Microsoft: 'We can hand over Office 365 data without your permission'

Summary: Microsoft, in a bold and brave move, admits to what many other cloud service providers don't -- that data may be handed over to authorities without consent.

Microsoft's words, not mine.

Hidden within a whitepaper detailing the security features in the upcoming Office 365 suite are links to the Trust Center, a treasure trove of data protection policies and legalities of how Microsoft will handle your data in its cloud datacenters.

Next week, Microsoft will announce the launch of Office 365 in both New York and London, where ZDNet will have correspondents at both events.

In light of the Patriot Act furore, customers of cloud services are naturally becoming more aware of the limitations to cloud security and privacy, with legalities and powerful acts of law taking precedence.

In short, Microsoft states:

"In a limited number of circumstances, Microsoft may need to disclose data without your prior consent, including as needed to satisfy legal requirements, or to protect the rights or property of Microsoft or others (including the enforcement of agreements or policies governing the use of the service)."

This covers all users and data of Microsoft Online Services, including the current offering of BPOS (Business Productivity Online Suite), currently in migration to Office 365. Current Live@edu users are also affected by this -- mostly schools and colleges -- which are also upgrading to Office 365.

It goes on:

"Accordingly, if a governmental entity approaches Microsoft Online Services directly for information hosted on behalf of our customers, [Microsoft] will try in the first instance to redirect the entity to the customer to afford it the opportunity to determine how to respond."

"...and will use commercially reasonable efforts to notify the enterprise customer in advance of any production unless legally prohibited."

Geographic location of data is crucial to the customer. Microsoft respects this, with only a few exceptions:

"As a general rule, customer data will not be transferred to datacenters outside that region. There are, however, some limited circumstances where customer data might be accessed by Microsoft personnel or subcontractors from outside the specified region (e.g., for technical support, troubleshooting, or in response to a valid legal subpoena)"

Yet, Microsoft makes it clear that they will not inform customers when data leaves the country it is stored in. Under EU rules, if data leaves the European zone, customers must consent to this.

As a major cloud provider, Microsoft is naturally covered under EU Safe Harbor rules, allowing data to pass from a subsidiary Microsoft entity in Europe to the United States.

But it does not mean, for one minute, that data is safe from superseding laws like the USA PATRIOT Act.

Here's where it gets confusing.

Microsoft acts as the processor of the data, by storing it in its datacenters and allowing it to be open and readable by the customer. The customer -- the business or the university -- takes the role as the data controller. The controller owns the data, wherever they are in the world.

But because Microsoft physically stores and processes the data, regardless of where the data is stored (i.e. geographically) -- even outside of U.S. soil, it can be requested by U.S. law enforcement authorities through means of invoking the Patriot Act on a wholly owned U.S. company.

Under EU law, the data processor must inform the data controller when data is being moved outside the EU.

Yet, because Microsoft is a wholly owned U.S. company, data can be requested while the company is gagged from saying anything to the data controlling customer by U.S. law enforcement, leading Microsoft into difficult ethical territory.

In effect, it comes down to who has the bigger weapon: the U.S. or the EU. Because Microsoft is on its own turf and can be silenced with a U.S. gagging order, it has little option but to stay quiet and hand data over to U.S. law enforcement.

I've reached out to Microsoft for comment.

While Microsoft's policy is "not to use [your data] for other purposes", governments in a heightened state of awareness are highly interested in business and university data. But there, of course, often needs to be probable cause of suspicion before a law enforcement authority can act.

I must say, a personal and heartfelt congratulations to Microsoft -- in full sincerity -- for being as open, honest and transparent in their documentation.

For the first time since ZDNet's Patriot Act series, which highlighted massive flaws in cloud security as a result of U.S. counter-terrorism legislation reaching outside the borders of the United States, Microsoft has taken the first step in admitting industry-wide issues of security, privacy and data protection legislation.

Join both myself and ZDNet's David Gewirtz in a live webcast on the 30th June 2011 detailing the effect of the Patriot Act in Europe and further afield.

Talkback

89 comments
  • RE: Microsoft: 'We can hand over Office 365 data without your permission'

    Meh. Nothing new tbh. I don't see any problems with that as I don't do anything illegal and wouldn't care if Scotland Yard wanted to look at my files - as long as they're not misplaced/lost/leaked or otherwise put in the hands of someone that does not need to see them other than for any investigation against me. Which there wouldn't be because I've not done anything wrong and don't intend to. I fully expect my data to leave the euro-zone and be stored elsewhere as a backup or for central storage, I bet most people will expect their data to be held in the US anyway.
    Jayton
    • I agree. Give MS points for admitting

      @Jayton
      something that others do but remain quiet on.

