NSLs it has received in the past few years. The NSL in question was issued in 2014, and it sought to obtain the data belonging to a customer of Microsoft’s consumer services. This NSL was part of a previous aggregate transparency report, but the company could only now release the contents of it. The name of the NSL target was not disclosed.
The NSL in question seems to have been issued under the authority of the Executive Order 12333 (last amended in 2008 by President Bush); Title 18 of the United States Code, which deals with federal crimes; and the Electronic Communications Protection Act (ECPA), which Microsoft, as well as the whole U.S. House, are trying to reform.
Microsoft To Continue Fighting For More Transparency
Although Microsoft believes the the USA Freedom Act was a step in a positive direction, the company also said that more limits to secrecy are necessary, so that gag orders are used only when they're truly essential.
Microsoft sued the U.S. government last year because the government seems to have gotten to a point where almost half of its data requests are accompanied by indefinite gag orders. Microsoft believes that transparency and accountability is essential for building trust in technology, so it hopes the lawsuit will lead to saner rules around secret orders.
Updated, 4/26/2017, 2:25pm PT: Microsoft updated the range of FISA orders it received from January 1 to June 30, 2016, with the following statement:
Our latest U.S. National Security Orders Report and accompanying blog post contained an error, reporting that from Jan. 1 – June 30, 2016 Microsoft received 1,000 – 1,499 FISA orders seeking disclosure of customer content. The correct range is 0 – 499 FISA orders seeking disclosure of customer content. All the other data disclosed in the National Security Orders Report was correct.
Microsoft corrected the mistake as soon as we realized it was made to ensure the accuracy of our reporting. We’ve put additional safeguards in place to ensure the numbers we report are correct. We apologize for the error.