Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report
The glossary indicates the reporting only covers criminal law enforcement
matters, so it probably excludes national security requests. Another thing to
ask for in future iterations, given Google's precedent on NSLs.
//
Cynthia M. Wong
Senior Researcher on the Internet
Business Human Rights Division
Human Rights Watch
-Original Message-
From: liberationtech-boun...@lists.stanford.edu
[mailto:liberationtech-boun...@lists.stanford.edu] On Behalf Of Dan Auerbach
Sent: Thursday, March 21, 2013 4:14 PM
To: liberationtech@lists.stanford.edu
Subject: Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests
Report
On 03/21/2013 10:37 AM, Jacob Appelbaum wrote:
Joseph Lorenzo Hall:
On Thu Mar 21 12:27:47 2013, Jacob Appelbaum wrote:
Joseph Lorenzo Hall:
Two things seem particularly interesting: apparently zero
requests for content were fulfilled for Skype and the
associated FAQ [1] says CALEA (the US law that mandates intercept
capability) does not apply to Skype.
That seems particularly encouraging to me.
The FAQ is also interesting in that the non-content question
mentions location but then only lists state, country and ZIP
code as fields provided (I don't know how MSFT would have
access to precise geolocation, but that doesn't appear to be
something they provide). Also the NSL reporting in the FAQ is binned
in terms of thousands of NSLs...
so in 2009 they report receiving 0-999 NSLs and in 2010
1000-1999 NSLs (hard to tell if that was just one more NSL or a bunch).
I don't agree with that reading of the report. There is likely a
lot of word-smithing here - for example, Does Skype include
SkypeIn and SkypeOut or just Peer to Peer video, text and storage
of (other) meta-data? Does CALEA happen on the Skype side of
things or on the PTSN/VoIP service side of Skype{In,Out}? My
guess is the latter rather than the former.
Ok, I certainly agree there is probably a lot of wordsmithing here.
CALEA certainly applies to PSTN interconnection but then presumably
law enforcement would just go to the phone company which has
CALEA-compliant switching hardware there. (I think.)
Also, note that Microsoft Provided Guidance to Law Enforcement
- so when they say they didn't provide content, did they provide
the credentials? If so, the guidance could have allowed the Law
Enforcement to simply login and restore the account data. Or
perhaps merely disclosing a key?
They certainly don't describe what that means, which is strange
because for a transparency report with quantitative data, one would
want to bound what the categories of quantitative data are! I would
hope that MSFT would consider providing ciphertext and session keys
as providing content and increment the zeros in that column, but
there's no definitive statement in all of this that I can see which
would support that.
I wrote to them and asked these questions, as well as a few others.
What other questions should we pose to them, I wonder?
Reading quickly through the documents, there seems to be no information about
US FISA court orders, so that might be something to ask them about. I am
concerned about the possibility that FISA is being abused to access large
swaths of user data (esp given FAA provisions and secret interpretation of
section 215 of Patriot Act). You could suggest general rounded numbers for FISA
like for NSLs. Doubt you'll get any info, though.
That said, kudos to MS for releasing this info and to people for pushing them
on Skype!
