Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Microsoft Releases 2012 Law Enforcement Requests Report

Jacob Appelbaum jacob at appelbaum.net
Thu Mar 21 10:37:25 PDT 2013


Joseph Lorenzo Hall:
> 
> 
> On Thu Mar 21 12:27:47 2013, Jacob Appelbaum wrote:
>> Joseph Lorenzo Hall:
>>> Two things seem particularly interesting: apparently zero requests for
>>> content were fulfilled for Skype and the associated FAQ [1] says CALEA
>>> (the US law that mandates intercept capability) does not apply to Skype.
>>> That seems particularly encouraging to me.
>>>
>>> The FAQ is also interesting in that the non-content question mentions
>>> "location" but then only lists state, country and ZIP code as fields
>>> provided (I don't know how MSFT would have access to precise
>>> geolocation, but that doesn't appear to be something they provide). Also
>>> the NSL reporting in the FAQ is binned in terms of thousands of NSLs...
>>> so in 2009 they report receiving 0-999 NSLs and in 2010 1000-1999 NSLs
>>> (hard to tell if that was just one more NSL or a bunch).
>>>
>>
>> I don't agree with that reading of the report. There is likely a lot of
>> word-smithing here - for example, Does Skype include SkypeIn and
>> SkypeOut or just Peer to Peer video, text and storage of (other)
>> meta-data? Does CALEA happen on the Skype side of things or on the
>> PTSN/VoIP service side of Skype{In,Out}? My guess is the latter rather
>> than the former.
> 
> Ok, I certainly agree there is probably a lot of wordsmithing here. 
> CALEA certainly applies to PSTN interconnection but then presumably law 
> enforcement would just go to the phone company which has 
> CALEA-compliant switching hardware there. (I think.)
> 
>> Also, note that Microsoft "Provided Guidance to Law Enforcement" - so
>> when they say they didn't provide content, did they provide the
>> credentials? If so, the guidance could have allowed the "Law
>> Enforcement" to simply login and restore the account data. Or perhaps
>> merely disclosing a key?
> 
> They certainly don't describe what that means, which is strange because 
> for a transparency report with quantitative data, one would want to 
> bound what the categories of quantitative data are! I would hope that 
> MSFT would consider providing ciphertext and session keys as "providing 
> content" and increment the zeros in that column, but there's no 
> definitive statement in all of this that I can see which would support 
> that.

I wrote to them and asked these questions, as well as a few others.

What other questions should we pose to them, I wonder?

All the best,
Jacob




More information about the liberationtech mailing list