Since 1996, the whistleblower site Cryptome has been posting sensitive government and corporate documents. Now Cryptome has been removed from the web after releasing the Microsoft Online Services Global Criminal Compliance Handbook, a 'spy guide' for law enforcement detailing what data Microsoft has, keeps, and can relinquish.
Most of us are Microsoft users in one way or another - whether you purchase Xbox Live points, log on to Office Live or sending emails through Hotmail - so you probably have a few questions.
What is the 'Spy Guide'?
The Global Criminal Compliance Handbook is a quasi-comprehensive explanatory document meant for law enforcement officials seeking access to Microsoft's stored user information. It also provides sample language for subpoenas and diagrams on how to understand server logs.
I call it "quasi-comprehensive" because, at a mere 22 pages, it doesn't explore the nitty-gritty of Microsoft's systems; it's more like a data-hunting guide for dummies.
Which of my Microsoft services are affected?
All sorts. Microsoft keeps user information related to its online services. The data ranges from past emails to credit-card numbers. The information is kept for a designated period of time, sometimes forever.
The sites referenced are:
- Windows Live
- Windows Live ID
- Microsoft Office Live
- Xbox Live
- Windows Live Spaces
- Windows Live Messenger
- MSN Groups
Some of these Microsoft services may not apply to a lot of people. Who uses MSN Groups, for instance? But accessing personal information from Xbox Live accounts, for example, could be a big problem for 23 million subscribers; especially since Xbox Live keeps more data than many of Microsoft's other services.
What information does Microsoft have?
It depends on the service. We'll deal with the big ones here.
Windows Live ID
Windows Live ID is a one-stop shop for user info retention and is used on a multitude of sites to limit scattered user names and passwords. Because of its wide reach, Windows Live ID could allow law enforcement agencies to access tons of your personal web-surfing information. Microsoft keeps "the last 10 Microsoft site and IP connection record combinations (not the last 10, consecutive IP connection records)."
All things considered, that's not bad. It gets worse.
"Email account registration records are retained for the life of the account. Internet Protocol connection history records are retained for 60 days," according to the document. But if you, like many, switched over to Gmail and let your Hotmail account lapse, all email content is "typically deleted after 60 days of inactivity. Then if the user does not reactivate their account, the free MSN Hotmail and free Windows Live Hotmail account will become inactive after a period of time."
Email content that is older than 180 days can be disbursed "as long as the governmental entity follows the customer notification provisions in ECPA (see 18 U.S.C. §§ 2703(b), 2705)." If the content is less than 181 days, you need a search warrant.
Xbox Live stores a lot of information.
- Credit card number
- Phone number
- First/last name and location details
- Serial number (but only if box has been registered online)
- Service request number from Xbox Hotline (e.g. SR 103xx-xx-xx)
- Email accoun
- IP history for the lifetime of the gamertag (only one gamertag at a time)
This information comes in handy for non-nefarious purposes, just so you don't get completely paranoid. For instance, if your Xbox 360 console is stolen, Microsoft can hunt it down quickly using its vast tracking records of you and your machine.
Office Online and Windows Live SkyDrive
The scariest part of the handbook comes here. Office Online and Windows Live SkyDrive are both services that store documents and files in the cloud. The two pages devoted to these services describe only what the products are and not the access Microsoft has to pertinent information. What can Microsoft get at? How long is everything stored? What are the legal parameters? All of this is uncertain and worrying.
Cloud computing is the next big thing in technology. Companies are apt to store sensitive financial and human relations documents in one of Microsoft's clouds. If prompted by the government, Microsoft could (or couldn't?) dip its fingers into your spreadsheets and extract all it wants.
Next: the legal hoops to obtain all this information >>