--
Dan Auerbach
Staff Technologist
Electronic Frontier Foundation
d...@eff.org
415 436 9333 x134
--
Too many emails? Unsubscribe, change to digest, or change password by emailing
moderator at compa...@stanford.edu or changing your settings at
https://mailman.stanford.edu/mailman/listinfo/liberationtech
--
Too many emails? Unsubscribe, change to digest, or change password by emailing
moderator at compa...@stanford.edu or changing your settings at
https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report
RU and CN are a glaring absence, which will skew the overall compliance rates. In previous iterations of Google's report, they declined to report numbers from China because of concerns that the government would designate that data a state secret (heavily punishable). However, given that the Skype data reports on both China and Russia, that doesn't seem to be the justification here? // Cynthia M. Wong Senior Researcher on the Internet Business Human Rights Division Human Rights Watch -Original Message- From: liberationtech-boun...@lists.stanford.edu [mailto:liberationtech-boun...@lists.stanford.edu] On Behalf Of Eric S Johnson Sent: Thursday, March 21, 2013 9:49 PM To: 'liberationtech' Subject: Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report I wrote to them and asked these questions, as well as a few others. What other questions should we pose to them, I wonder? Why are RU and CN (most glaringly) absent from the first chart enumerating the number (and type) of requests by country? It's hard to believe those countries' security services have no interest in (non-Skype) Microsoft data. Is MS defining those countries as having no legal standing to request MS data, and therefore any requests from them would be rejected out-of-hand? We provide SSL encryption for Microsoft services and Skype-Skype calls on our full client (for full function computers) are encrypted on a peer-to-peer basis; however, no communication method is 100% secure. For example ... users of the Skype thin client (used on smartphones, tablets and other hand-held devices) route communications over a wireless or mobile provider network. --Is the implication that the Skype clients used on smartphones don't provide the same end-to-end encrypted-by-session-specific-keys level of security that the Skype for Windows client does? Skype received 4,713 requests from law enforcement. ... Skype produced no content in response to these requests. --It's hard to believe that LEAs never validly requested a record of a Skype user's IM sessions. Perhaps LEAs don't know those data exist? Best, Eric -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report
Regarding SSL, hasn't Skype claimed in the past that the conversations are encrypted client-to-client, as in, even from Microsoft or Skype itself? If I'm right and my memory serves well, then it's striking that they only mentioned SSL in this report. NK On Fri, Mar 22, 2013 at 11:49 AM, Cynthia Wong wo...@hrw.org wrote: RU and CN are a glaring absence, which will skew the overall compliance rates. In previous iterations of Google's report, they declined to report numbers from China because of concerns that the government would designate that data a state secret (heavily punishable). However, given that the Skype data reports on both China and Russia, that doesn't seem to be the justification here? // Cynthia M. Wong Senior Researcher on the Internet Business Human Rights Division Human Rights Watch -Original Message- From: liberationtech-boun...@lists.stanford.edu [mailto: liberationtech-boun...@lists.stanford.edu] On Behalf Of Eric S Johnson Sent: Thursday, March 21, 2013 9:49 PM To: 'liberationtech' Subject: Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report I wrote to them and asked these questions, as well as a few others. What other questions should we pose to them, I wonder? Why are RU and CN (most glaringly) absent from the first chart enumerating the number (and type) of requests by country? It's hard to believe those countries' security services have no interest in (non-Skype) Microsoft data. Is MS defining those countries as having no legal standing to request MS data, and therefore any requests from them would be rejected out-of-hand? We provide SSL encryption for Microsoft services and Skype-Skype calls on our full client (for full function computers) are encrypted on a peer-to-peer basis; however, no communication method is 100% secure. For example ... users of the Skype thin client (used on smartphones, tablets and other hand-held devices) route communications over a wireless or mobile provider network. --Is the implication that the Skype clients used on smartphones don't provide the same end-to-end encrypted-by-session-specific-keys level of security that the Skype for Windows client does? Skype received 4,713 requests from law enforcement. ... Skype produced no content in response to these requests. --It's hard to believe that LEAs never validly requested a record of a Skype user's IM sessions. Perhaps LEAs don't know those data exist? Best, Eric -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report
