Transparency report from Microsoft follows open letter from rights groups

Microsoft’s efforts to be transparent are only part of the solution to a growing problem.

Skype - owned by software giant Microsoft - recently released a transparency report [Hashem Said/Al Jazeera]

Back in December, a young Lebanese activist and developer named Nadim Kobeissi sent an email around several lists. The gist: “Isn’t it time for an open letter regarding Skype?” Kobeissi was referring to an issue that’s been raised by numerous technologists and activists over the years: Whether or not Skype’s architecture allows for the company (and its parent company, Microsoft) to hand over call data to governments.

The letter was drafted quickly by a motley crew of interested parties and posted online, and Kobeissi began calling for signatories in mid-January. An excerpt from the letter – available in its entirety here – reads:

It is unfortunate that these users, and those who advise them on best security practices, work in the face of persistently unclear and confusing statements about the confidentiality of Skype conversations, and in particular the access that governments and other third parties have to Skype user data and communications.

Within days, a diverse and prestigious list of organisations and individuals – including Reporters Without Borders, the Egyptian Initiative for Personal Rights, and my own organisation, the Electronic Frontier Foundation (EFF) – had signed the letter, which was immediately picked up by mainstream media, making waves throughout the vast global digital rights community.

But then… radio silence. For nearly three months, the organisers waited, debating whether or not Microsoft would respond to their demands. On March 21, they finally got their response: Microsoft, like Google and Twitter before it, announced the release of a transparency report, showing the law enforcement requests received by the company.  

The report was well-received by some digital rights groups: Access tweeted “Transparency report from @Microsoft comes after January open letter from activists and digital rights organisations”, while the EFF stated in a blog post that they were “pleased to see that Microsoft has not only answered that letter on behalf of Skype, it has answered on behalf of the entire company”.

Transparency is key

Though Microsoft’s move was welcomed, the number of law enforcement requests should not be. In 2012, Microsoft and Skype received a total of 75,378 law enforcement requests, affecting as many as 137,424 accounts. By comparison, Google received only 42,327 requests during the same period, which is surprising given the number of social products offered by the company. Twitter received only 1,848.

The three companies are a minority when it comes to transparency. As EFF’s “Who Has Your Back?” campaign (updated yearly) shows, most companies fail to tell users about demands for their data, while only a handful of companies are publicly transparent about such requests.

Notably, Microsoft’s report – like Google’s before it – discloses some details about the secret National Security Letters (NSLs) it has received from the United States government: such data requests were made for between 11,000 and 14,996 of the company’s users in the period from 2009 to 2012. Just last week, a federal district court judge in San Francisco ruled that NSLs violate the US constitution.  

Most law enforcement requests aren’t so secretive. But without more companies like Microsoft and Google releasing detailed information on them publicly, users will remain in the dark. Facebook, Yahoo, and numerous other companies have yet to release data on the law enforcement requests they receive.

Lessons learned

In the aftermath of the campaign, Kobeissi is positive, reflecting on the lessons of the campaign that he led. “I think it was effective,” he says, “because we managed to get together a very well-written letter with realistic, well-defined demands from Microsoft and Skype.”

Indeed, few such campaigns – that is, those targeting Silicon Valley corporations – have that effect. Last year, a coalition of groups successfully got PayPal to back down on its denial of service to bookstores selling certain types of erotic literature. More recently, a campaign led by EFF and the ACLU of Northern California stopped Facebook from censoring certain political ads.  

Over the years, activists have made significant gains in getting companies to come forward on their privacy practices, but some say that there’s still a long road ahead. The Digital Due Process Coalition, which includes advocacy groups, corporations, and other stakeholders, aims to reform the Electronic Communications Privacy Act (ECPA), a 1986 statute that hasn’t been updated since its creation and which critics say sets inconsistent rules for governmental access to email and stored documents. With so much of our digital communications taking place on the “cloud”, legal reform is necessary to ensure privacy for all.

Kobeissi also believes that the accessibility of the campaign played a role in its success. “The website was made to be accessible and shareable… the letter was well-presented, well-referenced and you could learn more about each of the signatories. You could also share the letter easily on Facebook and Twitter,” he adds.

The campaign could serve as a strong model for future efforts. Unlike popular petition platforms like Change.org and AVAAZ, the letter to Skype used a dedicated website and opened signatures up to both individuals and organisations, adding clout. This helps, as Microsoft is unlikely to be affected by the complaints of individual users.

Furthermore, the letter brought disparate groups together. Organised over popular mailing lists such as one run by Stanford University, the letter was coordinated in such a way as to allow for open debate, the mark of a solid advocacy strategy.

In the end, Microsoft’s efforts to be transparent are only part of the solution to a growing problem. But the tech giant’s step in the right direction should nevertheless serve as a model for tech companies committed to respecting human rights.

Jillian York is director for international freedom of expression at the Electronic Frontier Foundation in San Francisco.

Follow her on Twitter: @jilliancyork