Over on Computerworld, blogger Preston Gralla describes some of the information that Microsoft can make available to law enforcement in his column, “Leaked Microsoft intelligence document: Here’s what Microsoft will reveal to police about you” post.
Looking over the leaked document, Microsoft® Online Services Global Criminal Compliance Handbook, it is similar to many other such compliance guides also available on Cryptome.org. For each of its services, it describes what types of user information it retains and for how long.
So what was the fuss about? According to Microsoft, the issue was not the contents of the file per se but the issue of protecting copyrighted material. Be that as it may, a few things in the guide caught my eye:
- Even though Microsoft maintains domain names for other countries, as of 2008, its domestic guide indicated that all e-mail service customer data is stored in the U.S. even if the account name contains a country specific domain.
- For original Xbox users and Xbox 360 users under 13, Microsoft retains (and can provide) date of birth, name, e-mail address, physical address, telephone, credit card number, type of credit card, credit card expiration date, and Microsoft Passport (the last only for Xbox 360 users under 13).
Part of the guide describes what type of legal process is required to obtain specific types of user information. Under the subsection for search warrants, it says:
Search warrants are required for contents. A search warrant will compel disclosure of all information available with a court order issued pursuant to 2703(d) (as listed above), plus all contents (if prior notice is not provided or an order for delayed notice is not obtained), and is the only means to compel the disclosure of e-mails, including subject line, in electronic storage 180 days or less**.
**A Note About Opened E-mail Content less than 181 days: Under ECPA, e-mail in electronic storage for 180 days or less may be disclosed pursuant to a search warrant. While some have interpreted “in electronic storage” to refer only to unopened mail, a Ninth Circuit decision in Theofel et al v. Farey-Jones and Kwansy, 341 F.3d 978 (9th Cir. 2003) held that opened e-mails on ISP servers are also in “electronic storage.” Therefore, as Microsoft receives and processes legal process for its online services in the Ninth Circuit, Microsoft discloses both opened and unopened e-mail in electronic storage for 181 days or less only upon pursuant to a search warrant.
Reading the above gave me some small measure of appreciation for how difficult it must be, at times, to meet the varying laws in different regions or states. Of course, if companies didn’t retain so much damned information, it might not be so difficult.
Has anyone seen anything in the guide that seems particularly shocking or of concern?