On Fri, Mar 22, 2013 at 12:08:42PM -0400, Nadim Kobeissi wrote: Regarding SSL, hasn't Skype claimed in the past that the conversations are encrypted client-to-client, as in, even from Microsoft or Skype itself? Why is it relevant what they claimed? You can't check it, so why spend any time on guessing, while you could be running a system where you would *know for sure*. If I'm right and my memory serves well, then it's striking that they only mentioned SSL in this report. -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report
Eugen, Of course you're right, and I've made that specific argument about closed-source crypto many times before. But it's still interesting since we're trying to glean as much information as possible from that report here, which is a first for Skype. NK On Fri, Mar 22, 2013 at 12:16 PM, Eugen Leitl eu...@leitl.org wrote: On Fri, Mar 22, 2013 at 12:08:42PM -0400, Nadim Kobeissi wrote: Regarding SSL, hasn't Skype claimed in the past that the conversations are encrypted client-to-client, as in, even from Microsoft or Skype itself? Why is it relevant what they claimed? You can't check it, so why spend any time on guessing, while you could be running a system where you would *know for sure*. If I'm right and my memory serves well, then it's striking that they only mentioned SSL in this report. -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report
On Fri, Mar 22, 2013 at 10:49 AM, Cynthia Wong wo...@hrw.org wrote: Why are RU and CN (most glaringly) absent from the first chart enumerating the number (and type) of requests by country? It's hard to believe those countries' security services have no interest in (non-Skype) Microsoft data. Is MS defining those countries as having no legal standing to request MS data, and therefore any requests from them would be rejected out-of-hand? I actually read it as those countries have made no specific requests and that the missing surveillance is already accounted for in the normal operation of the system, such that no formal requests were necessary. At least, that's how I interpret that statement in light of the Businessweek-Skype article [0], which says, in part: The surveillance feature in TOM-Skype, which has 96 million users in China, scans messages for specific words and phrases. When the program finds a match, it sends a copy of the offending missive to a TOM-Skype server, along with the account’s username, time and date of transmission, and whether the message was sent or received by the user, Knockel’s research shows. Whether that information is then shared with the Chinese government is unknown. Yes, the article's talking about Skype, but if a service as popular as Skype includes such features, it's probably imprudent to assume that other MS services act differently, especially when there's a blatant hole in the data: there's no way Skype, with that feature enabled, could've turned over only 6 conversations, so I'm forced to disbelieve both sets of numbers. I make this statement under the assumption that Businessweek would be competent enough publish only independently-verifiable claims on the first page of such a sensitive article. If Businessweek is a bunch of lunkheads, then I may have to revise my opinions and suspicions. Nick 0: http://www.businessweek.com/articles/2013-03-08/skypes-been-hijacked-in-china-and-microsoft-is-o-dot-k-dot-with-it -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
[liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report
From the blog post: As noted in the data table (available in the PDF below) in 2012, Microsoft and Skype received a total of 75,378 law enforcement requests. Those requests potentially impacted 137,424 accounts. While it is not possible to directly compare the number of requests to the number of users affected, it is likely that less than 0.02% of active users were affected. The data shows that, after a careful review of each request by our compliance teams, 18% of law enforcement requests to Microsoft resulted in the disclosure of no customer data. Approximately 79.8% of requests to Microsoft resulted in the disclosure of only non-content information, and only a small number of law enforcement requests (2.2%) resulted in the disclosure of customer content. To further explain the data, we have included Frequently Asked Questions and Answers below. Report page: http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/ Blog post: http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx PDF: http://download.microsoft.com/download/F/3/8/F38AF681-EB3A-4645-A9C4-D4F31B8BA8F2/MSFT_Reporting_Data.pdf NY Times: http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html?pagewanted=all_r=1; -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report
