[liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report

Cynthia Wong wongc at hrw.org
Fri Mar 22 08:43:15 PDT 2013 

The glossary indicates the reporting only covers criminal law enforcement matters, so it probably excludes national security requests.  Another thing to ask for in future iterations, given Google's precedent on NSLs.  




//
Cynthia M. Wong
Senior Researcher on the Internet
Business & Human Rights Division
Human Rights Watch




-----Original Message-----
From: liberationtech-bounces at lists.stanford.edu [mailto:liberationtech-bounces at lists.stanford.edu] On Behalf Of Dan Auerbach
Sent: Thursday, March 21, 2013 4:14 PM
To: liberationtech at lists.stanford.edu
Subject: Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report

On 03/21/2013 10:37 AM, Jacob Appelbaum wrote:
> Joseph Lorenzo Hall:
>> > 
>> > 
>> > On Thu Mar 21 12:27:47 2013, Jacob Appelbaum wrote:
>>> >> Joseph Lorenzo Hall:
>>>> >>> Two things seem particularly interesting: apparently zero 
>>>> >>> requests for content were fulfilled for Skype and the 
>>>> >>> associated FAQ [1] says CALEA (the US law that mandates intercept capability) does not apply to Skype.
>>>> >>> That seems particularly encouraging to me.
>>>> >>>
>>>> >>> The FAQ is also interesting in that the non-content question 
>>>> >>> mentions "location" but then only lists state, country and ZIP 
>>>> >>> code as fields provided (I don't know how MSFT would have 
>>>> >>> access to precise geolocation, but that doesn't appear to be 
>>>> >>> something they provide). Also the NSL reporting in the FAQ is binned in terms of thousands of NSLs...
>>>> >>> so in 2009 they report receiving 0-999 NSLs and in 2010 
>>>> >>> 1000-1999 NSLs (hard to tell if that was just one more NSL or a bunch).
>>>> >>>
>>> >>
>>> >> I don't agree with that reading of the report. There is likely a 
>>> >> lot of word-smithing here - for example, Does Skype include 
>>> >> SkypeIn and SkypeOut or just Peer to Peer video, text and storage 
>>> >> of (other) meta-data? Does CALEA happen on the Skype side of 
>>> >> things or on the PTSN/VoIP service side of Skype{In,Out}? My 
>>> >> guess is the latter rather than the former.
>> > 
>> > Ok, I certainly agree there is probably a lot of wordsmithing here. 
>> > CALEA certainly applies to PSTN interconnection but then presumably 
>> > law enforcement would just go to the phone company which has 
>> > CALEA-compliant switching hardware there. (I think.)
>> > 
>>> >> Also, note that Microsoft "Provided Guidance to Law Enforcement" 
>>> >> - so when they say they didn't provide content, did they provide 
>>> >> the credentials? If so, the guidance could have allowed the "Law 
>>> >> Enforcement" to simply login and restore the account data. Or 
>>> >> perhaps merely disclosing a key?
>> > 
>> > They certainly don't describe what that means, which is strange 
>> > because for a transparency report with quantitative data, one would 
>> > want to bound what the categories of quantitative data are! I would 
>> > hope that MSFT would consider providing ciphertext and session keys 
>> > as "providing content" and increment the zeros in that column, but 
>> > there's no definitive statement in all of this that I can see which 
>> > would support that.
> I wrote to them and asked these questions, as well as a few others.
>
> What other questions should we pose to them, I wonder?
Reading quickly through the documents, there seems to be no information about US FISA court orders, so that might be something to ask them about. I am concerned about the possibility that FISA is being abused to access large swaths of user data (esp given FAA provisions and secret interpretation of section 215 of Patriot Act). You could suggest general rounded numbers for FISA like for NSLs. Doubt you'll get any info, though.

That said, kudos to MS for releasing this info and to people for pushing them on Skype!

--
Dan Auerbach
Staff Technologist
Electronic Frontier Foundation
dan at eff.org
415 436 9333 x134

--
Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech

More information about the liberationtech mailing list