Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report

2013-03-22 Thread Nick Daly
On Fri, Mar 22, 2013 at 10:49 AM, Cynthia Wong  wrote:
>
> Why are RU and CN (most glaringly) absent from the first chart
> enumerating the number (and type) of requests by country? It's hard to
> believe those countries' security services have no interest in
> (non-Skype) Microsoft data.  Is MS defining those countries as having
> no legal standing to request MS data, and therefore any requests from
> them would be rejected out-of-hand?

I actually read it as "those countries have made no specific requests
and that the missing surveillance is already accounted for in the normal
operation of the system, such that no formal requests were necessary."
At least, that's how I interpret that statement in light of the
Businessweek-Skype article [0], which says, in part:

The surveillance feature in TOM-Skype, which has 96 million users in
China, scans messages for specific words and phrases.  When the
program finds a match, it sends a copy of the offending missive to a
TOM-Skype server, along with the account’s username, time and date
of transmission, and whether the message was sent or received by the
user, Knockel’s research shows.  Whether that information is then
shared with the Chinese government is unknown.

Yes, the article's talking about Skype, but if a service as popular as
Skype includes such features, it's probably imprudent to assume that
other MS services act differently, especially when there's a blatant
hole in the data: there's no way Skype, with that feature enabled,
could've turned over only 6 conversations, so I'm forced to disbelieve
both sets of numbers.

I make this statement under the assumption that Businessweek would be
competent enough to publish only independently-verifiable claims on the
first page of such a sensitive article.  If Businessweek is a bunch of
lunkheads, then I may have to revise my opinions and suspicions.

Nick

0: http://www.businessweek.com/articles/2013-03-08/skypes-been-hijacked-in-china-and-microsoft-is-o-dot-k-dot-with-it
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report

2013-03-22 Thread Nadim Kobeissi
Eugen,
Of course you're right, and I've made that specific argument about
closed-source crypto many times before. But it's still interesting since
we're trying to glean as much information as possible from that report
here, which is a first for Skype.


NK


On Fri, Mar 22, 2013 at 12:16 PM, Eugen Leitl  wrote:

> On Fri, Mar 22, 2013 at 12:08:42PM -0400, Nadim Kobeissi wrote:
> > Regarding SSL, hasn't Skype claimed in the past that the conversations are
> > encrypted client-to-client, as in, even from Microsoft or Skype itself?
>
> Why is it relevant what they claimed? You can't check it, so why
> spend any time on guessing, while you could be running a system
> where you would *know for sure*.
>
> > If I'm right and my memory serves well, then it's striking that they only
> > mentioned SSL in this report.

Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report

2013-03-22 Thread Eugen Leitl
On Fri, Mar 22, 2013 at 12:08:42PM -0400, Nadim Kobeissi wrote:
> Regarding SSL, hasn't Skype claimed in the past that the conversations are
> encrypted client-to-client, as in, even from Microsoft or Skype itself?

Why is it relevant what they claimed? You can't check it, so why
spend any time on guessing, while you could be running a system
where you would *know for sure*.
 
> If I'm right and my memory serves well, then it's striking that they only
> mentioned SSL in this report.


Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report

2013-03-22 Thread Nadim Kobeissi
Regarding SSL, hasn't Skype claimed in the past that the conversations are
encrypted client-to-client, as in, even from Microsoft or Skype itself?

If I'm right and my memory serves well, then it's striking that they only
mentioned SSL in this report.


