I’ve got my hands on a copy of the leaked, confidential Microsoft “Global Criminal Compliance Handbook,” which details for police and intelligence services exactly what information Microsoft collects about users of its online services, and how they can be accessed.
What is gathered and available about you is quite comprehensive, including your emails, detailed information about when you sign in and use the services, credit card information, and so on.
The handbook was first leaked by the whistleblowing site Cryptome. Microsoft asked that the document be removed from the site, under the Digital Millennium Copyright Act. The site was instead shut down, and as I write this, it is in the process of being restored.
The handbook is available at the Wikileaks site. That’s where I got it, after unsuccessfully trying to get it via BitTorrent networks. In a statement, Microsoft said that it is no longer trying to have the document removed, so it may soon be available elsewhere.
The report, published in March 2008, is labeled “U.S. Domestic Version,” which makes one wonder whether there’s also a version available for U.S. agencies that operate primarily overseas and for foreign governments. But I don’t know whether such a document exists. Also, the document may have been superseded by a later one, although I don’t know that, either.
The handbook details exactly how police and intelligence agencies can get the information, including where to serve legal process, and how to make emergency requests for the information. It notes, for example:
Microsoft Online Services will respond to emergency requests outside of normal business hours if the emergency involves “the danger of death or physical injury to any person…” as permitted in 18 U.S.C. § 2702(b)(8) and (c)(4). Emergencies are limited to situations like kidnapping, murder threats, bomb threats, terrorism threats, etc. If you have an emergency request, please call the law enforcement hotline at (425) 722-1299.
The report describes what information is available from Microsoft Online services for police and intelligence services, including:
Authentication Service: Windows Live ID
Instant Messaging: Windows Live Messenger
Social Networking Services: Windows Live Spaces & MSN Groups
Custom Domains: Windows Live Admin Center & Office Live Small Business
Online File Storage: Office Live Workspace & Windows Live SkyDrive
Gaming: Xbox Live
What’s available is the actual content of your communications — for example, copies of your emails — as well as other information, such as your connection history and associated data that you provided to Microsoft during the registration process. The document spells out, in exacting detail,what is available for law enforcement and intelligence agenies. For example, here’s an excerpt that details what emails are available from people who are MSN Premium subscribers:
Stored E-mail Records for MSN Premium Customers:
Microsoft’s systems only store the e-mails a user has elected to maintain in the account. Therefore, the only e-mails provided in response to legal process seeking stored e-mail content will be the e-mails stored in the “Folders on MSN” section of a user’s account.
Be aware that users may also store e-mail content on their computer’s hard drive. Microsoft will not be able to disclose e-mail content stored on a user’s computer — only e-mail content stored on Microsoft’s e-mail servers.
The document also gives advice and tips to law enforcement and intelligence agencies about how to understand the information that Microsoft provides. Several pages, for example, are devoted to helping agencies understand how to interpret information about Windows Live ID log-ins, showing, for example, when people log in and out, IP address history, and so on.
Interestingly, the document contains just about no information about Windows Live SkyDrive, which is Microsoft’s free online file storage service. The document only has a single-sentence description of the service, along with a screenshot. I assume that the files on the service can be gotten by police and intelligence agencies, but there are no details about that, so for me at, least, it’s an open question.
Quite a bit of information is available about XBox Live users. Here’s what the document says can be gotten by police and intelligence officials:
What records are retained and for how long?
Both registration and IP connection history records are retained for the life of the gamertag account. Because the volume of IP connection history records may be large, when possible please ask for the specific date range of records you are specifically interested in receiving. A full listing of retained records is below:
* Credit card number
* First/last name with zip code
* Serial number but only if box has been registered online. “Console ID” is better.
* Service request number from Xbox Hotline (e.g. SR 103xx-xx-xx)
* E-mail account (e.g. @msn.com, @hotmail.com or any other Windows Live ID account name)
* IP history for the lifetime of the gamertag (only one gamertag at a time)
If your investigation involves a stolen Xbox console, if the console serial number or Xbox LIVE user gamertag is provided and the console has been connected to the Internet, IP connection records may be available.
Especially noteworthy is the final section of the document, which spells out in detail what information Microsoft is required by law to provide to police and intelligence agencies. Here, for example, is a small section:
Information that may be disclosed with a subpoena. Basic subscriber information includes name, address, length of service (start date), screen names, other email accounts, IP address/IP logs/Usage logs, billing information, content (other than e-mail, such as in Windows Live Spaces and MSN Groups) and e-mail content more than 180 days old as long as the governmental entity follows the customer notification provisions in ECPA (see 18 U.S.C. §§ 2703(b), 2705.)
The document goes on to explain that a court order is required for the rest of a customer’s profile. It also spells out when search warrants are required.
None of this should be a surprise. All companies, not just Microsoft, comply with laws that require them to turn over information to police and intelligence agencies. So Microsoft is not to blame. But it’s certainly eye-opening to see what they turn over, and how they do it.
Microsoft, by the way, has released a statement about the affair. Here’s what the company has to say:
“Like all service providers, Microsoft must respond to lawful requests from law enforcement agencies to provide information related to criminal investigations. We take our responsibility to protect our customers privacy very seriously, so have specific guidelines that we use when responding to law enforcement requests. In this case, we did not ask that this site be taken down, only that Microsoft copyrighted content be removed. We are requesting to have the site restored and are no longer seeking the document’s removal.”