Law Enforcement Requests Report

The Microsoft mission is to empower every person and every organization on the planet to achieve more, and all of our technologies are designed to further that mission. We place a premium on respecting and protecting the privacy of our customers, and work to earn their trust every day. At the same time, Microsoft recognizes that law enforcement plays a critically important role in keeping our customers—and our technology—safe and free from abuse or exploitation. We are hopeful that this data disclosure can better inform all sides in the critically important public discussion about how best to strike the balance between the privacy of our customers and the legitimate needs of law enforcement agencies that protect and serve their citizens.

Governments play a critical role in keeping the public safe. They had the legal means to investigate and access people’s personal information before modern cloud technology existed. They continue to have those legal means today. Microsoft has a team that works around the clock to respond rapidly when governments’ demands for data are legal, valid, and compulsory. At the same time, we believe our customers deserve predictability in how and when a government can access their data, and it should be up to national laws and international human rights standards — not the discretion of any company — to determine where the line is drawn. Our customers own both their “content data” and “non-content data,” and we regularly challenge government requests for data where there is a lawful basis for doing so. By only responding to valid legal process, we strive to offer customers clear expectations for what happens with their data.

As our law enforcement requests reports have shown, the overwhelming majority of requests seek information related to our free consumer services. By comparison, we have received very few requests for data associated with our commercial services used by enterprise customers.

For data hosted in the US, Microsoft follows the Electronic Communications Privacy Act. We require at least a subpoena before turning over non-content records, such as basic subscriber information or IP connection history, and we require a warrant or its equivalent before producing content. Irish law and European Union directives apply to the Hotmail and Outlook.com accounts hosted in Ireland.

As our report shows, every year we reject a number of law enforcement requests. Challenges to government requests can take many forms. In many of these cases, we simply inform the requesting government that we are unable to disclose the requested information and explain our reason for rejecting the request. We also, where it is appropriate, challenge requests in court.

There are many reasons why Microsoft may reject or challenge a request. For example, we might reject a request if it is facially invalid, improperly served on us, or requests data of a type not supported by the order or of the incorrect technology company. We may reject requests when they exceed the authority or jurisdiction of the requesting agency. We may reject a request if it is not signed or not appropriately authorized, contains the wrong dates, is not properly addressed, contains material mistakes, or is overly broad. We may also reject requests when no legal reason exists why the government cannot seek the data from enterprise customers themselves, rather than from Microsoft.

Our Global Human Rights Statement outlines our commitment to respect the universal human rights of our customers. By verifying law enforcement entities followed the laws and procedures in their jurisdictions before we respond to a request, we seek to ensure we are disclosing customer data only in authorized criminal investigations. Even when compliant with the laws of the requesting agency’s jurisdiction, Microsoft challenges law enforcement requests for enterprise customer data when the privacy regulations of the jurisdiction where the data host is located conflict with the laws of the requesting jurisdiction.

Microsoft produces data in response to valid legal requests from governmental entities in countries where Microsoft Corporation is located. We conduct a local legal review of each request we receive against both the local laws and standards and our own standards. We also periodically review our screening processes around the world to ensure we are following local judicial procedures and applying our Global Human Rights Statement.

Non-content data includes basic subscriber information, such as an email address, name, state, country, ZIP code, and IP address at time of registration. Other non-content data may include IP connection history, an Xbox Gamertag, and credit card or other billing information. We require a valid legal demand, such as a subpoena or court order, before we will consider disclosing non-content data to law enforcement.

Content is what our customers create, communicate, and store on or through our services, such as the words in an email exchanged between friends or business colleagues or the photographs and documents stored on OneDrive (formerly called SkyDrive) or other cloud offerings such as Office 365 and Azure. We require a warrant or its equivalent before we will consider disclosing content to law enforcement.

No. We do not provide any government with direct access to emails or instant messages, nor do we provide government access to customer data on a voluntary basis. Like all providers of communications services, we are sometimes obligated to comply with lawful demands from governments to turn over content for specific accounts, pursuant to a search warrant or court order. Some documents disclosed in the summer of 2013 were interpreted to suggest we made product changes to enable greater government access to customer communication. There were significant inaccuracies in the interpretations of these leaked government documents, and the product changes referenced did not facilitate greater government access to audio, video, messaging, or any other customer data.

No. We believe that you should control your own data. Microsoft does not give any government (including law enforcement, or other government entities) direct or unfettered access to customer data.

