Microsoft: 'We can hand over Office 365 data without your permission'

Microsoft, in a bold and brave move, admits to what many other cloud service providers don't -- that data may be handed over to authorities without consent.
Written by Zack Whittaker, Contributor

Microsoft's words, not mine.

Hidden within a whitepaper detailing the security features in the upcoming Office 365 suite are links to the Trust Center: a treasure trove of data protection policies and legalities of how Microsoft will handle your data in its cloud datacenters.

Next week, Microsoft will announce the launch of Office 365 in both New York and London, where ZDNet will have correspondents at both events.

In light of the Patriot Act furore, customers of cloud services are naturally becoming more aware of the limitations to cloud security and privacy, with legalities and powerful acts of law taking precedence.

In short, Microsoft states:

"In a limited number of circumstances, Microsoft may need to disclose data without your prior consent, including as needed to satisfy legal requirements, or to protect the rights or property of Microsoft or others (including the enforcement of agreements or policies governing the use of the service)."

This covers all users and data of Microsoft Online Services, including the current offering of BPOS (Business Productivity Online Suite), currently in migration to Office 365. Current Live@edu users are also affected by this -- mostly schools and colleges -- which are also upgrading to Office 365.

It goes on:

"Accordingly, if a governmental entity approaches Microsoft Online Services directly for information hosted on behalf of our customers, [Microsoft] will try in the first instance to redirect the entity to the customer to afford it the opportunity to determine how to respond."

"...and will use commercially reasonable efforts to notify the enterprise customer in advance of any production unless legally prohibited."

Geographic location of data is crucial to the customer. Microsoft respects this, with only a few exceptions:

"As a general rule, customer data will not be transferred to datacenters outside that region. There are, however, some limited circumstances where customer data might be accessed by Microsoft personnel or subcontractors from outside the specified region (e.g., for technical support, troubleshooting, or in response to a valid legal subpoena)"

Yet, Microsoft makes it clear that they will not inform customers when data leaves the country it is stored in. Under EU rules, if data leaves the European zone, customers must consent to this.

As a major cloud provider, Microsoft is naturally covered under EU Safe Harbor rules, allowing data to pass from a subsidiary Microsoft entity from Europe to the United States.

But it does not mean, for one minute, that data is safe from superseding laws like the USA PATRIOT Act.

Here's where it gets confusing.

Microsoft acts as the processor of the data, by storing it in its datacenters and allowing it to be open and readable by the customer. The customer -- the business or the university -- takes the role as the data controller. The controller owns the data, wherever they are in the world.

But because Microsoft physically stores and processes the data, regardless of where the data is stored geographically -- even outside of U.S. soil -- it can be requested by U.S. law enforcement authorities by invoking the Patriot Act on a wholly owned U.S. company.

Under EU law, the data processor must inform the data controller when data is being moved outside the EU.

Yet, because Microsoft is a wholly owned U.S. company, data can be requested by U.S. law enforcement while the company is gagged from saying anything to the data-controlling customer, leading Microsoft into difficult ethical territory.

In effect, it comes down to who has the bigger weapon: the U.S. or the EU. Because Microsoft is on its own turf and can be silenced with a U.S. gagging order, it has little option but to stay quiet and hand the data over to U.S. law enforcement.

I've reached out to Microsoft for comment.

While Microsoft's policy is "not to use [your data] for other purposes", governments in a heightened state of awareness are highly interested in business and university data. But, of course, there often needs to be probable cause of suspicion before a law enforcement authority can act.

I must say, a personal and heartfelt congratulations to Microsoft -- in full sincerity -- for being as open, honest and transparent in their documentation.

For the first time since ZDNet's Patriot Act series, which highlighted massive flaws in cloud security as a result of U.S. counter-terrorism legislation reaching outside the borders of the United States, Microsoft has taken the first step in admitting industry-wide issues of security, privacy and data protection legislation.

- -

Join both myself and ZDNet's David Gewirtz in a live webcast on the 30th June 2011 detailing the effect of the Patriot Act in Europe and further afield.