We did it! Our Skype Open Letter worked!!! *Pats self on back* NK On Thu, Mar 21, 2013 at 10:04 AM, James Losey lo...@newamerica.net wrote: From the blog post: As noted in the data table (available in the PDF below) in 2012, Microsoft and Skype received a total of 75,378 law enforcement requests. Those requests potentially impacted 137,424 accounts. While it is not possible to directly compare the number of requests to the number of users affected, it is likely that less than 0.02% of active users were affected. The data shows that, after a careful review of each request by our compliance teams, 18% of law enforcement requests to Microsoft resulted in the disclosure of no customer data. Approximately 79.8% of requests to Microsoft resulted in the disclosure of only non-content information, and only a small number of law enforcement requests (2.2%) resulted in the disclosure of customer content. To further explain the data, we have included Frequently Asked Questions and Answers below. Report page: http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/ Blog post: http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx PDF: http://download.microsoft.com/download/F/3/8/F38AF681-EB3A-4645-A9C4-D4F31B8BA8F2/MSFT_Reporting_Data.pdf NY Times: http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html?pagewanted=all_r=1; -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report
Well done!! Sent from my iPhone On 21 Mar 2013, at 14:10, Nadim Kobeissi na...@nadim.ccmailto:na...@nadim.cc wrote: We did it! Our Skype Open Letter worked!!! *Pats self on back* NK On Thu, Mar 21, 2013 at 10:04 AM, James Losey lo...@newamerica.netmailto:lo...@newamerica.net wrote: From the blog post: As noted in the data table (available in the PDF below) in 2012, Microsoft and Skype received a total of 75,378 law enforcement requests. Those requests potentially impacted 137,424 accounts. While it is not possible to directly compare the number of requests to the number of users affected, it is likely that less than 0.02% of active users were affected. The data shows that, after a careful review of each request by our compliance teams, 18% of law enforcement requests to Microsoft resulted in the disclosure of no customer data. Approximately 79.8% of requests to Microsoft resulted in the disclosure of only non-content information, and only a small number of law enforcement requests (2.2%) resulted in the disclosure of customer content. To further explain the data, we have included Frequently Asked Questions and Answers below. Report page: http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/ Blog post: http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx PDF: http://download.microsoft.com/download/F/3/8/F38AF681-EB3A-4645-A9C4-D4F31B8BA8F2/MSFT_Reporting_Data.pdf NY Times: http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html?pagewanted=all_r=1; -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edumailto:compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edumailto:compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report
Re MSFT transparency, congrats on the result. In its FAQ. MSFT seems to answer quite unequivocally that Skype still encrypts Skype-Skype calls on a peer-to-peer basis: We provide SSL encryption for Microsoft services and Skype-Skype calls on our full client (for full function computers) are encrypted on a peer-to-peer basis; however, no communication method is 100% secure. For example Skype Out/In calls route through the existing telecommunications network for part of the call and users of the Skype thin client (used on smartphones, tablets and other hand-held devices) route communications over a wireless or mobile provider network. In addition, the end points of a communication are vulnerable to access by third parties such as criminals or governments. I don't see any wiggle room here, though perhaps it would be even better were MSFT to state that it therefore has no access to the contents of Skype-to-Skype peer-to-peer calls. Stefan -- On 21 Mar, at 15:31, Joseph Lorenzo Hall j...@cdt.org wrote: Two things seem particularly interesting: apparently zero requests for content were fulfilled for Skype and the associated FAQ [1] says CALEA (the US law that mandates intercept capability) does not apply to Skype. That seems particularly encouraging to me. The FAQ is also interesting in that the non-content question mentions location but then only lists state, country and ZIP code as fields provided (I don't know how MSFT would have access to precise geolocation, but that doesn't appear to be something they provide). Also the NSL reporting in the FAQ is binned in terms of thousands of NSLs... so in 2009 they report receiving 0-999 NSLs and in 2010 1000-1999 NSLs (hard to tell if that was just one more NSL or a bunch). best, Joe [1] https://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1 On Thu Mar 21 10:07:16 2013, Nadim Kobeissi wrote: We did it! Our Skype Open Letter worked!!! *Pats self on back* NK On Thu, Mar 21, 2013 at 10:04 AM, James Losey lo...