No. Microsoft does not build back doors into any of its products. We’ve been clear that we do not provide direct, unfettered access to customer data, and history shows we have a track record of declining requests to give voluntary access to customer data.

No. We do not design tools to enable voluntary surveillance of our customers. If we ever provide third parties with access to data about our customers, we expect those third parties to handle that data appropriately, meaning that they should not assist governments in voluntary, widespread surveillance of customers. Instead, these third parties should ensure that they only disclose personal data about customers in compliance with applicable law or in response to valid legal orders.

The US law, Communications Assistance for Law Enforcement Act, does not currently apply to many Microsoft services, including Skype, because they are not considered telecommunications services.

We announced in 2013 that we would increase encryption across our services both when data is traveling and when it is at rest, and we’ve provided updates along the way. Details on the encryption deployed in our products are regularly updated and can often be viewed by visiting the website associated with that product.

Many of our products use end-to-end encryption or deploy encryption extensively. We invest in encryption because it protects our customers from a range of threats including cybercrime. However, sometimes our customers wish to deploy technologies to fight cybercrime that require content to be decrypted in a secure environment somewhere in the process. For example, some customers may wish to run enterprise software that scans emails to detect phishing attacks or malicious code. Customers may also wish to take advantage of features like real-time language translation in Skype calls, which require us to temporarily and securely decrypt data. Our approach is to give customers choices while continuously working to improve encryption and other security measures so they can be applied broadly.

We do not provide any government with Microsoft’s encryption keys or the ability to break our encryption. In most cases, our default is for Microsoft to securely store customers’ encryption keys. Even Microsoft’s largest enterprise customers usually prefer we keep their keys to prevent accidental loss or theft. However, in many circumstances we also offer the option for consumers or enterprises to keep their own keys, in which case Microsoft does not maintain copies.

No. We do not provide any government with Microsoft’s encryption keys or the ability to break our encryption.

Yes. All government requests for data, including any that were accompanied by non-disclosure orders, also known as secrecy orders, are included in our transparency reports. Microsoft has a long history of successfully challenging unnecessary secret surveillance, both directly in communications with law enforcement and formally in court. Microsoft has also advocated in Congress to reform the US non-disclosure order statute, 18 U.S.C. § 2705, to ensure that such orders are properly narrowed, time-limited, and only approved by judges when truly necessary to protect a criminal investigation.

Microsoft requires official, signed, legally valid process issued pursuant to federal or local law and rules. Specifically, we require a subpoena or its equivalent before disclosing non-content, and only disclose content to law enforcement in response to a warrant (or its local equivalent). Microsoft’s compliance team reviews government demands for customer data to ensure the requests are valid, rejects those that are not valid, and only provides the data specified in the legal order. Moreover, Microsoft redirects the government to seek data from enterprise customers themselves when legally permitted. All law enforcement requests arrive at Microsoft through a secure portal, for which only vetted law enforcement agencies receive access. Once Microsoft reviews the demand and determines that it must provide data, the data specified in the valid legal order is provided to law enforcement through the same, secure portal.

We do this only in limited, defined circumstances. Pursuant to US law, we are required to report identified or suspected images exploiting children to the US National Center for Missing and Exploited Children (NCMEC). On occasion, we also report some limited information about a user when we have reason to believe the individual is about to harm themselves or someone else due to a public posting on one of our forums, on Xbox LIVE, or through referrals from other customers. If one of our customers or employees, or Microsoft itself, is the victim of a crime, we may report some limited information to law enforcement. Additionally, consistent with applicable law and industry practice, Microsoft sometimes discloses limited information to law enforcement where we believe the disclosure is necessary to prevent an emergency involving danger of death or serious physical injury to a person.

Microsoft considers emergency requests from law enforcement agencies around the world, and requires these requests be in writing on official letterhead, signed by a law enforcement authority. The request must contain a summary of the emergency, along with an explanation of how the information sought will assist law enforcement in addressing the emergency. Each request is carefully evaluated by Microsoft’s compliance team before any data is disclosed, and the disclosure is limited to the data that we believe would enable law enforcement to address the emergency. Some of the most common emergency requests involve suicide threats and kidnappings. Every six months, we publish information about the emergency requests we receive in this Law Enforcement Requests Report.

