Law Enforcement Requests Report

Non-content data include basic subscriber information, such as email address, name, state, country, ZIP code, and IP address at time of registration. Other non-content data may include IP connection history, an Xbox gamertag, and credit card or other billing information. We require a valid legal demand, such as a subpoena or court order, before we will consider disclosing non-content data to law enforcement.

Microsoft requires an official, signed document issued pursuant to local law and rules. Specifically, we require a subpoena or equivalent before disclosing non-content, and only disclose content to law enforcement in response to a warrant (or its local equivalent). Microsoft's compliance team reviews government demands for customer data to ensure the requests are valid, rejects those that are not valid, and only provides the data specified in the legal order.

The U.S. law, Communications Assistance for Law Enforcement Act, does not currently apply to many Microsoft services, including Skype, because they are not considered telecommunications services.

As our report shows, every year we reject a number of law enforcement requests. Challenges to government requests can take many forms. In many of these cases, we simply inform the requesting government that we are unable to disclose the requested information and explain our reason for rejecting the request. We also, where it is appropriate, challenge requests in court. 

Not necessarily. While no customer information is provided to governments in response to a rejected request, it is possible that the government later submitted a valid request for the same information.

Yes, consistent with industry practice and as permitted by law, we do, in limited circumstances, disclose information to criminal law enforcement agencies where we believe the disclosure is necessary to prevent an emergency involving danger of death or serious physical injury to a person. Microsoft considers emergency requests from law enforcement agencies around the world. Those requests must be in writing on official letterhead, and signed by a law enforcement authority. The request must contain a summary of the emergency, along with an explanation of how the information sought will assist law enforcement in addressing the emergency. Each request is carefully evaluated by Microsoft’s compliance team before any data is disclosed, and the disclosure is limited to the data that we believe would enable law enforcement to address the emergency. Some of the most common emergency requests involve suicide threats and kidnappings. A summary of the emergency requests received is included in the downloadable version of this report.

Microsoft receives legal demands for customer data from civil litigation parties around the world. Microsoft does not respond to private requests other than those received through a valid legal process. Microsoft adheres to the same principles for all civil proceeding legal requests as it does for government agency requests for user data, requiring nongovernmental civil litigants to follow the applicable laws, rules, and procedures for requesting customer data.

Yes. Except where prohibited by law, Microsoft will give prior notice to customers whose data is sought by a civil proceeding litigant. Microsoft sometimes receives civil proceeding legal demands that prohibit us from notifying our customer. In some cases, we request permission to notify our customer or even challenge the nondisclosure order. In some cases, Microsoft has persuaded the requesting party that its interests in the underlying litigation will not be prejudiced by Microsoft providing notice.

No. This report covers requests from law enforcement agencies—usually local or national police departments investigating a range of criminal activity. The aggregate number of requests we receive under U.S. national security laws, such as the Foreign Intelligence Surveillance Act (FISA), are published in the U.S. National Security Orders Reports online summary.

Fewer customers are impacted than the number of accounts impacted, but for a variety of reasons, it is difficult to determine an exact number. For example, a single request may seek information about multiple accounts belonging to one user, or the same accounts may also be subject to repeat orders in different time frames and, as a result, be "double counted."

In the second half of 2019, Microsoft received 83 requests from law enforcement around the world for accounts associated with enterprise cloud customers. In 33 cases, these requests were rejected, withdrawn, no data, or law enforcement was successfully redirected to the customer. In 50 cases, Microsoft was compelled to provide responsive information: 27 of these cases required the disclosure of some customer content and in 23 of the cases we were compelled to disclose non-content information only. Of the 27 instances that required disclosure of content data, 19 of those requests were associated with U.S. law enforcement.

No. The CLOUD Act amends U.S. law to make clear that law enforcement may compel U.S.-based service providers to disclose data that is in their “possession, custody, or control” regardless of where the data is located. This law, however, does not change any of the legal and privacy protections that previously applied to law enforcement requests for data – and those protections continue to apply. Microsoft adheres to the same principles and customer commitments related to government demands for user data.

A consumer service is generally one subscribed to and used by an individual in his or her personal capacity. Some examples include Hotmail/Outlook.com, OneDrive, Xbox Live and Skype. For purposes of this report, “enterprise customer” generally includes those organizations or entities (commercial, government or educational) that purchase more than 50 “seats” for one of our commercial cloud offerings, such as Office 365, Azure, Exchange Online and CRM Online. Those organizations, in turn, may provide services, such as email, to individual employees, students or others.

The Microsoft mission is to empower every person and every organization on the planet to achieve more, and all of our technologies are designed to further that mission. We place a premium on respecting and protecting the privacy of our customers, and work to earn their trust every day. At the same time, Microsoft recognizes that law enforcement plays a critically important role in keeping our customers—and our technology—safe and free from abuse or exploitation. We are hopeful that this data disclosure can better inform all sides in the critically important public discussion about how best to strike the balance between the privacy of our customers and the legitimate needs of law enforcement agencies that protect and serve their citizens.

We are aware of reports that some providers have developed tools that third parties use to voluntarily assist governments in conducting surveillance of that provider’s customers. We do not design tools to enable voluntary surveillance of our customers. If we ever provide third parties with access to data about our customers, we expect those third parties to handle that data appropriately, meaning that they should not assist governments in voluntary, widespread surveillance of customers. Instead, these third parties should ensure that they only disclose personal data about customers in compliance with applicable law or in response to valid legal orders.

We believe that you should control your own data. Microsoft does not give any government (including law enforcement, or other government entities) direct or unfettered access to customer data.

We do not provide any government with our encryption keys or the ability to break our encryption.