Last week, lawyers from Microsoft issued a demand under the Digital Millennium Copyright Act (DMCA) seeking the removal of leaked copies of Microsoft’s “Global Criminal Compliance Handbook” that pulled website Cryptome.org from the Internet, at least temporarily. The DMCA provides copyright owners with the ability to request that internet service providers remove infringing materials from websites. Microsoft’s DMCA demand to Cryptome’s service provider, Network Solutions, apparently resulted in removing Cryptome from the Web entirely, until Microsoft attorneys sent an email withdrawing the DMCA takedown demand.
Microsoft made this public statement:
Like all service providers, Microsoft must respond to lawful requests from law enforcement agencies to provide information related to criminal investigations. We take our responsibility to protect our customers privacy very seriously, so have specific guidelines that we use when responding to law enforcement requests. In this case, we did not ask that this site be taken down, only that Microsoft copyrighted content be removed. We are requesting to have the site restored and are no longer seeking the document’s removal.
Cryptome advertises itself as a site that “welcomes documents for publication that are prohibited by governments worldwide.” The site also promises that “[d]ocuments are removed from this site only by order served directly by a US court having jurisdiction.”
The Microsoft Compliance Handbook, dated March 2008, is a guide for law enforcement officers seeking to investigate users of Microsoft services such as Hotmail email, IM, Windows Live and other services. The Handbook outlines the data Microsoft keeps with respect to its users and provides law enforcement with instructions on what legal process is necessary for investigators to gain access to specific information. In the Handbook, Microsoft offers to provide the following information to investigators in response to a subpoena:
Basic subscriber information includ[ing] name, address, length of service (start date), screen names, other email accounts, IP address/IP logs/Usage logs, billing information, content (other than e-mail, such as in Windows Live Spaces and MSN Groups) and e-mail content more than 180 days old . . . .
This provision contrasts with Microsoft’s limits on access to other user data, such as recent email, “e-mail address book, Messenger contact lists, . . . [and] internet usage logs.” According to the Handbook, Microsoft will release this data in response to a search warrant or court order which, unlike a subpoena, must be approved by a judge after the government presents sufficient evidence.
Posts at Cryptome, as well as CNet, Tom’s Hardware, The Register,describe the Handbook variously as a “spy guide” and “wiretap guide.” Cooperation with government agencies has been a touchy subject for privacy advocates and service providers in the wake of alleged abuses by some that occurred after the 2001 terrorist attacks. However, the heart of the controversy generally has been the disclosure of customer information without any legal process or court involvement. In this case, Microsoft’s Handbook merely identifies what data is available in response to formal legal process, such as subpoenas, warrants and court orders.