A Closer Look at Microsoft’s FISA Disclosure Numbers
Late last night, software giant Microsoft joined Facebook in disclosing the total number of requests for information it received from government agencies in the U.S.
Numbers covering the final six months of 2012, shared in a company blog post, are slightly higher than Facebook’s.
As with Facebook’s disclosure on Friday night, Microsoft’s new figures include the number of requests made by law enforcement and national security agencies under the auspices of the Foreign Intelligence Surveillance Act. The disclosures were worked out as the result of a deal between the companies and government agencies because under current U.S. law, such disclosures are illegal.
Microsoft said it received between 6,000 and 7,000 requests for information from local, state and federal law enforcement agencies in the United States. The affected number of accounts was between 31,000 and 32,000.
Before adding six months’ worth of FISA requests to the overall statistical bucket, Microsoft had previously disclosed in its 2012 Law Enforcement Requests Report that it had received 11,073 requests for information affecting 24,565 accounts from government entities in the U.S. during all 12 months of 2012.
These requests covered the following services: Hotmail ad Outlook.com, SkyDrive, Xbox LIVE, Microsoft Account, Messenger and Office 365. Skype was reported separately in part because, before Microsoft bought it in 2011, it was tracking this data differently.
Assuming a consistent run rate, the difference between FISA-inclusive and the non-FISA numbers would suggest a difference of no more than about 3,000 overall requests per year.
But when taking into account the average number of accounts affected per request, the picture changes. In its FISA-inclusive figures for the second half of the year, Microsoft averaged between four and five accounts affected per request. That’s about double the average of 2.2 accounts per request in the earlier data that didn’t include FISA requests. (Facebook, in its FISA-inclusive disclosure, averaged about 2 accounts per request.)
What this suggests is that requests made to Microsoft by government agencies under FISA tend to cover multiple accounts more often than in non-FISA cases. Why the higher average? It’s unclear.
But here’s another bit of data that may tell part of the story. Remember that Microsoft’s non-FISA disclosures counted Skype, Microsoft’s audio and video calling service, separately. The 2012 report shows that U.S. agencies made 1,154 requests affecting 4,814 for an average of 3.62 accounts per request. This is just a guess from the math, but it may explain — at least in part — why the FISA-inclusive average of affected accounts is higher than the non-FISA one: Maybe it contained more Skype requests.
Also, this may be precisely the kind of analysis that makes the government so ticklish about releasing any of these numbers in the first place.