Now Microsoft has raised the bar on transparency it’s time for governments to stop living in the past

By Simon Davies

Yesterday Microsoft published a breakdown of more than 75,000 requests issued to the company last year by law enforcement agencies for access to information about its customers.

The new data provides important insights into the nature of data being sought by police and other bodies. It also highlights both an emerging transparency gap between companies and agencies and an imminent privacy issue of vast proportions.

Police, security and other entities routinely approach companies to access stored data about customers. In 2012 Microsoft and Skype received a combined 75,378 such requests for customer information, which potentially involved data from 137,424 accounts from services such as Hotmail, SkyDrive, Outlook.com, Xbox LIVE and Skype. This 6:10 ratio of requests to targeted accounts is roughly comparable to other industry figures.

These requests – or demands – are often channeled through warrants, court orders or subpoenas. In many cases – conscious of legal and ethical constraints – agencies will specify primary “non content” transactional data such as usernames, e-mail addresses, gender, geographic location, IP addresses and dates and times of online traffic, rather than the secondary content such as the body of messages, which often carries a higher legal test for disclosure. There’s a growing awareness among prescient companies that this covert disclosure process needs the disinfectant of sunshine. The majority of companies, however, have failed to grasp why transparency will be crucial to public trust.

The Microsoft figures produced a few surprises. First among these for me was the finding that over eighteen percent of requests were rejected, either because of concerns over procedure and legality, or because no data were found. This raises disquieting questions over the competence of the agencies making such requests.

A second notable conclusion was that Microsoft received only eleven requests relating to Enterprise customers, most of which the company rejected or diverted. It would be interesting to read further analysis of this situation. Interestingly, no content data was released by Skype.

Microsoft’s analysis follows the publication of transparency reports by companies such as Twitter; however, the company’s contribution is deceptively significant. Because of its size and nature, Microsoft could inadvertently trigger pressure on financial institutions, retail chains and communications companies to follow suit. Microsoft is a geographically far-reaching organisation with a ubiquitous physical presence and an established and complex disclosure regime. In the light of its transparency initiative, giant global institutions such as banks – which have similar dynamics – may find it hard to justify maintaining secrecy.

There’s an overwhelming need for further transparency of disclosures. Without care the number of requests could soon skyrocket as agencies become more familiar with the global online ecosystem. Currently the disclosures from Microsoft are dwarfed, for example, by requests to ISPs for communications data made by UK public authorities. This figure now approaches half a million requests a year. Of equal significance is the trend toward enhanced and automated deep packet access to communications that will reach far into the social networking environment.

Transaction data – sometimes called “non content” or “communications data” – is often viewed as less sensitive than content data such as the body of emails. This perception is a legacy from the era of landline telephones. Modern analytics software can generate a highly detailed set of conclusions and inferences about a person’s interests, associations, transactions and movements. One of the most valuable elements of the Microsoft report is that it highlights the extent to which agencies are demanding transactional data and shows some of the related trends.

It’s worth reflecting for a moment however on the remarkably low figure of 14 content disclosures to non-US authorities. As the online environment becomes more pervasive this figure will not be sustainable. As procedures for requests become less cumbersome and more harmonised, governments are likely to make increasing use of content access facilities. The US requested over 1,500 content disclosures, more than a hundred times the number of requests from the rest of the world combined.

The rest of the world will, however, quickly catch up – particularly with the emergence of more surveillance-friendly international legal assistance treaties. These new global arrangements – particularly those between Europe and the US – have a lower degree of accountability and transparency than previous iterations, placing companies in a no-win situation.

The Microsoft report, like those preceding it, is a heartening advance for transparency, but unless sufficient attention is paid to the legal instruments that permit these disclosures, even the most diligent companies will soon be outflanked.