On Thursday, Microsoft released its latest batch of semi-annual transparency reports, which revealed that global law enforcement legal requests for Microsoft user data decreased by more than 17 percent from 2015 to 2016, while U.S. Foreign Intelligence Surveillance Act (FISA) orders seeking content from the tech company jumped significantly in the first six months of 2016.
According to the company's U.S. National Security Orders Report, FISA requests for content increased from a range of 0-499 in the second half of 2015 to 1,000-1,499 in the following six months. (More specific data is not available to the public.)
Even though the number of these requests at least doubled, if not tripled, only 12,000-12,499 accounts were actually impacted by these orders in the first half of 2016, compared to 17,500 – 17,999 during the previous six months. This suggests that that FISA content orders issued from January to June 2016 were narrower in scope than the FISA content orders that were issued over the previous six-month period.
There were 0-499 FISA orders seeking non-content data in the first six months of 2016 – same as the previous six months. Altogether, 1,000 – 1,499 accounts were impacted by the most recently reported orders – the largest total for any six month period since Microsoft debuted its National Security Orders Report in the second half of 2011.
Meanwhile, in its Law Enforcement Requests Report, Microsoft disclosed that in the second half of 2016 it received 25,837 legal requests for customer information from law enforcement agencies, with 44,876 account users specified in these requests. Of these requests, 4,739 of came from U.S.-based agencies, and nearly 3.7 percent resulted in the disclosure of content, as opposed to only subscriber and transactional data. Altogether, there were 61,409 legal requests in 2016, which represents a decrease from 2015's total of 74,311.
As part of these disclosures, Microsoft also released a January 2014 National Security Letter (NSL) that it received from the FBI, which demanded data pertaining to a specific customer under investigation. Microsoft reported receiving between 0 and 499 NSL orders in the second half of 2016.
Microsoft became one of the latest tech companies to publish an NSL following the enactment of the USA Freedom Act of 2015, which sets guidelines for terminating nondisclosure requirements imposed by NSLs.
"The reforms in the USA Freedom Act were a positive step forward and we believe reasonable limits on the routine use of government secrecy should be adopted more broadly," said Steve Lippman, Microsoft's director of corporate responsibility, in a corporate blog post. "There are times when secrecy is vital to an investigation, but too often secrecy orders are unnecessarily used, or are needlessly indefinite and prevent us from telling customers of intrusions even after investigations are long over. That's why we asked a federal court to weigh in on the increasing frequency of these orders. Our hope is this lawsuit will lead to new rules or laws that keep secrecy for times when it is truly essential."
The lawsuit to which Lippman is referring was filed by Microsoft last April against the Department Of Justice. The suit challenged restrictions that prevent the tech company from disclosing to its customers when the government issues a warrant seeking users' email content or other sensitive information.
In that filing with the U.S. District Court in Western Washington, Microsoft contended that the DOJ is abusing Section 2705(b) of the ECPA, which allows government agencies to delay notification of content information requests if such a disclosure could threaten an ongoing government inquiry.
Microsoft acknowledged that disclosure in certain instances might hinder a sensitive investigation and tip off a suspect. However, the company contends that Section 2705(b) is being applied far too broadly to cases where there is no compelling reason to withhold disclosure, and that it essentially gives federal agencies the power to place indefinite gag orders on third-party service providers.
"As individuals and business have moved their most sensitive information to the cloud, the government has increasingly adopted the tactic of obtaining the private digital documents of cloud customers not from the customers themselves, but through legal process directed at online cloud providers like Microsoft," the lawsuit states. "At the same time, the government seeks secrecy orders under 18 U.S.C. § 2705(b) to prevent Microsoft from telling its customers (or anyone else) of the government's demands. These secrecy orders generally assert that abiding by the centuries-old requirement of seeking evidence directly from its owner would jeopardize the government's investigation."
According to Microsoft, federal courts in the 18 months prior the lawsuit's filing issued close to 2,600 secrecy orders preventing the company from referencing warrants and other legal processes that requested the company's customer data. Of these gag orders, about 68 percent had no fixed end date applied to them.
The DOJ declined to comment on the pending litigation.
CORRECTION April 15, 2017: The original version of the story stated that Microsoft's lawsuit against the DOJ was filed on April 14 of this year (yesterday). However, the lawsuit was actually filed in 2016. SC Media changed the story accordingly.