Microsoft publishes first National Security Letter in transparency report

Microsoft’s biannual transparency report was just released and, like many other major tech companies that have been putting out their reports recently, the company has revealed its first National Security Letter.

The FBI uses NSLs to secretly obtain investigative information from tech companies about their customers. The letters do not require judicial approval and are often accompanied by gag orders that prevent companies from ever speaking about the legal process, but with the passage of the USA Freedom Act in 2015, the FBI is now required to periodically review the gag orders. Yahoo, Google, Cloudflare and the Internet Archive have all published NSLs over the last year.

Microsoft’s fight to be more transparent about government requests for user data has been brewing for years. In 2014, the company successfully pressured the FBI into withdrawing an NSL targeting an enterprise customer, and last year it sued the Justice Department over gag orders pertaining to other types of requests for user data. (Other companies are challenging NSLs too — Cloudflare and CREDO Mobile recently argued against NSL gag orders in the 9th Circuit.)

The NSL published by Microsoft was issued in January 2014 and targeted a user of its consumer products, the company says.

“Microsoft is the latest in a series of companies able to disclose an NSL due to provisions in the USA Freedom Act requiring the FBI to review previously issued non-disclosure orders,” Microsoft director of corporate responsibility Steve Lippman said in a blog post. “The reforms in the USA Freedom Act were a positive step forward and we believe reasonable limits on the routine use of government secrecy should be adopted more broadly. There are times when secrecy is vital to an investigation, but too often secrecy orders are unnecessarily used, or are needlessly indefinite and prevent us from telling customers of intrusions even after investigations are long over.”

Between July and December 2016, Microsoft received 25,837 requests for data from law enforcement agencies around the world. The requests targeted 44,876 user accounts; Microsoft provided metadata for 64.33 percent of the requests and content for 3.66 percent of requests. It rejected 15.54 percent of requests and found no responsive data for the remaining requests. Lippman said that the majority of the requests came from the U.S., United Kingdom, France and Germany. The total number of requests fell slightly in 2016 to 61,409, down from 74,311 in 2015.

Microsoft also disclosed data about content removal requests from governments and users. China was the most frequent requester for content removal, issuing 418 take-down requests.

Following the passage of the Right To Be Forgotten in the E.U., many individuals in Europe have begun requesting that search engines scrub their data. U.K. residents were the most frequent requesters, followed by France and Germany — but Microsoft doesn’t honor most of the requests, with acceptance rates hovering around 30 percent.

Microsoft tallies requests from revenge porn victims, as well, a process it started in 2015. During the six-month reporting period, it received 580 requests to take down revenge porn and complied with 51 percent of them.

So what are we supposed to make of all this data?

“We are hopeful that this data disclosure can better inform all sides in the critically important public discussion about how best to strike the balance between the privacy of our customers and the legitimate needs of law enforcement agencies that protect and serve their citizens,” Microsoft says.