@newamerica.net wrote: From the blog post: As noted in the data table (available in the PDF below) in 2012, Microsoft and Skype received a total of 75,378 law enforcement requests. Those requests potentially impacted 137,424 accounts. While it is not possible to directly compare the number of requests to the number of users affected, it is likely that less than 0.02% of active users were affected. The data shows that, after a careful review of each request by our compliance teams, 18% of law enforcement requests to Microsoft resulted in the disclosure of no customer data. Approximately 79.8% of requests to Microsoft resulted in the disclosure of only non-content information, and only a small number of law enforcement requests (2.2%) resulted in the disclosure of customer content. To further explain the data, we have included Frequently Asked Questions and Answers below. Report page: http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/ Blog post: http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx PDF: http://download.microsoft.com/download/F/3/8/F38AF681-EB3A-4645-A9C4-D4F31B8BA8F2/MSFT_Reporting_Data.pdf NY Times: http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html?pagewanted=all_r=1; -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech We did it! Our Skype Open Letter worked!!! *Pats self on back* NK On Thu, Mar 21, 2013 at 10:04 AM, James Losey lo...@newamerica.net mailto:lo...@newamerica.net wrote: From the blog post: As noted in the data table (available in the PDF below) in 2012, Microsoft and Skype received a total of 75,378 law enforcement requests. Those requests potentially impacted 137,424 accounts. While it is not possible to directly compare the number of requests to the number of users affected, it is likely that less than 0.02% of active users were affected. The data shows that, after a careful review of each request by our compliance teams, 18% of law enforcement requests to Microsoft resulted in the disclosure of no customer data. Approximately 79.8% of requests to Microsoft resulted in the disclosure of only non-content information, and only a small number of law enforcement requests (2.2%) resulted in the disclosure of customer content. To further explain the data, we have included Frequently Asked Questions and Answers below. Report page: http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/ Blog post:
Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report
Joseph Lorenzo Hall:
Two things seem particularly interesting: apparently zero requests for
content were fulfilled for Skype and the associated FAQ [1] says CALEA
(the US law that mandates intercept capability) does not apply to Skype.
That seems particularly encouraging to me.
The FAQ is also interesting in that the non-content question mentions
location but then only lists state, country and ZIP code as fields
provided (I don't know how MSFT would have access to precise
geolocation, but that doesn't appear to be something they provide). Also
the NSL reporting in the FAQ is binned in terms of thousands of NSLs...
so in 2009 they report receiving 0-999 NSLs and in 2010 1000-1999 NSLs
(hard to tell if that was just one more NSL or a bunch).
I don't agree with that reading of the report. There is likely a lot of
word-smithing here - for example, Does Skype include SkypeIn and
SkypeOut or just Peer to Peer video, text and storage of (other)
meta-data? Does CALEA happen on the Skype side of things or on the
PTSN/VoIP service side of Skype{In,Out}? My guess is the latter rather
than the former.
Also, note that Microsoft Provided Guidance to Law Enforcement - so
when they say they didn't provide content, did they provide the
credentials? If so, the guidance could have allowed the Law
Enforcement to simply login and restore the account data. Or perhaps
merely disclosing a key?
All the best,
Jacob
--
Too many emails? Unsubscribe, change to digest, or change password by emailing
moderator at compa...@stanford.edu or changing your settings at
https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report
On Thu Mar 21 12:27:47 2013, Jacob Appelbaum wrote:
Joseph Lorenzo Hall:
Two things seem particularly interesting: apparently zero requests for
content were fulfilled for Skype and the associated FAQ [1] says CALEA
(the US law that mandates intercept capability) does not apply to Skype.
That seems particularly encouraging to me.
The FAQ is also interesting in that the non-content question mentions
location but then only lists state, country and ZIP code as fields
provided (I don't know how MSFT would have access to precise
geolocation, but that doesn't appear to be something they provide). Also
the NSL reporting in the FAQ is binned in terms of thousands of NSLs...
so in 2009 they report receiving 0-999 NSLs and in 2010 1000-1999 NSLs
(hard to tell if that was just one more NSL or a bunch).
I don't agree with that reading of the report. There is likely a lot of
word-smithing here - for example, Does Skype include SkypeIn and
SkypeOut or just Peer to Peer video, text and storage of (other)
meta-data? Does CALEA happen on the Skype side of things or on the
PTSN/VoIP service side of Skype{In,Out}? My guess is the latter rather
than the former.
Ok, I certainly agree there is probably a lot of wordsmithing here.
CALEA certainly applies to PSTN interconnection but then presumably law
enforcement would just go to the phone company which has
CALEA-compliant switching hardware there. (I think.)
