How the US government accesses your OneDrive and Outlook info with NSL
A recent forced disclosure by the US government demonstrates the use of NSL’s, which are used to access your personal data from Microsoft OneDrive and Outlook without a warrant or regular oversight, let alone notice to you.
Microsoft, Google, Facebook and many other tech companies (including gaming services) have received National Security Letters which demand information about a person’s use of the company’s services.
NSL’s aren’t warrants issued by a judge. All they need is the signature of an approved senior FBI agent. The letter invariably includes a ‘gag order’ making it illegal to tell the targeted person what’s happening. There’s no checking or oversight. They are limited to three years but can be renewed indefinitely.
In 2009 the Inspector General found many problems with the use of National Security Letters, including letters issued ‘without proper authorization’, ‘improper requests’ and ‘unauthorized collections’.
It’s a common thing: over half a million NSL’s have been issued since 2001. Their use has increased in recent years. Wikipedia has a good summary of NSL’s and their history, including copies of real letters.
Sometimes, an NSL is withdrawn and the gag order lifted. The Electronic Frontier Foundation sued to get copies of a mere 751 of these ‘stop’ or termination letters.
Source: EFF/The New York Times via DocCloud. A full copy of this letter is below.
A Freedom of Information Act release reveals just a little of the hidden process that can get ‘meta-data’ from tech companies.
NSL’s can demand ‘meta-data’ about a customer’s dealings with a company. That means the date, time, to, from and other information about emails passing through Microsoft’s servers.
For OneDrive and SharePoint, that means the document name, the date saved or modified, and the location (IP) where the saves occurred.
The actual content of documents and emails isn’t part of an NSL demand, but it’s more than enough.
Meta-data might seem harmless, but it gives specific information about a person’s location and who they are communicating with. Meta-data can be combined with other information to give an amazing and frightening level of detail into a person’s life.
What does Microsoft do?
An NSL Termination letter allows the company to notify the targeted person, in other words the ‘gag’ is lifted.
“Accordingly, and consistent with law, you may exercise your discretion to disclose the following:
- The fact that you received the NSL on a certain date;
- The customer account(s) for which information was sought; and
- Whether or not you provided responsive information to the FBI pursuant to the NSL.
If you choose, you may disclose the NSL itself provided that doing so would be consistent with other legal obligations you may have.”
The key words are ‘may’ and ‘discretion’. The company doesn’t have to tell a customer that their privacy has been breached.
It would be interesting to know what Microsoft does. Do they tell the customer what happened or stay quiet? If Microsoft doesn’t tell the customer … why not?
The complete set of NSL Termination Letters obtained under FOI is at DocCloud.
Electronic Frontier Foundation has a page devoted to NSL’s.
Wikipedia on National Security Letters.
Complete NSL Termination Letter
Here’s just one of the NSL termination letters, in full, sent to Microsoft. It’s on page 55/56 of the ‘Termination Letters 3.pdf’.