US National Security Orders Report
Explore the Foreign Intelligence Surveillance Act Orders and National Security Letters reports dating back to 2011.
Prior to 2014, US technology providers were not allowed to report any information regarding US national security demands. As a result of litigation that Microsoft and other technology companies filed against the US government in 2014, the government agreed for the first time to permit technology companies to publish data about FISA orders. While there remain some constraints on what we can publish, this report presents the most comprehensive, legally permissible picture of the types of requests that we receive from the US government pursuant to national security authorities. We report on the number of orders received; however, receipt of an order does not mean Microsoft disclosed any information. We have successfully challenged requests in court, and will continue to do so, when we believe there are reasonable grounds for a challenge. Microsoft applies the same principles to any government demand for data regardless of whether that demand pertains to a criminal or national security investigation.
The data below reflects the most detailed information we may report pursuant to US law on the aggregate number of orders received pursuant to FISA, and the range of accounts impacted during the most recent six-month period that the law allows us to report. This aggregate FISA data covers six-month periods but may only be published six months after the end of a reporting period.
|
Reporting period |
Orders seeking disclosure of content |
Accounts impacted by orders seeking content |
Orders seeking disclosure of only non-content |
Accounts impacted by non-content orders |
|---|---|---|---|---|
|
Jan - June 2023 |
0 - 499 |
24,000 - 24,999 |
0 - 499 |
0 - 499 |
|
Jul - Dec 2022 |
0 - 499 |
20,500 - 20,999 |
0 - 499 |
0 - 499 |
|
Jan - June 2022 |
0 - 499 |
21,500 - 21,999 |
0 - 499 |
0 - 499 |
|
Jul - Dec 2021 |
0 - 499 |
21,000 - 21,499 |
0 - 499 |
0 - 499 |
|
Jan - June 2021 |
0 - 499 |
15,500 - 15,999 |
0 - 499 |
0 - 499 |
|
July - Dec 2020 |
0 - 499 |
15,000 - 15,499 |
0 - 499 |
0 - 499 |
|
Jan - June 2020 |
0 - 499 |
14,000 - 14,499 |
0 - 499 |
0 - 499 |
|
July - Dec 2019 |
0 - 499 |
14,500 - 14,999 |
0 - 499 |
0 - 499 |
|
Jan - June 2019 |
0 - 499 |
14,000 - 14,499 |
0 - 499 |
0 - 499 |
|
July - Dec 2018 |
0 - 499 |
13,500 - 13,999 |
0 - 499 |
0 - 499 |
|
Jan - June 2018 |
0 - 499 |
13,000 - 13,499 |
0 - 499 |
0 - 499 |
|
July - Dec 2017 |
0 - 499 |
12,500 - 12,999 |
0 - 499 |
0 - 499 |
|
Jan - June 2017 |
0 - 499 |
12,500 - 12,999 |
0 - 499 |
0 - 499 |
|
July - Dec 2016 |
0 - 499 |
13,000 - 13,499 |
0 - 499 |
0 - 499 |
|
Jan - June 2016 |
0 - 499 |
12,000 - 12,499 |
0 - 499 |
1,000 - 1,499 |
|
July - Dec 2015 |
0 - 499 |
17,500 - 17,999 |
0 - 499 |
0 - 499 |
|
Jan - June 2015 |
0 - 499 |
15,500 - 15,999 |
0 - 499 |
0 - 499 |
|
July - Dec 2014 |
0 - 999 |
18,000 - 18,999 |
0 - 999 |
0 - 999 |
|
Jan - June 2014 |
0 - 999 |
19,000 - 19,999 |
0 - 999 |
0 - 999 |
|
July - Dec 2013 |
0 - 999 |
18,000 - 18,999 |
0 - 999 |
0 - 999 |
|
Jan - June 2013 |
0 - 999 |
15,000 - 15,999 |
0 - 999 |
0 - 999 |
|
July - Dec 2012 |
0 - 999 |
16,000 - 16,999 |
0 - 999 |
0 - 999 |
|
Jan - June 2012 |
0 - 999 |
11,000 - 11,999 |
0 - 999 |
0 - 999 |
|
July - Dec 2011 |
0 - 999 |
11,000 - 11,999 |
0 - 999 |
0 - 999 |
No. Microsoft adheres to the same principles for all types of government demands for user data and does so across all Microsoft services.