NK


On Fri, Mar 22, 2013 at 11:49 AM, Cynthia Wong  wrote:

> RU and CN are a glaring absence, which will skew the overall compliance
> rates.
>
> In previous iterations of Google's report, they declined to report numbers
> from China because of concerns that the government would designate that
> data a state secret (heavily punishable).  However, given that the Skype
> data reports on both China and Russia, that doesn't seem to be the
> justification here?
>
>
> //
> Cynthia M. Wong
> Senior Researcher on the Internet
> Business & Human Rights Division
> Human Rights Watch
>
>
>
> -----Original Message-----
> From: liberationtech-boun...@lists.stanford.edu [mailto:
> liberationtech-boun...@lists.stanford.edu] On Behalf Of Eric S Johnson
> Sent: Thursday, March 21, 2013 9:49 PM
> To: 'liberationtech'
> Subject: Re: [liberationtech] Microsoft Releases 2012 Law Enforcement
> Requests Report
>
> > I wrote to them and asked these questions, as well as a few others.
> >
> > What other questions should we pose to them, I wonder?
>
> Why are RU and CN (most glaringly) absent from the first chart enumerating
> the number (and type) of requests by country? It's hard to believe those
> countries' security services have no interest in (non-Skype) Microsoft data.
> Is MS defining those countries as having no legal standing to request MS
> data, and therefore any requests from them would be rejected out-of-hand?
>
> "We provide SSL encryption for Microsoft services and Skype-Skype calls on
> our full client (for full function computers) are encrypted on a
> peer-to-peer basis; however, no communication method is 100% secure. For
> example ... users of the Skype thin client (used on smartphones, tablets
> and other hand-held devices) route communications over a wireless or mobile
> provider network."
> --Is the implication that the Skype clients used on smartphones
> don't provide the same end-to-end encrypted-by-session-specific-keys level
> of security that the Skype for Windows client does?
>
> "Skype received 4,713 requests from law enforcement. ... Skype produced no
> content in response to these requests."
> --It's hard to believe that LEAs never validly requested a record
> of a Skype user's IM sessions. Perhaps LEAs don't know those data exist?
>
> Best,
> Eric
>

Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report

2013-03-22 Thread Cynthia Wong
RU and CN are a glaring absence, which will skew the overall compliance rates.  

In previous iterations of Google's report, they declined to report numbers from 
China because of concerns that the government would designate that data a state 
secret (heavily punishable).  However, given that the Skype data reports on 
both China and Russia, that doesn't seem to be the justification here?  


//
Cynthia M. Wong
Senior Researcher on the Internet
Business & Human Rights Division
Human Rights Watch



-----Original Message-----
From: liberationtech-boun...@lists.stanford.edu 
[mailto:liberationtech-boun...@lists.stanford.edu] On Behalf Of Eric S Johnson
Sent: Thursday, March 21, 2013 9:49 PM
To: 'liberationtech'
Subject: Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests 
Report

> I wrote to them and asked these questions, as well as a few others.
> 
> What other questions should we pose to them, I wonder?

Why are RU and CN (most glaringly) absent from the first chart enumerating the 
number (and type) of requests by country? It's hard to believe those countries' 
security services have no interest in (non-Skype) Microsoft data.
Is MS defining those countries as having no legal standing to request MS data, 
and therefore any requests from them would be rejected out-of-hand?

"We provide SSL encryption for Microsoft services and Skype-Skype calls on our 
full client (for full function computers) are encrypted on a peer-to-peer 
basis; however, no communication method is 100% secure. For example ... users 
of the Skype thin client (used on smartphones, tablets and other hand-held 
devices) route communications over a wireless or mobile provider network."
--Is the implication that the Skype clients used on smartphones don't 
provide the same end-to-end encrypted-by-session-specific-keys level of 
security that the Skype for Windows client does?

"Skype received 4,713 requests from law enforcement. ... Skype produced no 
content in response to these requests."
--It's hard to believe that LEAs never validly requested a record of a 
Skype user's IM sessions. Perhaps LEAs don't know those data exist?

Best,
Eric



Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report

2013-03-22 Thread Cynthia Wong
The glossary indicates the reporting only covers criminal law enforcement 
matters, so it probably excludes national security requests.  Another thing to 
ask for in future iterations, given Google's precedent on NSLs.  




