MSFT Criminal Compliance Handbook Leaked

The release of an internal Microsoft document, which details how the software giant stores information and the ways in which law enforcement members can access it, has drawn the wrath of Redmond.

As detailed on GeekOSystem.com, the document, entitled Global Criminal Compliance Handbook, and dated March, 2008, was originally posted by the whistleblower website Cryptome. Microsoft reacted quickly, claiming that the document was copyright material under the Digital Millennium Copyright Act (DMCA), and the offending content, and indeed, the whole website, was taken down swiftly.

Fortunately, BusinessInsider decided to host the PDF on its website for anyone interested in viewing it. The document is a version for U.S. law enforcement officials, and pertains to Microsoft’s online services such as Windows Live, Windows Live ID Windows Live Messenger, Hotmail and Xbox Live.

Cryptome editor John Young detailed what he found most distasteful in the document:

Most repugnant in the MS guide was its improper use of copyright to conceal from its customer violations of trust toward its customers. Copyright law is not intended for confidentiality purposes, although firms try that to save legal fees. Copyright bluffs have become quite common, as the EFF initiative against such bluffs demonstrates.

Second most repugnant is the craven way the programs are described to ease law enforcement grab of data. This information would also be equally useful to customers to protect themselves when Microsoft cannot due to its legal obligations under CALEA.

For Xbox 360 users who have registered on Xbox Live with a credit card, Microsoft collects and stores your: date of birth, name, e-mail address, physical address, telephone number, credit card number, type of credit card, credit card expiration and Microsoft Passport.

Xbox Live users will have their registration and IP connection history recorded “for the life of the gamertag account.” Also collected, and stored, is the Xbox’s serial number (if it was registered online).

Law enforcement officials armed with a subpoena can grab “basic subscriber information,” such as name, address, screen names, IP address, IP logs, billing info and email content “more than 180 days old.”

A court order results in “disclosure of all of the basic subscriber information available under a subpoena plus the e-mail address book, Messenger contact lists, the rest of a customer’s profile not already listed above, internet usage logs and e-mail header information (to/from) excluding subject line.”

Search warrants allow law enforcement members to access emails in electronic storage 180 days or less.

The Cryptome site has since returned on a different domain and posted the full email trail from Microsoft and Network Solutions that led to the original site being shuttered.

Tweet about this on TwitterShare on FacebookShare on Google+Share on RedditEmail this to someone

Comments are closed.