Also, note that Microsoft Provided Guidance to Law Enforcement - so
when they say they didn't provide content, did they provide the
credentials? If so, the guidance could have allowed the Law
Enforcement to simply login and restore the account data. Or perhaps
merely disclosing a key?
They certainly don't describe what that means, which is strange because
for a transparency report with quantitative data, one would want to
bound what the categories of quantitative data are! I would hope that
MSFT would consider providing ciphertext and session keys as providing
content and increment the zeros in that column, but there's no
definitive statement in all of this that I can see which would support
that.
best, Joe
--
Too many emails? Unsubscribe, change to digest, or change password by emailing
moderator at compa...@stanford.edu or changing your settings at
https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report
Joseph Lorenzo Hall:
On Thu Mar 21 12:27:47 2013, Jacob Appelbaum wrote:
Joseph Lorenzo Hall:
Two things seem particularly interesting: apparently zero requests for
content were fulfilled for Skype and the associated FAQ [1] says CALEA
(the US law that mandates intercept capability) does not apply to Skype.
That seems particularly encouraging to me.
The FAQ is also interesting in that the non-content question mentions
location but then only lists state, country and ZIP code as fields
provided (I don't know how MSFT would have access to precise
geolocation, but that doesn't appear to be something they provide). Also
the NSL reporting in the FAQ is binned in terms of thousands of NSLs...
so in 2009 they report receiving 0-999 NSLs and in 2010 1000-1999 NSLs
(hard to tell if that was just one more NSL or a bunch).
I don't agree with that reading of the report. There is likely a lot of
word-smithing here - for example, Does Skype include SkypeIn and
SkypeOut or just Peer to Peer video, text and storage of (other)
meta-data? Does CALEA happen on the Skype side of things or on the
PTSN/VoIP service side of Skype{In,Out}? My guess is the latter rather
than the former.
Ok, I certainly agree there is probably a lot of wordsmithing here.
CALEA certainly applies to PSTN interconnection but then presumably law
enforcement would just go to the phone company which has
CALEA-compliant switching hardware there. (I think.)
Also, note that Microsoft Provided Guidance to Law Enforcement - so
when they say they didn't provide content, did they provide the
credentials? If so, the guidance could have allowed the Law
Enforcement to simply login and restore the account data. Or perhaps
merely disclosing a key?
They certainly don't describe what that means, which is strange because
for a transparency report with quantitative data, one would want to
bound what the categories of quantitative data are! I would hope that
MSFT would consider providing ciphertext and session keys as providing
content and increment the zeros in that column, but there's no
definitive statement in all of this that I can see which would support
that.
I wrote to them and asked these questions, as well as a few others.
What other questions should we pose to them, I wonder?
All the best,
Jacob
--
Too many emails? Unsubscribe, change to digest, or change password by emailing
moderator at compa...@stanford.edu or changing your settings at
https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report
On 03/21/2013 10:37 AM, Jacob Appelbaum wrote:
Joseph Lorenzo Hall:
On Thu Mar 21 12:27:47 2013, Jacob Appelbaum wrote:
Joseph Lorenzo Hall:
Two things seem particularly interesting: apparently zero requests for
content were fulfilled for Skype and the associated FAQ [1] says CALEA
(the US law that mandates intercept capability) does not apply to
Skype.
That seems particularly encouraging to me.
The FAQ is also interesting in that the non-content question mentions
location but then only lists state, country and ZIP code as fields
provided (I don't know how MSFT would have access to precise
geolocation, but that doesn't appear to be something they provide).
Also
the NSL reporting in the FAQ is binned in terms of thousands of NSLs...
so in 2009 they report receiving 0-999 NSLs and in 2010 1000-1999 NSLs
(hard to tell if that was just one more NSL or a bunch).
I don't agree with that reading of the report. There is likely a lot of
word-smithing here - for example, Does Skype include SkypeIn and
SkypeOut or just Peer to Peer video, text and storage of (other)
meta-data? Does CALEA happen on the Skype side of things or on the
PTSN/VoIP service side of Skype{In,Out}? My guess is the latter rather
than the former.