//
Cynthia M. Wong
Senior Researcher on the Internet
Business & Human Rights Division
Human Rights Watch




-----Original Message-----
From: liberationtech-boun...@lists.stanford.edu 
[mailto:liberationtech-boun...@lists.stanford.edu] On Behalf Of Dan Auerbach
Sent: Thursday, March 21, 2013 4:14 PM
To: liberationtech@lists.stanford.edu
Subject: Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests 
Report

On 03/21/2013 10:37 AM, Jacob Appelbaum wrote:
> Joseph Lorenzo Hall:
>>
>>
>> On Thu Mar 21 12:27:47 2013, Jacob Appelbaum wrote:
>>> Joseph Lorenzo Hall:
>>>> Two things seem particularly interesting: apparently zero
>>>> requests for content were fulfilled for Skype and the
>>>> associated FAQ [1] says CALEA (the US law that mandates intercept
>>>> capability) does not apply to Skype.
>>>> That seems particularly encouraging to me.
>>>>
>>>> The FAQ is also interesting in that the non-content question
>>>> mentions "location" but then only lists state, country and ZIP
>>>> code as fields provided (I don't know how MSFT would have
>>>> access to precise geolocation, but that doesn't appear to be
>>>> something they provide). Also the NSL reporting in the FAQ is binned
>>>> in terms of thousands of NSLs...
>>>> so in 2009 they report receiving 0-999 NSLs and in 2010
>>>> 1000-1999 NSLs (hard to tell if that was just one more NSL or a bunch).
>>>>
>>>
>>> I don't agree with that reading of the report. There is likely a
>>> lot of word-smithing here - for example, Does Skype include
>>> SkypeIn and SkypeOut or just Peer to Peer video, text and storage
>>> of (other) meta-data? Does CALEA happen on the Skype side of
>>> things or on the PSTN/VoIP service side of Skype{In,Out}? My
>>> guess is the latter rather than the former.
>>
>> Ok, I certainly agree there is probably a lot of wordsmithing here.
>> CALEA certainly applies to PSTN interconnection but then presumably
>> law enforcement would just go to the phone company which has
>> CALEA-compliant switching hardware there. (I think.)
>>
>>> Also, note that Microsoft "Provided Guidance to Law Enforcement"
>>> - so when they say they didn't provide content, did they provide
>>> the credentials? If so, the guidance could have allowed the "Law
>>> Enforcement" to simply login and restore the account data. Or
>>> perhaps merely disclosing a key?
>>
>> They certainly don't describe what that means, which is strange
>> because for a transparency report with quantitative data, one would
>> want to bound what the categories of quantitative data are! I would
>> hope that MSFT would consider providing ciphertext and session keys
>> as "providing content" and increment the zeros in that column, but
>> there's no definitive statement in all of this that I can see which
>> would support that.
> I wrote to them and asked these questions, as well as a few others.
>
> What other questions should we pose to them, I wonder?
Reading quickly through the documents, there seems to be no information about 
US FISA court orders, so that might be something to ask them about. I am 
concerned about the possibility that FISA is being abused to access large 
swaths of user data (esp given FAA provisions and secret interpretation of 
section 215 of Patriot Act). You could suggest general rounded numbers for FISA 
like for NSLs. Doubt you'll get any info, though.

That said, kudos to MS for releasing this info and to people for pushing them 
on Skype!

--
Dan Auerbach
Staff Technologist
Electronic Frontier Foundation
d...@eff.org
415 436 9333 x134



Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report

2013-03-21 Thread Eric S Johnson
> I wrote to them and asked these questions, as well as a few others.
> 
> What other questions should we pose to them, I wonder?

Why are RU and CN (most glaringly) absent from the first chart enumerating
the number (and type) of requests by country? It's hard to believe those
countries' security services have no interest in (non-Skype) Microsoft data.
Is MS defining those countries as having no legal standing to request MS
data, and therefore any requests from them would be rejected out-of-hand?

"We provide SSL encryption for Microsoft services and Skype-Skype calls on
our full client (for full function computers) are encrypted on a
peer-to-peer basis; however, no communication method is 100% secure. For
example ... users of the Skype thin client (used on smartphones, tablets and
other hand-held devices) route communications over a wireless or mobile
provider network."
--Is the implication that the Skype clients used on smartphones
don't provide the same end-to-end encrypted-by-session-specific-keys level
of security that the Skype for Windows client does?

