[liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report

Joseph Lorenzo Hall joe at cdt.org
Thu Mar 21 09:56:16 PDT 2013



On Thu Mar 21 12:27:47 2013, Jacob Appelbaum wrote:
> Joseph Lorenzo Hall:
>> Two things seem particularly interesting: apparently zero requests for
>> content were fulfilled for Skype and the associated FAQ [1] says CALEA
>> (the US law that mandates intercept capability) does not apply to Skype.
>> That seems particularly encouraging to me.
>>
>> The FAQ is also interesting in that the non-content question mentions
>> "location" but then only lists state, country and ZIP code as fields
>> provided (I don't know how MSFT would have access to precise
>> geolocation, but that doesn't appear to be something they provide). Also
>> the NSL reporting in the FAQ is binned in terms of thousands of NSLs...
>> so in 2009 they report receiving 0-999 NSLs and in 2010 1000-1999 NSLs
>> (hard to tell if that was just one more NSL or a bunch).
>>
>
> I don't agree with that reading of the report. There is likely a lot of
> word-smithing here - for example, does Skype include SkypeIn and
> SkypeOut or just Peer to Peer video, text and storage of (other)
> meta-data? Does CALEA happen on the Skype side of things or on the
> PSTN/VoIP service side of Skype{In,Out}? My guess is the latter rather
> than the former.

Ok, I certainly agree there is probably a lot of wordsmithing here. 
CALEA certainly applies to PSTN interconnection but then presumably law 
enforcement would just go to the phone company which has 
CALEA-compliant switching hardware there. (I think.)

> Also, note that Microsoft "Provided Guidance to Law Enforcement" - so
> when they say they didn't provide content, did they provide the
> credentials? If so, the guidance could have allowed the "Law
> Enforcement" to simply log in and restore the account data. Or perhaps
> merely disclosing a key?

They certainly don't describe what that means, which is strange because 
for a transparency report with quantitative data, one would want to 
bound what the categories of quantitative data are! I would hope that 
MSFT would consider providing ciphertext and session keys as "providing 
content" and increment the zeros in that column, but there's no 
definitive statement in all of this that I can see which would support 
that.

best, Joe