Yes. We require a warrant (or equivalent process) before we will consider releasing content. Like other companies, we’ve implemented the holding of US v. Warshak, which says that email users maintain a reasonable expectation of privacy in the content of their emails. In order to obtain a warrant for data, the government must present the evidence it possesses to a judge and convince that judge that probable cause exists to believe a crime has been committed, and evidence of that crime will be found in the data it seeks.  Moreover, the alleged crime must have some connection with the jurisdiction seeking the warrant. Because the government can obtain a subpoena with much less rigor, the law prohibits the disclosure of content data via subpoena. Microsoft would similarly reject any other court order for content that falls below the warrant, or equivalent, standard based on probable cause.

No. Sometimes we seek to narrow the scope of requests, either by seeking to limit the type or amount of data to be provided or by requesting the government seek the data directly from the customer. When a request addresses our commercial services, we always attempt to redirect the government to obtain the information directly from our customer. Except in the most limited circumstances, we believe that government agencies can go directly to business or government customers for information about one of their employees — just as they did before these customers moved to the cloud — and that they can do so without undermining their investigation or national security. If appropriate, we may also file a formal legal challenge in court seeking to modify or quash a legal order.

Not necessarily. While no customer information is provided to governments in response to a rejected request, it is possible that the government later submitted a valid request for the same information.

Yes, consistent with industry practice and as permitted by law, we do, in limited circumstances, disclose information to criminal law enforcement agencies where we believe the disclosure is necessary to prevent an emergency involving danger of death or serious physical injury to a person. Microsoft considers emergency requests from law enforcement agencies around the world. Those requests must be in writing on official letterhead and signed by a law enforcement authority. The request must contain a summary of the emergency, along with an explanation of how the information sought will assist law enforcement in addressing the emergency. Each request is carefully evaluated by Microsoft’s compliance team before any data is disclosed, and the disclosure is limited to the data that we believe would enable law enforcement to address the emergency. Some of the most common emergency requests involve suicide threats and kidnappings. A summary of the emergency requests received is included in the downloadable version of this report.

Microsoft has long believed that secrecy should be the exception, used only temporarily and when clearly necessary to protect sensitive investigations, rather than the norm. Microsoft has repeatedly and successfully challenged the U.S. government to limit its use of non-disclosure or secrecy orders, which prevent us from notifying our customers of a government demand for their data. See Ensuring secrecy orders are the exception not the rule when the government seeks data owned by our customers - Microsoft On the Issues and Continued progress and support in fighting secrecy orders - Microsoft On the Issues. And, in 2021, Microsoft provided testimony to the U.S. House of Representatives Committee on the Judiciary in support of statutory reforms to the secrecy order statute. See The need for legislative reform on secrecy orders - Microsoft On the Issues.

In the second half of 2022, Microsoft received secrecy orders attached to 28% percent of U.S. legal demands, including federal, state, and local law enforcement demands, totaling 1,465 secrecy orders. Of these, 1,184 were issued by federal law enforcement authorities.

Sometimes. Pursuant to US law, Microsoft is entitled to seek reimbursement for costs associated with compliance with a valid legal demand. We only charge in an attempt to recover some costs associated with the need to comply with US legal demands. To be clear, these reimbursements cover only a portion of the costs we actually incur to comply with legal orders. We do not, however, charge in emergency situations or in known child exploitation investigations. For additional information about how we use and protect customer information, please read the Microsoft Privacy Statement.

Fewer customers are impacted than the number of accounts impacted, but for a variety of reasons, it is difficult to determine an exact number. For example, a single request may seek information about multiple accounts belonging to one user, or the same accounts may also be subject to repeat orders in different time frames and, as a result, be "double counted."

Yes. Microsoft gives prior notice to users whose data is sought by a law enforcement agency or other governmental entity, except where prohibited by law. We may withhold notice in exceptional circumstances, such as emergencies where notice could result in danger (e.g., child exploitation investigations), or where notice would be counterproductive (e.g., where the user’s account has been hacked). Microsoft also provides delayed notice to users upon expiration of a valid and applicable nondisclosure order unless Microsoft, in its sole discretion, believes that providing notice could result in danger to identifiable individuals or groups or be counterproductive.

In December 2015 we announced that we will notify customers if we have evidence they have been the target of an attempted “state-sponsored” attack. These notifications do not mean that Microsoft’s own systems have in any way been compromised.

Microsoft receives legal demands for customer data from civil litigation parties around the world. Microsoft does not respond to private requests other than those received through a valid legal process. Microsoft adheres to the same principles for all civil proceeding legal requests as it does for government agency requests for user data, requiring nongovernmental civil litigants to follow the applicable laws, rules, and procedures for requesting customer data.