"Skype received 4,713 requests from law enforcement. ... Skype produced no
content in response to these requests."
--It's hard to believe that LEAs never validly requested a record of
a Skype user's IM sessions. Perhaps LEAs don't know those data exist?

Best,
Eric



Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report

2013-03-21 Thread Fabio Pietrosanti (naif)
On 3/21/13 5:27 PM, Jacob Appelbaum wrote:
> I don't agree with that reading of the report. There is likely a lot of
> word-smithing here - for example, Does Skype include SkypeIn and
> SkypeOut or just Peer to Peer video, text and storage of (other)
> meta-data? Does CALEA happen on the Skype side of things or on the
> PSTN/VoIP service side of Skype{In,Out}? My guess is the latter rather
> than the former.
Nice consideration for SkypeIn/Out.

Just to say that if in Italy an LEA asks a local provider for wiretapping
and it refuses to comply with the request, it is violating Ministry of
Communication licensing rules and its telecommunication license can be
immediately revoked.

And it's unreasonable to think that in a country with 60 million people like
Italy no requests were made to Skype, especially considering the
special task force of prosecutors and lawyers that was set up some
years ago (pre-Microsoft acquisition) to put pressure on Skype at the EU level.

So I'll add a question:
Does the Microsoft/Skype transparency report also consider requests that are
made by non-US authorities to Microsoft Corporation or to a non-US
branch of Microsoft (like Microsoft Italia)?

Fabio


Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report

2013-03-21 Thread Dan Auerbach
On 03/21/2013 10:37 AM, Jacob Appelbaum wrote:
> Joseph Lorenzo Hall:
>>
>>
>> On Thu Mar 21 12:27:47 2013, Jacob Appelbaum wrote:
>>> Joseph Lorenzo Hall:
>>>> Two things seem particularly interesting: apparently zero requests for
>>>> content were fulfilled for Skype and the associated FAQ [1] says CALEA
>>>> (the US law that mandates intercept capability) does not apply to Skype.
>>>> That seems particularly encouraging to me.
>>>>
>>>> The FAQ is also interesting in that the non-content question mentions
>>>> "location" but then only lists state, country and ZIP code as fields
>>>> provided (I don't know how MSFT would have access to precise
>>>> geolocation, but that doesn't appear to be something they provide). Also
>>>> the NSL reporting in the FAQ is binned in terms of thousands of NSLs...
>>>> so in 2009 they report receiving 0-999 NSLs and in 2010 1000-1999 NSLs
>>>> (hard to tell if that was just one more NSL or a bunch).
>>>>
>>>
>>> I don't agree with that reading of the report. There is likely a lot of
>>> word-smithing here - for example, Does Skype include SkypeIn and
>>> SkypeOut or just Peer to Peer video, text and storage of (other)
>>> meta-data? Does CALEA happen on the Skype side of things or on the
>>> PSTN/VoIP service side of Skype{In,Out}? My guess is the latter rather
>>> than the former.
>>
>> Ok, I certainly agree there is probably a lot of wordsmithing here.
>> CALEA certainly applies to PSTN interconnection but then presumably law
>> enforcement would just go to the phone company which has
>> CALEA-compliant switching hardware there. (I think.)
>>
>>> Also, note that Microsoft "Provided Guidance to Law Enforcement" - so
>>> when they say they didn't provide content, did they provide the
>>> credentials? If so, the guidance could have allowed the "Law
>>> Enforcement" to simply login and restore the account data. Or perhaps
>>> merely disclosing a key?
>>
>> They certainly don't describe what that means, which is strange because
>> for a transparency report with quantitative data, one would want to
>> bound what the categories of quantitative data are! I would hope that
>> MSFT would consider providing ciphertext and session keys as "providing
>> content" and increment the zeros in that column, but there's no
>> definitive statement in all of this that I can see which would support
>> that.
> I wrote to them and asked these questions, as well as a few others.
>
> What other questions should we pose to them, I wonder?
Reading quickly through the documents, there seems to be no information
about US FISA court orders, so that might be something to ask them
about. I am concerned about the possibility that FISA is being abused to
access large swaths of user data (esp given FAA provisions and secret
interpretation of section 215 of Patriot Act). You could suggest general
rounded numbers for FISA like for NSLs. Doubt you'll get any info, though.

