EFF has long called on companies to publish the number and type of government demands they receive for user data. We think it's important enough to be one of the stars we award in our Who Has Your Back? campaign started in 2010. Users make decisions every day about which companies they entrust with their thoughts, photos, contacts, identities and location data. In order to make informed decisions users -- especially those at risk from repressive governments or engaging in political activism -- need to know how often the government is seeking that information from their providers.
In January of this year, EFF was part of a coalition led and organized by Nadim Kobeissi that called for Microsoft to release publish a report on government requests for Skype user data. The letter pointed out that with 600 million users worldwide, Skype is effectively one of the world’s largest telecommunications companies. Many users rely on Skype for secure and private communications and for some of them—whether they’re activists working in states governed by authoritarian regimes or journalists communication with sensitive sources—the stakes are high.
We are pleased to see that Microsoft has not only answered that letter on behalf of Skype, it has answered on behalf of the entire company. Yesterday the company released its first transparency report, which covers all law enforcement requests and court orders received in 2012 related to all of their online and cloud services, including Hotmail/Outlook.com, SkyDrive, Microsoft Account, and Messenger. Skype data gets it own separate report this year, because different laws apply. As the company notes, Microsoft is based in the United States, but Skype is “ wholly-owned, but independent division of Microsoft, headquartered in and operating pursuant to Luxembourg law.”
Microsoft also includes a category in its report that goes beyond Google's report, separately reporting the requests resulting in the disclosure of content for both Skype and its other products. For the non-Skype products it also reports the number of request resulting in the disclosure of subscriber/transactional data. This is a great step forward, since it gives more information about what user information is being sought and how often it is being turned over. For instance, the report notes that for the U.S., 7,196 government requests resulted in the disclosure of subscriber/transactional data and 1,544 requests resulted in the disclosure of content. Congress is debating changing the privacy laws protecting both content and noncontent stored by providers like Microsoft. This data indicates that if Congress only succeeds in adding protections for content, it is missing the much bigger issue. Over to you Google and others to match Microsoft on this one.
One noteworthy feature of the report is the sheer number of requests. In 2012, Microsoft and Skype received a total of 75,378 law enforcement requests, potentially impacting 137,424 accounts. For comparison, in the same period Google received 42,327, potentially impacting 68,249 accounts. One possible explanation is that, especially when combined with Skype, Microsoft is significantly larger than Google. More user accounts may translate into more requests for user data. Microsoft has also had an international presence for much longer than Google, but this difference is a good question for someone, perhaps a member of Congress, to put to law enforcement.
Other highlights include generalized information about the number of National Security Letters (NSLs) that Microsoft has received, going back to 2009, as well as generalized information about the total number of accounts that may have been affected by those requests. These letters--the type served on communications service providers such as phone companies and ISPs and are authorized by 18 U.S.C. 2709--allow the FBI to secretly demand data about ordinary American citizens' private communications and Internet activity without any prior judicial review. To make matters worse, recipients of NSLs are subject to gag orders that forbid them from ever revealing the letters' existence to anyone. EFF just successfully argued that the NSL gag orders are unconstitutional, but that Order is on hold pending appeal.
Until recently, none of the companies that issue transparency reports included statistics on NSLs. But a few weeks ago, Google published these figures for the first time as part of their transparency report, shining some limited light on the ways in which the US government uses these secretive demands for data about users. We are happy to see Microsoft follow suit. Because the numbers are so generalized (Microsoft received 1,000-1,999 NSLs in 2011, affecting 3,000-3,999 accounts), it is difficult to make comparison with Google, but speaking broadly, the Microsoft appears to receive more NSLs than Google.
What’s even more interesting is the claim regarding Skype that out of 4,713 requests for user data potentially affect 15,409 accounts, the number of requests resulting in the disclosure of user content is zero. The Skype report does not specify how often the company complied with government requests for transactional data, such as a user’s name, billing address, or IP history, noting that Skype did not keep this information for 2012. We expect that this will be clarified in future reports. But for users who expressed concern that Microsoft might be turning over their Skype conversations and messages in response to a warrant, these figures may appear reassuring, although some have raised good questions about them.
The Skype report goes one step further and offers the following clarification regarding its obligations under the Communications Assistance for Law Enforcement Act (CALEA), a U.S. law that forces broadband Internet and interconnected voice over Internet Protocol (VoIP) services to become wiretap-friendly.
The U.S. law, Communications Assistance for Law Enforcement Act, does not apply to any of Microsoft’s services, including Skype, as Microsoft is not a telecommunications carrier. Skype is an independent division headquartered and operating under Luxembourg law.
Does this mean that Skype is safe and secure for users who are concerned about the possibility of government surveillance? Not necessarily. Microsoft offers this important caveat:
While we may not receive law enforcement requests from some countries, or may not honor requests that do not follow our principles and policies, we nevertheless understand some users of our services may be subject to government monitoring or the suppression of ideas and speech. We provide SSL encryption for Microsoft services and Skype-Skype calls on our full client (for full function computers) are encrypted on a peer-to-peer basis; however, no communication method is 100% secure. For example Skype Out/In calls route through the existing telecommunications network for part of the call and users of the Skype thin client (used on smartphones, tablets and other hand-held devices) route communications over a wireless or mobile provider network. In addition, the end points of a communication are vulnerable to access by third parties such as criminals or governments.
Chinese filtering and censorship of TOMSkype is just one example of the kinds of monitoring and suppression of Skype traffic to which Microsoft alludes in its report.
Skype's 2005 external security audit indicated that "digital certificates created by the [central Skype] certificate authority are the basis for identity in Skype" and that, if falsified, these certificates could allow interception of Skype users' communications (see section 3.4.1). Microsoft's Skype division still controls and operates this authority. A troubling question about the report's definition of "Disclosure of Content" is whether falsified certificates or disclosure of cryptographic secrets—which are perhaps not themselves seen as user content, but can be directly used by an outside party to intercept it!—counts as "Disclosure of Content" or not. Observers including ACLU's Chris Soghoian worried that "leakage of crypto keys would ... not be considered release of content" by the report, even though they result in content getting intercepted. It's important for Microsoft to clarify this point to make the information reported about Skype meaningful.
None of this should take away from the big credit that Microsoft deserves for publishing this report in the first place or for including as much information as it did. By joining the ranks of companies that issue transparency reports, Microsoft has cleared up some of the confusion about the risks users are taking when they use Microsoft products, and added to our body of knowledge about the scope of government surveillance. We hope that 2013 is the year that transparency reports become to new normal. Now that Microsoft has done it, perhaps it will be less and less acceptable for companies like Facebook and Yahoo! to leave their users in the dark about government requests for their data.