Saturday, February 27, 2010
Leaked Microsoft intelligence document: Here's what Microsoft will reveal to police about you
Original post @ http://blogs.computerworld.com/15655/leaked_microsoft_intelligence_document_heres_what_microsoft_will_reveal_to_police_about_you
I've got my hands on a copy of the leaked, confidential Microsoft "Global Criminal Compliance Handbook," which details for police and intelligence services exactly what information Microsoft collects about users of its online services, and how they can be accessed. What is gathered and available about you is quite comprehensive, including your emails, detailed information about when you sign in and use the services, credit card information, and so on.
The handbook was first leaked by the whistleblowing site Cryptome. Microsoft asked that the document be removed from the site, under the Digital Millennium Copyright Act. The site was instead shut down, and as I write this, it is in the process of being restored.
The handbook is available at the Wikileaks site. That's where I got it, after unsuccessfully trying to get it via BitTorrent networks. In a statement, Microsoft said that it is no longer trying to have the document removed, so it may soon be available elsewhere.
The report, published in March 2008, is labeled "U.S. Domestic Version," which makes one wonder whether there's also a version available for U.S. agencies that operate primarily overseas and for foreign governments. But I don't know whether such a document exists. Also, the document may have been superseded by a later one, although I don't know that, either.
The handbook details exactly how police and intelligence agencies can get the information, including where to serve legal process, and how to make emergency requests for the information. It notes, for example:
Microsoft Online Services will respond to emergency requests outside of normal business hours if the emergency involves "the danger of death or physical injury to any person…" as permitted in 18 U.S.C. § 2702(b)(8) and (c)(4). Emergencies are limited to situations like kidnapping, murder threats, bomb threats, terrorism threats, etc. If you have an emergency request, please call the law enforcement hotline at (425) 722-1299.
The report describes what information is available from Microsoft Online Services for police and intelligence services, including:
* E-mail Services
* Authentication Service: Windows Live ID
* Instant Messaging: Windows Live Messenger
* Social Networking Services: Windows Live Spaces & MSN Groups
* Custom Domains: Windows Live Admin Center & Office Live Small Business
* Online File Storage: Office Live Workspace & Windows Live SkyDrive
* Gaming: Xbox Live
What's available is the actual content of your communications --- for example, copies of your emails --- as well as other information, such as your connection history and associated data that you provided to Microsoft during the registration process. The document spells out, in exacting detail, what is available for law enforcement and intelligence agencies. For example, here's an excerpt that details what emails are available from people who are MSN Premium subscribers:
Stored E-mail Records for MSN Premium Customers:
Microsoft's systems only store the e-mails a user has elected to maintain in the account. Therefore, the only e-mails provided in response to legal process seeking stored e-mail content will be the e-mails stored in the "Folders on MSN" section of a user's account.
Be aware that users may also store e-mail content on their computer's hard drive. Microsoft will not be able to disclose e-mail content stored on a user's computer --- only e-mail content stored on Microsoft's e-mail servers.
The document also gives advice and tips to law enforcement and intelligence agencies about how to understand the information that Microsoft provides. Several pages, for example, are devoted to helping agencies understand how to interpret information about Windows Live ID log-ins, showing, for example, when people log in and out, IP address history, and so on.
Interestingly, the document contains just about no information about Windows Live SkyDrive, which is Microsoft's free online file storage service. The document only has a single-sentence description of the service, along with a screenshot. I assume that the files on the service can be gotten by police and intelligence agencies, but there are no details about that, so for me, at least, it's an open question.
Quite a bit of information is available about Xbox Live users. Here's what the document says can be gotten by police and intelligence officials:
What records are retained and for how long?
Both registration and IP connection history records are retained for the life of the gamertag account. Because the volume of IP connection history records may be large, when possible please ask for the specific date range of records you are specifically interested in receiving. A full listing of retained records is below:
* Credit card number
* First/last name with zip code
* Serial number but only if box has been registered online. "Console ID" is better.