That said, kudos to MS for releasing this info and to people for pushing
them on Skype!

-- 
Dan Auerbach
Staff Technologist
Electronic Frontier Foundation
d...@eff.org
415 436 9333 x134



Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report

2013-03-21 Thread Jacob Appelbaum
Joseph Lorenzo Hall:
> 
> 
> On Thu Mar 21 12:27:47 2013, Jacob Appelbaum wrote:
>> Joseph Lorenzo Hall:
>>> Two things seem particularly interesting: apparently zero requests for
>>> content were fulfilled for Skype and the associated FAQ [1] says CALEA
>>> (the US law that mandates intercept capability) does not apply to Skype.
>>> That seems particularly encouraging to me.
>>>
>>> The FAQ is also interesting in that the non-content question mentions
>>> "location" but then only lists state, country and ZIP code as fields
>>> provided (I don't know how MSFT would have access to precise
>>> geolocation, but that doesn't appear to be something they provide). Also
>>> the NSL reporting in the FAQ is binned in terms of thousands of NSLs...
>>> so in 2009 they report receiving 0-999 NSLs and in 2010 1000-1999 NSLs
>>> (hard to tell if that was just one more NSL or a bunch).
>>>
>>
>> I don't agree with that reading of the report. There is likely a lot of
>> word-smithing here - for example, Does Skype include SkypeIn and
>> SkypeOut or just Peer to Peer video, text and storage of (other)
>> meta-data? Does CALEA happen on the Skype side of things or on the
>> PSTN/VoIP service side of Skype{In,Out}? My guess is the latter rather
>> than the former.
> 
> Ok, I certainly agree there is probably a lot of wordsmithing here. 
> CALEA certainly applies to PSTN interconnection but then presumably law 
> enforcement would just go to the phone company which has 
> CALEA-compliant switching hardware there. (I think.)
> 
>> Also, note that Microsoft "Provided Guidance to Law Enforcement" - so
>> when they say they didn't provide content, did they provide the
>> credentials? If so, the guidance could have allowed the "Law
>> Enforcement" to simply login and restore the account data. Or perhaps
>> merely disclosing a key?
> 
> They certainly don't describe what that means, which is strange because 
> for a transparency report with quantitative data, one would want to 
> bound what the categories of quantitative data are! I would hope that 
> MSFT would consider providing ciphertext and session keys as "providing 
> content" and increment the zeros in that column, but there's no 
> definitive statement in all of this that I can see which would support 
> that.

I wrote to them and asked these questions, as well as a few others.

What other questions should we pose to them, I wonder?

All the best,
Jacob



Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report

2013-03-21 Thread Joseph Lorenzo Hall


On Thu Mar 21 12:27:47 2013, Jacob Appelbaum wrote:
> Joseph Lorenzo Hall:
>> Two things seem particularly interesting: apparently zero requests for
>> content were fulfilled for Skype and the associated FAQ [1] says CALEA
>> (the US law that mandates intercept capability) does not apply to Skype.
>> That seems particularly encouraging to me.
>>
>> The FAQ is also interesting in that the non-content question mentions
>> "location" but then only lists state, country and ZIP code as fields
>> provided (I don't know how MSFT would have access to precise
>> geolocation, but that doesn't appear to be something they provide). Also
>> the NSL reporting in the FAQ is binned in terms of thousands of NSLs...
>> so in 2009 they report receiving 0-999 NSLs and in 2010 1000-1999 NSLs
>> (hard to tell if that was just one more NSL or a bunch).
>>
>
> I don't agree with that reading of the report. There is likely a lot of
> word-smithing here - for example, Does Skype include SkypeIn and
> SkypeOut or just Peer to Peer video, text and storage of (other)
> meta-data? Does CALEA happen on the Skype side of things or on the
> PSTN/VoIP service side of Skype{In,Out}? My guess is the latter rather
> than the former.