      Read the EULA!
      Will Pharaoh
      • RE: Microsoft: 'We can hand over Office 365 data without your permission'

        @Will Pharaoh
        No points for M$!
        Google will never give away your data!
        Linux Geek
      • RE: Microsoft: 'We can hand over Office 365 data without your permission'

        @Will Pharaoh
        Exactly what I was going to say. Props to them for at least admitting and being (somewhat) up front to this fact of cloud computing: You no longer are the owner of your data the second you upload it to somebody else's server. Period.
        bc3tech
      • Try again!

        @Linux Geek

        Google is a US-based company, so, YES, if the US government wants access to data, they will hand it over.

        If you think otherwise, you're delusional.
        Joe_Raby
      • RE: Microsoft: 'We can hand over Office 365 data without your permission'

        @Linux Geek Another round of applause for our resident jester for this gem of a statement !!!
        1773
      • RE: Microsoft: 'We can hand over Office 365 data without your permission'

        @Linux Geek : Typically biased Linux zealot. Google would never give away your data. They can't because of outages. :-)
        Gis Bun
      • RE: Microsoft: 'We can hand over Office 365 data without your permission'

        @Linux Geek

        Maybe not directly, but so far China has been into Google's systems way too many times to count.

        Plus, we Cylons have back doors into more systems than you can count. ;)
        The one and only, Cylon Centurion
      • RE: Microsoft: 'We can hand over Office 365 data without your permission'

        @Linux Geek Giving away or selling users' private data is pretty much what Google always does. They're the least trustworthy corporation in existence.
        JoeHTH
      • RE: Microsoft: 'We can hand over Office 365 data without your permission'

        @Linux Geek That's all Google does is give away or sell your private data?
        JoeHTH
      • "Google will never give away your data..."

        @Linux Geek

        According to this, they would be in the same boat as 'M$', and will have to give it up. A subpoena is a subpoena.

        Plus, Google already has... remember the WAP fiasco?
        UrNotPayingAttention
      • RE: Microsoft: 'We can hand over Office 365 data without your permission'

        @Linux Geek - You are very mistaken! Google will not only give away your data but they claim they have the right to do anything they want with it including modify it! If you don't believe me, please read their terms of service, especially part 11. I don't think they have the paragraph anymore that says they OWN your data but you have no guarantees of privacy anywhere.
        hforman9
    • RE: Microsoft: 'We can hand over Office 365 data without your permission'

      @Jayton How would you feel if Scotland Yard or the U.S. gov. used your files, regardless of how innocuous they may be, to collect intelligence on you, your colleagues or your business?
      zwhittaker
      • This is exactly why...

        @zwhittaker

        cloud security and privacy is the #1 factor for why non-US countries won't do cloud business with a lot of the tech giants.

        Non-US regulatory issues sometimes even mandate it too.
        Joe_Raby
      • RE: Microsoft: 'We can hand over Office 365 data without your permission'

        @zwhittaker
        What makes you think they aren't already doing this?
        tiderulz
      • No one would like that; however, this is not reason for you to fabricate...

        @zwhittaker: ... Microsoft's statement in the headline of your blog entry. The company will have to hand over the data, not just "can". They have no choice thanks to George Bush junior (though they supported him).
        DDERSSS
      • DeRSSS, Google supported Obama

        @DeRSSS
        and he hasn't stopped the practice (he endorses it), so what was your Bush reference all about?
        Will Pharaoh
      • RE: Microsoft: 'We can hand over Office 365 data without your permission'

        @DeRSSS Well, I opted for "can" rather than "will" -- seeing as Microsoft stated that they will try and inform the customer first, provided they are not under a National Security Letter (gagging order).
        zwhittaker
      • gag order

        @zwhittaker

        It is a common legal tactic to collect enough evidence to charge a party before informing them about the charges. If you report software piracy to the BSA, for instance, parties involved will not be contacted unless they have enough corroborated reports to charge the company. Any information that is taken is held confidentially until charges are made, and if you report the same information to another entity, it can be admissible depending on the reporting policies of all of the entities involved.
        Joe_Raby
      • RE: Microsoft: 'We can hand over Office 365 data without your permission'

        @zwhittaker I'd be fine with it, I have nothing to hide from any government. Why is it such a big deal if they did 'snoop' on me? Surely checking up on suspicious people is a good thing and hopefully they'll catch a criminal/pedo doing so. They would have to have a very good reason to do so in the first place, so don't give them a reason ;)
        Jayton