Feeds

No Skype traffic released to cops or spooks, insists Microsoft

The numbers on Redmond's plod-spy squealing dealings

Security for virtualized datacentres

Analysis Microsoft's Skype subsidiary didn't hand over any user content to law enforcement, according to the software giant's first ever report on how it deals with official requests for data.

As previously reported), Microsoft's transparency report revealed that Redmond received 75,378 requests from law enforcement agencies worldwide last year, involving 137,424 user accounts.

Microsoft supplied a separate set of figures for its Skype peer-to-peer VoIP subsidiary, which Redmond bought in late 2011 and operated until recently under a separate reporting structure and legal jurisdiction (Luxembourg law). Skype serviced 4,713 requests for data or information from law enforcement during 2012 that involved 15,409 accounts.

"Historically Skype only recorded instances in which it produced some data in response to a valid law enforcement request," Microsoft explained. "We are making changes to this practice so future disclosures will reflect rejections."

The UK (1,268) and US (1,154) accounted for a big slice of law enforcement requests handled by Skype globally, none of which are reported to have led to the release of user data. A detailed breakdown of all these figures and more can be found here (PDF).

Redmond plans to publish updated figures every six months, a blog post by Brad Smith, general counsel and executive vice president of legal & corporate affairs at Microsoft explains. Its next set of stats will combine figures from Skype with those for other Microsoft services.

Approximately 79.8 per cent of non-Skype related requests to Microsoft (or 56,388 cases) during 2012 resulted in the disclosure of only transactional or account information, while a much smaller number of law enforcement requests (1,558 or 2.2 per cent) resulted in the disclosure of content, such as an e-mail exchange. One in five - 18 per cent - of law enforcement requests to Microsoft resulted in the disclosure of no customer data. This may happen because no data was found, the paper work was not in order or because the request was too broad, among other reasons.

Redmond's first transparency report covers requests for information about users of services including Hotmail/Outlook.com, SkyDrive, Xbox LIVE, Microsoft Account, Office 365 and its recently retired Messenger IM service. Enterprise services such as Azure and Exchange Online are also covered by the figures. There's also a geographic breakdown in requests, so we learn that there were 11,073 requests from US law enforcement agencies involving 24,565 accounts and resulting in account info in 7,200 cases (65 per cent) and content in 1,544 (13.9 per cent) of cases.

There were 9,226 requests from UK law enforcement agencies involving 14,301 accounts and the yielding up of account info in 7,057 cases (76.5 per cent) and no releases of content. The non-release of content but high response rate to account info requests is repeated across other EU countries, such as France, Germany and Spain though not Ireland. Hotmail's European servers are hosted in Ireland and the 73 law enforcement request in Ireland led to Microsoft coughing up user content in five cases.

Microsoft's report comes after similar reports from Google and Twitter that covered how these other web giants handled requests for information from police and intelligence agencies. Twitter's figures also include stats on removal requests (infrequent) and copyright notices (better than three times more common than information requests).

The software giant explained that its practice is to require a valid subpoena or equivalent document before releasing non-content data and a court order or warrant before turning over content. It hopes its report on how it responds to law enforcement requests will inform debates on the topic.

Redmond's statistics offer only vague figures on so-called National Security Letters. A US District Court in California recently declared NSLs unconstitutional because recipients are prohibited from discussing them. The case against the gag orders was brought by the Electronic Frontier Foundation on behalf on an unnamed telco and may be subject to appeal.

If the ruling stands, then future transparency reports from Microsoft, Google and other may include the number of NSLs received by these web giants instead of simply stating they number is something less than a thousand per year or between a 1,000 and 2,000, the opaque range quoted to in both Microsoft and Google's recent transparency reports. ®

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.