* Service request number from Xbox Hotline (e.g. SR 103xx-xx-xx)
* E-mail account (e.g. @msn.com, @hotmail.com or any other Windows Live ID account name)
* IP history for the lifetime of the gamertag (only one gamertag at a time)
If your investigation involves a stolen Xbox console, if the console serial number or Xbox LIVE user gamertag is provided and the console has been connected to the Internet, IP connection records may be available.
Especially noteworthy is the final section of the document, which spells out in detail what information Microsoft is required by law to provide to police and intelligence agencies. Here, for example, is a small section:
Information that may be disclosed with a subpoena. Basic subscriber information includes name, address, length of service (start date), screen names, other email accounts, IP address/IP logs/Usage logs, billing information, content (other than e-mail, such as in Windows Live Spaces and MSN Groups) and e-mail content more than 180 days old as long as the governmental entity follows the customer notification provisions in ECPA (see 18 U.S.C. §§ 2703(b), 2705.)
The document goes on to explain that a court order is required for the rest of a customer's profile. It also spells out when search warrants are required.
None of this should be a surprise. All companies, not just Microsoft, comply with laws that require them to turn over information to police and intelligence agencies. So Microsoft is not to blame. But it's certainly eye-opening to see what they turn over, and how they do it.
For more details, check out Gregg Keizer's story on Computerworld.
Microsoft, by the way, has released a statement about the affair. Here's what the company has to say:
"Like all service providers, Microsoft must respond to lawful requests from law enforcement agencies to provide information related to criminal investigations. We take our responsibility to protect our customers' privacy very seriously, so have specific guidelines that we use when responding to law enforcement requests. In this case, we did not ask that this site be taken down, only that Microsoft copyrighted content be removed. We are requesting to have the site restored and are no longer seeking the document’s removal."
Saturday, February 13, 2010
Monday, February 8, 2010
10 Ways to use Facebook Professionally
Your profile is like your desktop at work. Only put on it what you would want your co-workers to see.
Socialize with a purpose. Re-establish connections with former co-workers, classmates, but add friends selectively.
Edit your news feed preferences so that you are only alerted when it matters. Do you really care if a friend adds a new picture? More important is when they add a new contact.
Edit your profile and security settings. Be selective showing what to whom. The default settings probably show more information than you would like.
Create interest by incorporating a feed from your blog.
Join Groups related to your business interests. Ask respected contacts which groups they like.
Stay focused. It's easy to waste time on Facebook so set limits.
Help others when you can so that they'll help you when you need it.
Use the My Questions app. It is a great way to tap into your contacts' collective knowledge.
Look for events. Good online relationships can be made better by face-to-face networking or meetings.
My way?
Only use Facebook for spying or don't use at all.
Why post anything to the public?
Thursday, February 4, 2010
Twitter, Facebook use rising among gang members
Interesting read....take a look~~~
By Thomas Watkins
Associated Press
LOS ANGELES — When a gang member was released from jail soon after his arrest for selling methamphetamine, friends and associates assumed he had cut a deal with authorities and become a police informant.
They sent a warning on Twitter that went like this: We have a snitch in our midst. Unbeknownst to them, that tweet and the traffic it generated were being closely followed by investigators, who had been tracking the San Francisco Bay Area gang for months. Officials sat back and watched as others joined the conversation and left behind incriminating information.
Law enforcement officials say gangs are making greater use of Twitter and Facebook, where they sometimes post information that helps agents identify gang associates and learn more about their organizations.
"You find out about people you never would have known about before," said Dean Johnston with the California Bureau of Narcotics Enforcement, which helps police investigate gangs. "You build this little tree of people."
In the case involving the suspected informant, tweets alerted investigators to three other gang members who were ultimately arrested on drug charges. Tech-savvy gangsters have long been at home in chatrooms and on Web sites like MySpace, but they appear to be gravitating toward Twitter and Facebook, where they can make threats, boast about crimes, share intelligence on rivals and network with people across the country.
