[liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report
Jacob Appelbaum
jacob at appelbaum.net
Thu Mar 21 10:37:25 PDT 2013
Joseph Lorenzo Hall:
>
>
> On Thu Mar 21 12:27:47 2013, Jacob Appelbaum wrote:
>> Joseph Lorenzo Hall:
>>> Two things seem particularly interesting: apparently zero requests for
>>> content were fulfilled for Skype and the associated FAQ [1] says CALEA
>>> (the US law that mandates intercept capability) does not apply to Skype.
>>> That seems particularly encouraging to me.
>>>
>>> The FAQ is also interesting in that the non-content question mentions
>>> "location" but then only lists state, country and ZIP code as fields
>>> provided (I don't know how MSFT would have access to precise
>>> geolocation, but that doesn't appear to be something they provide). Also
>>> the NSL reporting in the FAQ is binned in terms of thousands of NSLs...
>>> so in 2009 they report receiving 0-999 NSLs and in 2010 1000-1999 NSLs
>>> (hard to tell if that was just one more NSL or a bunch).
>>>
>>
>> I don't agree with that reading of the report. There is likely a lot of
>> word-smithing here - for example, Does Skype include SkypeIn and
>> SkypeOut or just Peer to Peer video, text and storage of (other)
>> meta-data? Does CALEA happen on the Skype side of things or on the
>> PSTN/VoIP service side of Skype{In,Out}? My guess is the latter rather
>> than the former.
>
> Ok, I certainly agree there is probably a lot of wordsmithing here.
> CALEA certainly applies to PSTN interconnection but then presumably law
> enforcement would just go to the phone company which has
> CALEA-compliant switching hardware there. (I think.)
>
>> Also, note that Microsoft "Provided Guidance to Law Enforcement" - so
>> when they say they didn't provide content, did they provide the
>> credentials? If so, the guidance could have allowed the "Law
>> Enforcement" to simply log in and restore the account data. Or perhaps
>> merely disclosing a key?
>
> They certainly don't describe what that means, which is strange because
> for a transparency report with quantitative data, one would want to
> bound what the categories of quantitative data are! I would hope that
> MSFT would consider providing ciphertext and session keys as "providing
> content" and increment the zeros in that column, but there's no
> definitive statement in all of this that I can see which would support
> that.

I wrote to them and asked these questions, as well as a few others.

What other questions should we pose to them, I wonder?

All the best,
Jacob