Ok, I certainly agree there is probably a lot of wordsmithing here. 
CALEA certainly applies to PSTN interconnection but then presumably law 
enforcement would just go to the phone company which has 
CALEA-compliant switching hardware there. (I think.)

> Also, note that Microsoft "Provided Guidance to Law Enforcement" - so
> when they say they didn't provide content, did they provide the
> credentials? If so, the guidance could have allowed the "Law
> Enforcement" to simply login and restore the account data. Or perhaps
> merely disclosing a key?

They certainly don't describe what that means, which is strange because 
for a transparency report with quantitative data, one would want to 
bound what the categories of quantitative data are! I would hope that 
MSFT would consider providing ciphertext and session keys as "providing 
content" and increment the zeros in that column, but there's no 
definitive statement in all of this that I can see which would support 
that.

best, Joe



Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report

2013-03-21 Thread Jacob Appelbaum
Joseph Lorenzo Hall:
> Two things seem particularly interesting: apparently zero requests for
> content were fulfilled for Skype and the associated FAQ [1] says CALEA
> (the US law that mandates intercept capability) does not apply to Skype.
> That seems particularly encouraging to me.
> 
> The FAQ is also interesting in that the non-content question mentions
> "location" but then only lists state, country and ZIP code as fields
> provided (I don't know how MSFT would have access to precise
> geolocation, but that doesn't appear to be something they provide). Also
> the NSL reporting in the FAQ is binned in terms of thousands of NSLs...
> so in 2009 they report receiving 0-999 NSLs and in 2010 1000-1999 NSLs
> (hard to tell if that was just one more NSL or a bunch).
> 

I don't agree with that reading of the report. There is likely a lot of
word-smithing here - for example, Does Skype include SkypeIn and
SkypeOut or just Peer to Peer video, text and storage of (other)
meta-data? Does CALEA happen on the Skype side of things or on the
PSTN/VoIP service side of Skype{In,Out}? My guess is the latter rather
than the former.

Also, note that Microsoft "Provided Guidance to Law Enforcement" - so
when they say they didn't provide content, did they provide the
credentials? If so, the guidance could have allowed the "Law
Enforcement" to simply login and restore the account data. Or perhaps
merely disclosing a key?

All the best,
Jacob


Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report

2013-03-21 Thread Stefan Geens
Re MSFT transparency, congrats on the result.

In its FAQ, MSFT seems to answer quite unequivocally that Skype still encrypts
Skype-Skype calls on a peer-to-peer basis:

"We provide SSL encryption for Microsoft services and Skype-Skype calls on our 
full client (for full function computers) are encrypted on a peer-to-peer 
basis; however, no communication method is 100% secure. For example Skype 
Out/In calls route through the existing telecommunications network for part of 
the call and users of the Skype thin client (used on smartphones, tablets and 
other hand-held devices) route communications over a wireless or mobile 
provider network. In addition, the end points of a communication are vulnerable 
to access by third parties such as criminals or governments."

I don't see any wiggle room here, though perhaps it would be even better were 
MSFT to state that it therefore has no access to the contents of Skype-to-Skype 
peer-to-peer calls. 
 
