The original version of this post appeared on the website of the Electronic Frontier Foundation.
Every day, when a person sends a Tweet, posts a photo to Flickr, or updates her Facebook page, she is making decisions about which companies to entrust with her thoughts, photos, contacts, identity and location data. In order to make informed decisions, users—especially those at risk of government repression—need to know if governments are asking companies for information about their online activities and what kinds of information the companies are handing over in response to these requests.
Earlier this year, Lebanese security researcher Nadim Kobeissi led a coalition of digital rights advocates, including GVA, in calling on Microsoft to report on government requests for Skype user data (Microsoft is the parent company for Skype). In an open letter to the company, the coalition pointed out that with 600 million users worldwide, Skype is effectively one of the world’s largest communication service providers.
Many users rely on Skype for secure and private communications and for some—whether they’re activists working in repressive environments or journalists communicating with sensitive sources—the stakes are high.
As a community, we're pleased that Microsoft has not only answered that letter on behalf of Skype, but has done so on behalf of the entire company. Last week Microsoft released its first transparency report, which covers all requests for user data from law enforcement and judicial authorities received in 2012. The report covers all of their online and cloud services, including Hotmail/Outlook.com, SkyDrive, Microsoft Account, and Messenger. Skype data gets its own separate report this year, because different laws apply. As the company notes, Microsoft is based in the United States, but Skype is a “wholly-owned, but independent division of Microsoft, headquartered in and operating pursuant to Luxembourg [and EU] law.”
The report includes information about requests that the company fulfilled for both Skype and its other products. For non-Skype products, it also reports the number of requests that resulted in the disclosure of user data. This is a great step forward, since it gives more information about what user information is being sought and how often it is being turned over.
Australia, Brazil, France, Germany, Hong Kong, Italy, Mexico, Spain, Taiwan, Turkey, the UK and the US made the most requests for Microsoft user data in 2012 (including Skype and other products/services listed above). How does Microsoft determine the list of countries for which it will accept government requests for user data?
Microsoft maintains operations and a physical presence in more than 100 countries around the world, which makes it easier for law enforcement authorities and/or courts to contact local Microsoft offices with requests for customer data. However, we only disclose data in 46 countries where we have the ability to validate the lawfulness of the request.
Even when restricted to 46 countries, the quantity of requests is surprising. In 2012, Microsoft and Skype received a total of 75,378 requests from law enforcement agencies, potentially impacting 137,424 accounts. For comparison, in the same period Google received 42,327 requests. One possible explanation is that, especially when combined with Skype, Microsoft serves a significantly larger number of users than Google. More user accounts may translate into more requests for user data. Microsoft has also had an international presence for much longer than Google.
Other highlights include generalized information about the number of National Security Letters (NSLs) that Microsoft has received, going back to 2009, as well as generalized information about the total number of accounts that may have been affected by those requests. These letters — which are issued to communications service providers such as phone companies and ISPs and are authorized by US law (18 U.S.C. 2709) — allow the FBI to secretly demand data about ordinary American citizens’ private communications and Internet activity without any prior judicial review. To make matters worse, recipients of NSLs are subject to gag orders that forbid them from ever revealing the letters’ existence to anyone. EFF just successfully argued that the NSL gag orders are unconstitutional, but that court order is on hold pending an appeal by the government.
Until recently, none of the companies that issue transparency reports included statistics on NSLs. But a few weeks ago, Google published these figures for the first time as part of their transparency report, shining some limited light on the ways in which the US government uses these secretive demands for data about users. We are happy to see Microsoft follow suit. Because the numbers are so generalized (Microsoft received 1,000-1,999 NSLs in 2011, affecting 3,000-3,999 accounts), it is difficult to make a comparison with Google, but speaking broadly, Microsoft appears to receive more NSLs than Google.
What’s even more interesting is the claim regarding Skype that out of 4,713 requests for user data that potentially affect 15,409 accounts, the number of requests resulting in the disclosure of user content is zero. The Skype report does not specify how often the company complied with government requests for transactional data (this might include a user’s name, billing address, or IP history, but not the content of his or her communications), noting that Skype did not keep this information for 2012. We expect that this will be clarified in future reports. But for users who expressed concern that Microsoft might be turning over their Skype conversations and messages in response to a warrant, these figures may appear reassuring.
The Skype report goes one step further and offers the following clarification regarding its obligations under the Communications Assistance for Law Enforcement Act (CALEA), a US law that forces broadband Internet and interconnected voice over Internet Protocol (VoIP) services to become wiretap-friendly:
The U.S. law, Communications Assistance for Law Enforcement Act, does not apply to any of Microsoft’s services, including Skype, as Microsoft is not a telecommunications carrier. Skype is an independent division headquartered and operating under Luxembourg law.
Does this mean that Skype is safe and secure for users who are concerned about the possibility of government surveillance? Not necessarily. Microsoft offers this important caveat:
While we may not receive law enforcement requests from some countries, or may not honor requests that do not follow our principles and policies, we nevertheless understand some users of our services may be subject to government monitoring or the suppression of ideas and speech. We provide SSL encryption for Microsoft services and Skype-Skype calls on our full client (for full function computers) are encrypted on a peer-to-peer basis; however, no communication method is 100% secure. For example Skype Out/In calls route through the existing telecommunications network for part of the call and users of the Skype thin client (used on smartphones, tablets and other hand-held devices) route communications over a wireless or mobile provider network. In addition, the end points of a communication are vulnerable to access by third parties such as criminals or governments.
Filtering and censorship of TOMSkype in China is one example of the kind of monitoring and suppression of Skype traffic to which Microsoft alludes in its report.
Skype's 2005 external security audit indicated that “digital certificates created by the [central Skype] certificate authority are the basis for identity in Skype” and that, if falsified, these certificates could allow interception of Skype users’ communications (see section 3.4.1). Microsoft's Skype division still controls and operates this authority. A troubling question about the report's definition of “Disclosure of Content” is whether falsified certificates or disclosure of cryptographic secrets—which are perhaps not themselves seen as user content, but can be directly used by an outside party to intercept it—counts as “Disclosure of Content” or not. Observers including security expert Chris Soghoian worried that “leakage of crypto keys would…not be considered release of content” by the report, even though they result in content getting intercepted. It's important for Microsoft to clarify this point to make the information reported about Skype meaningful.
None of this should take away from the big credit that Microsoft deserves for publishing this report in the first place or for including as much information as it did. By joining the ranks of companies that issue transparency reports, Microsoft has cleared up some of the confusion about the risks users are taking when they use Microsoft products, and added to our body of knowledge about the scope of government surveillance. We hope that 2013 is the year that transparency reports become the new normal. Now that Microsoft has done it, perhaps it will be less and less acceptable for companies like Facebook and Yahoo! to leave their users in the dark about government requests for their data.