Microsoft has followed the lead of numerous tech companies and released its first ever National Security Letter (PDF). The company introduced the latter as part of its biannual transparency report, while was released today.
National Security Letters are used by the FBI and other US departments to obtain investigative information. These data requests are secret and do not require a judicial process of approval. In other words, they are demands for companies to hand over customer data.
Tech companies are also issued with gag orders to prevent them from revealing these requests. The laws regarding were changed in a passage of the USA Freedom Act in 2015. Under the new legislation, the FBI is required by law to review the gag orders and companies can publish them.
In recent months, companies such as Yahoo and Google have published their security letters. Microsoft is the latest, and one of the most important considering how vocal the company has been about government requests.
Microsoft and the Justice Department have been locked in several legal battles over the last three years. The company denied a NSL request for customer information in 2015. DoJ officials requested data related to the San Bernardino terror attacks. The data was held in an Irish center and Microsoft refused the request.
The company argues a government has no right to demand data from centers not located within its borders. Microsoft urged the DoJ to pursue legal channels in Ireland in a bid to get the data. The company won its appeal in courts last year.
Publishing NSL Requests
With its decision to publish its first National Security Letter, Microsoft is opening a door to more releases. The NSL revealed today is from January 2014 and is requesting user data from Microsoft. The company says that the new law makes it possible for companies to be more transparent:
“Microsoft is the latest in a series of companies able to disclose an NSL due to provisions in the USA Freedom Act requiring the FBI to review previously issued non-disclosure orders,” Microsoft director of corporate responsibility Steve Lippman said in a blog post.
“The reforms in the USA Freedom Act were a positive step forward and we believe reasonable limits on the routine use of government secrecy should be adopted more broadly. There are times when secrecy is vital to an investigation, but too often secrecy orders are unnecessarily used, or are needlessly indefinite and prevent us from telling customers of intrusions even after investigations are long over.”
In its post, Microsoft also detailed the scale of data requests. Focusing on a period between July and December 2016, the company received 25,837 data requests. These were from law enforcement around the world, not just in the US.
These requests sought information from 44,876 user accounts. Microsoft says it provided metadata on 64.33 percent of the requests, and content on 3.66 percent. 15.54 percent of requests were rejected, while the remaining percentage was taken for requests with no pertaining information.
“We are hopeful that this data disclosure can better inform all sides in the critically important public discussion about how best to strike the balance between the privacy of our customers and the legitimate needs of law enforcement agencies that protect and serve their citizens,” Microsoft says.