Thursday, March 21, 2013

Microsoft joins the transparency movement (with an important Irish dimension)

Kudos to Microsoft for today publishing their first annual Transparency Report setting out details of how often national police forces seek to read customer content (such as emails) or to access other information on customers. This is done as part of their commitment as a member of the Global Network Initiative and it's striking, but alas not surprising, that this makes Microsoft considerably more transparent than the Irish government which refuses to reveal even this basic statistical information.

On to the data. In 2012, in relation to Microsoft products generally (Hotmail, Outlook.com, Messenger, etc.) Gardaí sought information in 72 different requests, relating to 222 different accounts. Of these requests, 5 resulted in user content being revealed (such as the actual contents of emails), 46 resulted in non-content user information being revealed (such as the IP address last used), 19 resulted in no data being found and 2 were rejected for not meeting legal requirements.

Skype, which Microsoft now owns, was treated separately. In relation to Skype Gardaí made 4 requests relating to 7 different accounts and there was no data disclosed in relation to any of those requests. (This mostly seems to be due to no data being found, but records aren't available for the entire year.) Also, in 2 cases the Skype support team provided general guidance to Gardaí regarding the procedures for accessing customer data.

There's an interesting comparison here with Google's Transparency Report. The overall numbers of requests by Gardaí to Microsoft and Google are very close (76 total for Microsoft for all of 2012; 34 for Google for the first six months of 2012). However the numbers of requests which result in information being provided are very different. In the case of Google data was provided in reply to just 2 of 34 requests (6%), while Microsoft provided data in response to 51 of 76 requests (67%). It's impossible to know without more information why that is and the low Google response rate might be just a blip for the particular six month period - nevertheless the difference is striking.

Significantly, Ireland was one of only four countries other than the US where user content was disclosed, the others being Brazil, Canada and New Zealand. The report doesn't make it clear why this is, but the FAQs imply that this may be due to Hotmail and Outlook.com accounts being hosted in Ireland and therefore being subject to local law.

The report also glosses over a question which has long interested me - what's the legal basis on which Microsoft will provide the contents of emails to Gardaí? Here's what the FAQs have to say:

What laws apply to Microsoft and Skype customer records and content? 

Irish law and European Union directives apply to the Hotmail and Outlook.com accounts hosted in Ireland...

How does Microsoft and Skype determine what law enforcement entities are able to request data? 

Microsoft must produce data in response to valid legal requests from U.S. and Irish law enforcement entities because we are headquartered in those jurisdictions or because we host data in those countries. Microsoft may disclose non-content data pursuant to a law enforcement request after it is validated locally and transmitted to our compliance teams in the U.S. and Ireland...

So - what exactly is a "valid legal request"? Irish law on interception doesn't seem to extend to webmail, suggesting that Microsoft are simply acting in response to non-statutory Garda requests rather than requiring a Ministerial warrant as would be required for telephone tapping. If so, the relevant law would be s.8 of the Data Protection Acts 1988 and 2003, which allows (but doesn't require) voluntary disclosures of user information in the context of criminal investigations. This would, however, be worrying if true as it would allow Garda access to email contents without any outside scrutiny (no Ministerial warrant or court order required) and without the other safeguards which would apply to telephone tapping - so no judicial oversight after the fact and no complaints mechanism available.

If this is the case then it would also put Ireland in breach of our obligations under Article 8 of the European Convention on Human Rights, which states that interferences with private communications must be "in accordance with the law", requiring that there should be a clear legal basis along with adequate mechanisms in place to oversee and guard against abuses of surveillance. (See in particular Klass v. Germany and Malone v. UK.)

More clarity on this point is required, and as soon as possible the law should be changed to ensure that emails enjoy the same protections as telephone calls.

1 comment:

  1. Thanks for this very interesting information. One question, how can you make them change the law?