We recently reported that a watchdog site, Cryptome, was removed from the Web for refusing to take down a copy of a Microsoft document.
This document, called the Microsoft Online Services Global Criminal Compliance Handbook, or “spy guide,” gives details on how law enforcement can grab user data from a wide range of Microsoft services, from Windows Live ID to Xbox Live to Hotmail. Microsoft holds and can reveal a huge amount of data on individuals through their social networking and file-sharing services, too. These data include IP addresses, credit cards, chat logs and much more.
How does a large corporation balance end user privacy balance with the need to cooperate and comply with law enforcement? Read on to see how Microsoft handles this issue.
On the Surface
After a quick read-through of Microsoft’s guide, everything initially made sense. They’ve got a lot of data – IM logs that can help find missing kids, gaming records that can help return a stolen Xbox, emails that can help track down terrorists.
There’s an emergency hotline for urgent or life-threatening incidents, “situations like kidnapping, murder threats, bomb threats, terrorism threats, etc.”
The full list of services includes email, authentication (Windows Live ID), IM, social networking (Windows Live Spaces and MSN Groups), custom domains, online file storage and gaming (Xbox Live). For each service, data is accessible through a series of web interface that allow law enforcement to browse through relevant data in tables or forms.
And there are procedures for accessing all this information, too. Law enforcement can’t simply ask for the information, according to the document. They have to have a subpoena, a court order or a warrant to gain access to data such as usernames, linked accounts and email address books.
But after talking to a few sources who have worked in law enforcement (LE) and government agencies – none of whom wanted to be quoted, for obvious reasons – these procedures are a far cry from the day-to-day realities of data access.
In other words, there’s a reason it’s called a “spy guide.”
For one thing, federal and LE officers tend to have a much easier time getting access to user data than their corporate conspirators might let on, our sources told us. In ticking time bomb scenarios, this can be a good thing, as quick and unobstructed access to data can save people from imminent harm.
Where Are All Those Warrants?
However, we’ve been told by people who have handled such issues that government and LE often request and are given data without having to go through the proper procedures, often because of corporations’ fear of government retribution.
For example, not too long ago, Sprint was revealed to have complied with 8 million LE requests for GPS data in 2009. This figure doesn’t include any other type of data from anyone other than LE for any network other than Sprint – this is just for LE GPS data requests from Sprint.
The implications of this are staggering, but the most confounding of them all is that there could not possibly be enough warrants to justify the sum total of requests that digital companies are handed by law enforcement seeking user data. Our sources all confirmed that without question, LE and government officials are often given user data by companies such as Microsoft without having to provide any kind of justification – not legal documents, not proof of criminal activity and not evidence of guilt.
What About the Fourth Amendment?
And then, there are the less widely known reasons that LE or federal agencies would gain access to user data – programs such as government data mining or Project Carnivore (which is essentially the wiretapping scandal of the digital sphere). Again, our sources confirmed that LE’s desire to see user data is often the only reason a digital company would need to turn over information – warrantless wiretapping all over again.
In conclusion, Microsoft’s spy guide does state that certain steps much be taken for law enforcement to access data – steps that require law enforcement to prove that their searches and seizures in the digital world are legally justifiable. Whether or not anecdotal evidence supports this claim we will leave to our readers to judge.
What the document does show us, however, is the extraordinary breadth and depth of information that Microsoft has and is willing to give to government and law enforcement agencies. And that alone is enough to make us put on our tin foil hats.
Note: We have contacted Microsoft’s Rapid Response media team with several questions and are awaiting a response.
UPDATE: 9.30 a.m. PST, We have received a response from Microsoft. They claim the document’s purpose is to “respond to lawful requests from law enforcement agencies to provide information related to criminal investigations” and state that they “take our responsibility to protect our customers privacy very seriously.” Moreover, they have requested that Cryptome be restored. See our update here.