The Foreign Intelligence Surveillance Act of 1978, or FISA, is a US law that authorizes certain types of foreign intelligence collection for national security purposes. A special independent federal court called the Foreign Intelligence Surveillance Court, or FISC, oversees such intelligence collection to ensure it is conducted consistent with the FISA statute and US Constitution, including the Fourth Amendment protection against unreasonable searches and seizures.
FISA includes authorities to compel telecommunications and technology providers to disclose certain communications and other content data as well as non-content data and also establishes important limitations on and oversight of those authorities.
Under FISA Section 702 (50 U.S. Code § 1881a et seq), the FISC may authorize the government to issue orders requiring companies to disclose content data, as well as non-content data, pertaining to specific non-US persons located outside the US in order to obtain certain judicially approved types of foreign intelligence information. This includes information to aid investigations into terrorism, weapons proliferation, and cybersecurity attacks. Based on a Presidential directive, Section 702 cannot be used to collect information for industrial espionage or to obtain a commercial advantage for US businesses. Nor can Section 702 be used to suppress or burden criticism or dissent, or disadvantage persons based on their ethnicity, race, gender, sexual orientation, or religion. In addition to approving an annual certification of the Section 702 surveillance program, the FISC reviews all compliance incidents to ensure that any access is conducted in accordance with approved targeting procedures, the FISA statute, as well as the Constitution. The Department of Justice is also required to report any compliance incidents to Congress.
Other provisions of FISA authorize the government, under the supervision of the FISC, to compel the production of certain non-content data. This includes pen register and trap and trace orders under 50 U.S.C. § 1842 as well as, under limited circumstances, business record orders under FISA Section 215.
The number of user accounts impacted by Foreign Intelligence Surveillance Act (FISA) orders that were received or active during the period of time. Since individuals may have multiple accounts across different Microsoft services — all of which are counted separately to determine the number of accounts impacted — this number will likely overstate the number of individuals subject to government orders.
National Security Letters may require the disclosure of basic subscriber information such as the name, address and length of service of a customer who has subscribed to one of our services. NSLs may not be used to require the disclosure of the content of a customer’s communications or data. NSLs may only be used to request basic subscriber information that is relevant to U.S. national security and cannot be used for criminal, civil, or administrative investigations.
The US government is required to report to Congress twice a year on how it uses NSLs and the Department of Justice audits the FBI’s use of NSLs to ensure compliance with the law.
No. All such orders that were received or active during the reporting period are reflected in our biannual US National Security Orders Reports.
Executive Order (EO) 12333 is a Presidential directive that organizes US intelligence activities and regulates the foreign intelligence collection of certain components of the US Intelligence Community. EO 12333 does not include any authorization to compel private companies, such as Microsoft, to disclose customer data, and Microsoft would not comply with a request from the US government under EO 12333 for Microsoft to voluntarily provide personal data.
Microsoft applies the same principles to any government demand for data and will notify customers except when prohibited by law. Microsoft also provides notice to customers upon expiration of a valid and binding nondisclosure order.
Pursuant to 18 U.S.C. § 2709(c)(1), the FBI may prohibit Microsoft from disclosing the receipt of an NSL if it certifies that disclosure may result in “a danger to the national security of the United States, interference with a criminal, counterterrorism, or counterintelligence investigation, interference with diplomatic relations, or danger to the life or physical safety of any person.” As a result of reforms in the USA FREEDOM Act, the FBI periodically reviews the need for non-disclosure provisions associated with previously issued NSLs. When we receive notice from the FBI that an NSL is no longer subject to a non-disclosure obligation and we are no longer prohibited from providing notice, we notify our customers.
Current law prohibits recipients of FISA orders from ever disclosing the existence of a FISA order.
US law prohibits us from disclosing more specific information regarding national security legal demands including FISA orders and NSLs. Microsoft disagrees with these laws and believes that greater transparency is critical to maintaining trust in the rule of law. Both in courts and in Congress, Microsoft has a long and successful history of advocating for additional transparency, and we are committed to working with policy makers to continue expanding our ability to provide more meaningful information to the public.
Microsoft applies the same principles to any government demand for data. We believe that governments should never place global technology providers in the middle of state-on-state intelligence gathering. Microsoft would challenge any demand for foreign public sector data from any government.
Countries around the world have legal authorities that allow governments to compel certain information from private companies in support of national security investigations. If Microsoft receives such a demand, we apply the same principles we do to any other government demand for data. These requests would be included in our biannual Law Enforcement Request Report.