Stefan
--

On 21 Mar, at 15:31, Joseph Lorenzo Hall  wrote:

> Two things seem particularly interesting: apparently zero requests for
> content were fulfilled for Skype and the associated FAQ [1] says CALEA
> (the US law that mandates intercept capability) does not apply to Skype.
> That seems particularly encouraging to me.
> 
> The FAQ is also interesting in that the non-content question mentions
> "location" but then only lists state, country and ZIP code as fields
> provided (I don't know how MSFT would have access to precise
> geolocation, but that doesn't appear to be something they provide). Also
> the NSL reporting in the FAQ is binned in terms of thousands of NSLs...
> so in 2009 they report receiving 0-999 NSLs and in 2010 1000-1999 NSLs
> (hard to tell if that was just one more NSL or a bunch).
> 
> best, Joe
> 
> [1]
> https://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1
> 
> On Thu Mar 21 10:07:16 2013, Nadim Kobeissi wrote:
>> We did it! Our Skype Open Letter worked!!!
>> 
>> *Pats self on back*
>> 
>> 
>> NK
>> 
>> 
>> On Thu, Mar 21, 2013 at 10:04 AM, James Losey  wrote:
>> 
>>> From the blog post:
>>> 
>>> "As noted in the data table (available in the PDF below) in 2012,
>>> Microsoft and Skype received a total of 75,378 law enforcement requests.
>>> Those requests potentially impacted 137,424 accounts. While it is not
>>> possible to directly compare the number of requests to the number of users
>>> affected, it is likely that less than 0.02% of active users were affected.
>>> The data shows that, after a careful review of each request by our
>>> compliance teams, 18% of law enforcement requests to Microsoft resulted in
>>> the disclosure of no customer data. Approximately 79.8% of requests to
>>> Microsoft resulted in the disclosure of only non-content information, and
>>> only a small number of law enforcement requests (2.2%) resulted in the
>>> disclosure of customer content. To further explain the data, we have
>>> included Frequently Asked Questions and Answers below."
>>> 
>>> Report page:
>>> http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/
>>> Blog post:
>>> http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx
>>> PDF:
>>> http://download.microsoft.com/download/F/3/8/F38AF681-EB3A-4645-A9C4-D4F31B8BA8F2/MSFT_Reporting_Data.pdf
>>> NY Times:
>>> http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html?pagewanted=all&_r=1&;
>>> 
>>> 
>>> 
>>> --
>>> Too many emails? Unsubscribe, change to digest, or change password by
>>> emailing moderator at compa...@stanford.edu or changing your settings at
>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>> 

Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report

2013-03-21 Thread Paul Bernal (LAW)
Well done!!

Sent from my iPhone

On 21 Mar 2013, at 14:10, "Nadim Kobeissi" <na...@nadim.cc> wrote:

We did it! Our Skype Open Letter worked!!!

*Pats self on back*


NK


On Thu, Mar 21, 2013 at 10:04 AM, James Losey <lo...@newamerica.net> wrote:
From the blog post:
"As noted in the data table (available in the PDF below) in 2012, Microsoft and 
Skype received a total of 75,378 law enforcement requests. Those requests 
potentially impacted 137,424 accounts. While it is not possible to directly 
compare the number of requests to the number of users affected, it is likely 
that less than 0.02% of active users were affected. The data shows that, after 
a careful review of each request by our compliance teams, 18% of law 
enforcement requests to Microsoft resulted in the disclosure of no customer 
data. Approximately 79.8% of requests to Microsoft resulted in the disclosure 
of only non-content information, and only a small number of law enforcement 
requests (2.2%) resulted in the disclosure of customer content. To further 
explain the data, we have included Frequently Asked Questions and Answers 
below."

Report page: 
http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/
Blog post: 
http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx
PDF: 
http://download.microsoft.com/download/F/3/8/F38AF681-EB3A-4645-A9C4-D4F31B8BA8F2/MSFT_Reporting_Data.pdf
NY Times: 
http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html?pagewanted=all&_r=1&;




Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report

2013-03-21 Thread Joseph Lorenzo Hall
Two things seem particularly interesting: apparently zero requests for
content were fulfilled for Skype and the associated FAQ [1] says CALEA
(the US law that mandates intercept capability) does not apply to Skype.
That seems particularly encouraging to me.

