Don’t Think Your Cloud Data Is Safe from the Cops

Think that data you’ve stored in the cloud is safe from the prying eyes of the police and the FBI? It’s not. Indeed, it seems like stories about how the government reaches into the cloud to obtain data on users cross the wires (as we used to say) every month.

The latest news on this front comes from Microsoft, which like Google, is now informing the public about how many requests it has gotten from government agencies in the U.S. and abroad. Microsoft said it received more than 11,000 U.S. law enforcement requests in 2012 for data belonging to users of its products, according to a report issued Thursday. But that’s only a fraction of the 70,665 requests it received from governments around the world last year.

Various agencies asked for data related to online services including Hotmail/Outlook.com, SkyDrive, Xbox LIVE, Microsoft Account, Messenger and Office 365. Skype data is included, but reported separately. If it were added in, the total requests directed at Microsoft would total more than 75,000.

How often did Microsoft comply with those requests? Most of the time. Discounting Skype-related requests, the software giant said yes 98.8 percent of the time. Or to put it another way, out of more than 70,000 requests, only 866 were turned down.

What the government actually got is a bit more complicated. According to the report, content was disclosed in only 2.2 percent of the cases. What Microsoft calls “subscriber/transactional data” was released just under 80 percent of the time, that is, 8 out of every 10 requests made for that information were granted.

Non-content data, as Microsoft explained to me, “refers to basic subscriber information, such as the e-mail address, name, location and IP address captured at the time of registration,” which is to say they know where you live.

Let’s be clear. I’m not saying Microsoft shouldn’t be releasing this information. Often it has no choice. Here’s where the company sets the bar for handing over information: “We require a valid subpoena or equivalent document before we will consider releasing non-content data; and we require a court order or warrant before we will consider producing content.”

I also think that both Microsoft and Google deserve credit for letting users know exactly what’s going on in these cases.

My point, though, is to underline once again the lack of privacy that cloud users experience. If you assume that stuff you store on someone else’s server is private, you’re simply wrong.

Earlier this year, Google disclosed that between July and December of 2012, it received 8,438 U.S. government requests for its users’ data and complied to some degree in 88 percent of those cases. And making that statistic all the more concerning is this: Only 22 percent of those requests were backed up by a warrant.

A few weeks ago we learned that with Verizon’s aid, police arrested a man for storing illegal porn in the cloud. Few of us have any sympathy for people who download kiddie porn, but that case is yet another example of the ease with which online data is exposed to prying eyes. If you read my account of the Verizon incident, you’ll learn that the stash of illegal material was discovered via the use of automated scanning software developed by Microsoft and given to service providers at no charge.

Don’t say you haven’t been warned.