Microsoft earns three stars in this year's Who Has Your Back report. This is Microsoft's fifth year in the report, and it has adopted several of the best practices we are highlighting. We appreciate what Microsoft has done to stand up for user transparency and privacy, but it still has more work to do. In particular, Microsoft should make clear its data retention policies and disclose what government content removal requests it receives.
Industry-Accepted Best Practices. Microsoft requires a warrant before giving content to law enforcement, stating in its law enforcement guidelines:
Microsoft requires an official, signed document, issued pursuant to local law and rules. Specifically, we require a subpoena or equivalent before disclosing non-content, and only disclose content in response to a warrant or court order. Microsoft's compliance team reviews government demands for user data to ensure the requests are valid, rejects those that are not valid, and only provides the data specified in the legal order.
In addition to a law enforcement guide, Microsoft publishes a transparency report.
Inform users about government data demands. Microsoft promises to provide advance notice to users about government data demands and will delay notice only in limited circumstances:
Microsoft will give prior notice to users whose data is sought by a law enforcement agency or other governmental entity, except where prohibited by law. We may also withhold notice in exceptional circumstances, such as emergencies, where notice could result in danger (e.g., child exploitation investigations), or where notice would be counterproductive (e.g., where the user's account has been hacked). Microsoft will also provide delayed notice to users upon expiration of a valid and applicable nondisclosure order unless Microsoft, in its sole discretion, believes that providing notice could result in danger to identifiable individuals or groups or be counterproductive.
Disclose data retention policies. Microsoft does not publish information about its data retention policies that includes information about retention of IP addresses and deleted content.
Disclose content removal requests. Microsoft does not disclose the number of times governments seek the removal of user content or accounts. Microsoft informs us that they will be publishing this in September.
Pro-user public policy: oppose backdoors. In a public, official written format, Microsoft opposes the compelled inclusion of deliberate security weaknesses. John Frank, Microsoft's Deputy General Counsel and Vice President of Legal and Corporate Affairs, stated:
We're also seeing officials around the world try to limit security measures such as encryption without making progress on the stronger legal protections that people deserve. The bottom line is that while governments only request data on a very small fraction of our customers, governments are seeking to alter the balance between privacy and public safety in a way that impacts everyone.
As we have said before, there are times when law enforcement authorities need to access data to protect the public. However, that access should be governed by the rule of law, and not by mandating backdoors or weakening the security of our products and services used by millions of law-abiding customers. This should concern all of us.
Tip o' the ol' beaverskin cap to Swordmaker for the ping!!