If a nongovernmental party wants customer data, it needs to follow applicable legal process–meaning, it must serve us with a valid subpoena or court order for content or subscriber information or other non-content data. For content requests, we require specific lawful consent of the account owner and for all requests we provide notice to the account owner unless prohibited by law from doing so. We require that any requests be targeted at specific accounts and identifiers. The Microsoft compliance team reviews civil proceeding legal requests for user data to ensure the requests are valid, rejects those that are not valid, and only provides the data specified in the legal order. A summary of the Microsoft team’s responses to civil litigation requests for customer data is included in the downloadable version of this report.

Yes. Except where prohibited by law, Microsoft will give prior notice to customers whose data is sought by a civil proceeding litigant. Microsoft sometimes receives civil proceeding legal demands that prohibit us from notifying our customer. In some cases, we request permission to notify our customer or even challenge the nondisclosure order. In some cases, Microsoft has persuaded the requesting party that its interests in the underlying litigation will not be prejudiced by Microsoft providing notice.

No. This report covers requests from law enforcement agencies—usually local or national police departments investigating a range of criminal activity. The aggregate number of requests we receive under US national security laws, such as the Foreign Intelligence Surveillance Act (FISA), are published online every six months in our US National Security Orders Reports.

In the first half of 2023, Microsoft received 172 requests from law enforcement around the world for accounts associated with enterprise cloud customers. In 107 cases, these requests were rejected, withdrawn, there was no data, or law enforcement was successfully redirected to the customer. In 65 cases, Microsoft was compelled to provide responsive information: 28 of these cases required the disclosure of some customer content and in 37 of the cases we were compelled to disclose non-content information only. Of the 28 instances that required disclosure of content data, 22 of those requests were associated with U.S. law enforcement.

In the second half of 2022, Microsoft received 147 requests from law enforcement around the world for accounts associated with enterprise cloud customers. In 76 cases, these requests were rejected, withdrawn, no data, or law enforcement was successfully redirected to the customer. In 71 cases, Microsoft was compelled to provide responsive information: 38 of these cases required the disclosure of some customer content and in 33 of the cases we were compelled to disclose non-content information only. Of the 38 instances that required disclosure of content data, 33 of those requests were associated with U.S. law enforcement.

A consumer service is generally one subscribed to and used by an individual in their personal capacity. Some examples include Hotmail/Outlook.com, OneDrive, Xbox Live and Skype. For purposes of this report, “enterprise customer” generally includes those organizations or entities (commercial, government or educational) that purchase more than 50 “seats” for one of our commercial cloud offerings, such as Microsoft 365, Exchange Online, and CRM Online. Those organizations, in turn, may provide services, such as email, to individual employees, students or others.

No. The CLOUD Act amends US law to make clear that law enforcement may compel US-based service providers to disclose data that is in their “possession, custody, or control” regardless of where the data is located. This law, however, does not change any of the legal and privacy protections that previously applied to law enforcement requests for data – and those protections continue to apply. Microsoft adheres to the same principles and customer commitments related to government demands for user data.

In the second half of 2022, Microsoft received 4,908 legal demands for consumer data from law enforcement in the United States. Of those, 53 warrants sought content data which was stored outside of the United States.

In the same time frame, Microsoft received 62 legal demands from law enforcement in the United States for commercial enterprise customers who purchased more than 50 seats. Of those demands, there were content data disclosures related to 4 non-US enterprise customers whose data was stored outside of the United States.

In the first half of 2023, Microsoft received 58 legal demands from law enforcement in the United States for commercial enterprise customers who purchased more than 50 seats. Of those demands, there were content data disclosures related to 4 non-US enterprise customers whose data was stored outside of the United States.

In the first half of 2023, there were zero disclosures of Dynamics 365 data belonging to a commercial, public sector, or educational customer.

In the second half of 2022, there were zero disclosures of Dynamics 365 data belonging to a commercial, public sector, or educational customer.

In the first half of 2023, there were zero disclosures of Azure content data belonging to a commercial, public sector, or educational customer.

In the second half of 2022, there were zero disclosures of Azure content data belonging to a commercial, public sector, or educational customer.

Yes. Microsoft gives prior notice to its enterprise customers of any third-party requests for their data, except where prohibited by law. We also provide our enterprise customers with notice upon expiration of a valid and applicable nondisclosure order. Except in the most limited circumstances, we believe governments can obtain information directly from our enterprise customers without jeopardizing investigations or risking harm to individuals, just as they did before the customer moved to the cloud. For the same reason, we believe that our enterprise customers can, except in the most exceptional circumstances, be notified about government requests for their data.