The FAQ is also interesting in that the non-content question mentions
"location" but then only lists state, country and ZIP code as fields
provided (I don't know how MSFT would have access to precise
geolocation, but that doesn't appear to be something they provide). Also
the NSL reporting in the FAQ is binned in terms of thousands of NSLs...
so in 2009 they report receiving 0-999 NSLs and in 2010 1000-1999 NSLs
(hard to tell if that was just one more NSL or a bunch).

best, Joe

[1]
https://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1

On Thu Mar 21 10:07:16 2013, Nadim Kobeissi wrote:
> We did it! Our Skype Open Letter worked!!!
>
> *Pats self on back*
>
>
> NK
>
>
> On Thu, Mar 21, 2013 at 10:04 AM, James Losey wrote:
>
>> From the blog post:
>>
>> "As noted in the data table (available in the PDF below) in 2012,
>> Microsoft and Skype received a total of 75,378 law enforcement requests.
>> Those requests potentially impacted 137,424 accounts. While it is not
>> possible to directly compare the number of requests to the number of users
>> affected, it is likely that less than 0.02% of active users were affected.
>> The data shows that, after a careful review of each request by our
>> compliance teams, 18% of law enforcement requests to Microsoft resulted in
>> the disclosure of no customer data. Approximately 79.8% of requests to
>> Microsoft resulted in the disclosure of only non-content information, and
>> only a small number of law enforcement requests (2.2%) resulted in the
>> disclosure of customer content. To further explain the data, we have
>> included Frequently Asked Questions and Answers below."
>>
>> Report page:
>> http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/
>> Blog post:
>> http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx
>> PDF:
>> http://download.microsoft.com/download/F/3/8/F38AF681-EB3A-4645-A9C4-D4F31B8BA8F2/MSFT_Reporting_Data.pdf
>> NY Times:
>> http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html?pagewanted=all&_r=1&;
-- 
Joseph Lorenzo Hall
Senior 

Re: [liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report

2013-03-21 Thread Nadim Kobeissi
We did it! Our Skype Open Letter worked!!!

*Pats self on back*


NK


On Thu, Mar 21, 2013 at 10:04 AM, James Losey wrote:

> From the blog post:
>
> "As noted in the data table (available in the PDF below) in 2012,
> Microsoft and Skype received a total of 75,378 law enforcement requests.
> Those requests potentially impacted 137,424 accounts. While it is not
> possible to directly compare the number of requests to the number of users
> affected, it is likely that less than 0.02% of active users were affected.
> The data shows that, after a careful review of each request by our
> compliance teams, 18% of law enforcement requests to Microsoft resulted in
> the disclosure of no customer data. Approximately 79.8% of requests to
> Microsoft resulted in the disclosure of only non-content information, and
> only a small number of law enforcement requests (2.2%) resulted in the
> disclosure of customer content. To further explain the data, we have
> included Frequently Asked Questions and Answers below."
>
> Report page:
> http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/
> Blog post:
> http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx
> PDF:
> http://download.microsoft.com/download/F/3/8/F38AF681-EB3A-4645-A9C4-D4F31B8BA8F2/MSFT_Reporting_Data.pdf
> NY Times:
> http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html?pagewanted=all&_r=1&;

[liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report

2013-03-21 Thread James Losey
From the blog post:

"As noted in the data table (available in the PDF below) in 2012, Microsoft
and Skype received a total of 75,378 law enforcement requests. Those
requests potentially impacted 137,424 accounts. While it is not possible to
directly compare the number of requests to the number of users affected, it
is likely that less than 0.02% of active users were affected. The data
shows that, after a careful review of each request by our compliance teams,
18% of law enforcement requests to Microsoft resulted in the disclosure of
no customer data. Approximately 79.8% of requests to Microsoft resulted in
the disclosure of only non-content information, and only a small number of
law enforcement requests (2.2%) resulted in the disclosure of customer
content. To further explain the data, we have included Frequently Asked
Questions and Answers below."

Report page:
http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/
Blog post:
http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx
PDF:
http://download.microsoft.com/download/F/3/8/F38AF681-EB3A-4645-A9C4-D4F31B8BA8F2/MSFT_Reporting_Data.pdf
NY Times:
http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html?pagewanted=all&_r=1&;