No Skype traffic released to cops or spooks, insists Microsoft

The numbers on Redmond's plod-spy squealing dealings

Analysis: Microsoft's Skype subsidiary didn't hand over any user content to law enforcement, according to the software giant's first ever report on how it deals with official requests for data.

As previously reported, Microsoft's transparency report revealed that Redmond received 75,378 requests from law enforcement agencies worldwide last year, involving 137,424 user accounts.

Microsoft supplied a separate set of figures for its Skype peer-to-peer VoIP subsidiary, which Redmond bought in late 2011 and operated until recently under a separate reporting structure and legal jurisdiction (Luxembourg law). Skype serviced 4,713 requests for data or information from law enforcement during 2012 that involved 15,409 accounts.

"Historically Skype only recorded instances in which it produced some data in response to a valid law enforcement request," Microsoft explained. "We are making changes to this practice so future disclosures will reflect rejections."

The UK (1,268) and US (1,154) accounted for a big slice of law enforcement requests handled by Skype globally, none of which are reported to have led to the release of user data. A detailed breakdown of all these figures and more can be found here (PDF).

Redmond plans to publish updated figures every six months, a blog post by Brad Smith, general counsel and executive vice president of legal & corporate affairs at Microsoft, explains. Its next set of stats will combine figures from Skype with those for other Microsoft services.

Approximately 79.8 per cent of non-Skype related requests to Microsoft (or 56,388 cases) during 2012 resulted in the disclosure of only transactional or account information, while a much smaller number of law enforcement requests (1,558 or 2.2 per cent) resulted in the disclosure of content, such as an e-mail exchange. One in five - 18 per cent - of law enforcement requests to Microsoft resulted in the disclosure of no customer data. This may happen because no data was found, the paperwork was not in order or because the request was too broad, among other reasons.

Redmond's first transparency report covers requests for information about users of services including Hotmail/Outlook.com, SkyDrive, Xbox LIVE, Microsoft Account, Office 365 and its recently retired Messenger IM service. Enterprise services such as Azure and Exchange Online are also covered by the figures. There's also a geographic breakdown in requests, so we learn that there were 11,073 requests from US law enforcement agencies involving 24,565 accounts and resulting in account info in 7,200 cases (65 per cent) and content in 1,544 (13.9 per cent) of cases.

There were 9,226 requests from UK law enforcement agencies involving 14,301 accounts and the yielding up of account info in 7,057 cases (76.5 per cent) and no releases of content. The non-release of content but high response rate to account info requests is repeated across other EU countries, such as France, Germany and Spain, though not Ireland. Hotmail's European servers are hosted in Ireland and the 73 law enforcement requests in Ireland led to Microsoft coughing up user content in five cases.

Microsoft's report comes after similar reports from Google and Twitter that covered how these other web giants handled requests for information from police and intelligence agencies. Twitter's figures also include stats on removal requests (infrequent) and copyright notices (better than three times more common than information requests).

The software giant explained that its practice is to require a valid subpoena or equivalent document before releasing non-content data and a court order or warrant before turning over content. It hopes its report on how it responds to law enforcement requests will inform debates on the topic.

Redmond's statistics offer only vague figures on so-called National Security Letters. A US District Court in California recently declared NSLs unconstitutional because recipients are prohibited from discussing them. The case against the gag orders was brought by the Electronic Frontier Foundation on behalf of an unnamed telco and may be subject to appeal.

If the ruling stands, then future transparency reports from Microsoft, Google and others may include the number of NSLs received by these web giants instead of simply stating the number is something less than a thousand per year or between 1,000 and 2,000, the opaque range quoted in both Microsoft and Google's recent transparency reports. ®