Ok, I certainly agree there is probably a lot of wordsmithing here.
CALEA certainly applies to PSTN interconnection but then presumably law
enforcement would just go to the phone company which has
CALEA-compliant switching hardware there. (I think.)
Also, note that Microsoft Provided Guidance to Law Enforcement - so
when they say they didn't provide content, did they provide the
credentials? If so, the guidance could have allowed the Law
Enforcement to simply login and restore the account data. Or perhaps
merely disclosing a key?
They certainly don't describe what that means, which is strange because
for a transparency report with quantitative data, one would want to
bound what the categories of quantitative data are! I would hope that
MSFT would consider providing ciphertext and session keys as providing
content and increment the zeros in that column, but there's no
definitive statement in all of this that I can see which would support
that.
I wrote to them and asked these questions, as well as a few others.
What other questions should we pose to them, I wonder?
Reading quickly through the documents, there seems to be no information
about US FISA court orders, so that might be something to ask them
about. I am concerned about the possibility that FISA is being abused to
access large swaths of user data (esp given FAA provisions and secret
interpretation of section 215 of Patriot Act). You could suggest general
rounded numbers for FISA like for NSLs. Doubt you'll get any info, though.
That said, kudos to MS for releasing this info and to people for pushing
them on Skype!
--
Dan Auerbach
Staff Technologist
Electronic Frontier Foundation
d...@eff.org
415 436 9333 x134
--
Too many emails? Unsubscribe, change to digest, or change password by emailing
moderator at compa...@stanford.edu or changing your settings at
https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report
On 3/21/13 5:27 PM, Jacob Appelbaum wrote:
I don't agree with that reading of the report. There is likely a lot of
word-smithing here - for example, Does Skype include SkypeIn and
SkypeOut or just Peer to Peer video, text and storage of (other)
meta-data? Does CALEA happen on the Skype side of things or on the
PTSN/VoIP service side of Skype{In,Out}? My guess is the latter rather
than the former.
Nice consideration for SkypeIn/Out.
Just to say that if in Italy LEA ask a local provider for wiretapping
and it refuse to comply with the request, he is violating ministry of
communication licensing rules and he can be immediately revocated
telecommunication license.
And it's unreasonable to think that in a country with 60mln person like
Italy there was no requests done to Skype, especially considering the
special task force of prosecutors and lawyers that has been setup some
years ago (pre-microsoft acquisition) to make pressure on Skype at EU level.
So i'll add a question:
Does Microsoft/Skype transparency report consider also requests that are
done from non-US authorities to Microsoft Corporation or to non-US
branch of Microsoft (like Microsoft Italia) ?
Fabio
--
Too many emails? Unsubscribe, change to digest, or change password by emailing
moderator at compa...@stanford.edu or changing your settings at
https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report
I wrote to them and asked these questions, as well as a few others. What other questions should we pose to them, I wonder? Why are RU and CN (most glaringly) absent from the first chart enumerating the number (and type) of requests by country? It's hard to believe those countries' security services have no interest in (non-Skype) Microsoft data. Is MS defining those countries as having no legal standing to request MS data, and therefore any requests from them would be rejected out-of-hand? We provide SSL encryption for Microsoft services and Skype-Skype calls on our full client (for full function computers) are encrypted on a peer-to-peer basis; however, no communication method is 100% secure. For example ... users of the Skype thin client (used on smartphones, tablets and other hand-held devices) route communications over a wireless or mobile provider network. --Is the implication that the Skype clients used on smartphones don't provide the same end-to-end encrypted-by-session-specific-keys level of security that the Skype for Windows client does? Skype received 4,713 requests from law enforcement. ... Skype produced no content in response to these requests. --It's hard to believe that LEAs never validly requested a record of a Skype user's IM sessions. Perhaps LEAs don't know those data exist? Best, Eric -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
