According to documents leaked by the Syrian Electronic Army, Microsoft has been charging the FBI millions of dollars a year for legal access to customer information.
The Syrian Electronic Army is a group of hackers said to be loyal to Syrian President Bashar Al-Assad. The group is known for its attacks on social media companies and accounts. The companies that have been subject to its attacks are CNN, NPR, the Daily Dot and the Associated Press. The group allowed the Daily Dot to analyze the documents before they were published in full.
The recently hacked documents show emails and invoices between the FBI's Digital Intercept Technology Unit (DITU) and Microsoft's Global Criminal Compliance Team. They show exactly what Microsoft has been charging DITU for customers' personal data. Microsoft bills DITU for compliance costs when DITU serves court orders and warrants for customer data on Microsoft.
In December 2012, a document was revealed which showed an email from Microsoft to DITU; the email included a PDF invoice in which Microsoft charged DITU $145,000. It showed that $100 was charged per request for data or information. In August 2013, it has been alleged, Microsoft sent another invoice to DITU for $352,200, in which $200 per request was charged. The latest invoice, for the month of November 2013, was for $281,100.
None of the lawyers and technologists consulted for the review of this story are of the view that Microsoft is wrong to charge the FBI for complying with data requests. That is because the company has the right to charge for reasonable expenses.
They were instead keener to stress how frequently the government is sending in requests for data.
The ACLU's principal technologist, Christopher Soghoian, is of the view that charging for the data is positive because it helps keep a record of government requests for user information. He previously chided Microsoft in 2010 for not charging the Drug Enforcement Agency when it was ordered by the court to turn over user data, while Google and Yahoo charged for it.
Nate Cardozo is of the view that the government should be transparent about what it is paying for such data, so that taxpayers can know how much of their money is being spent for such purposes.
DITU keeps a low profile in contrast to the NSA, whose documents were revealed by its former systems analyst Edward Snowden. Multiple representatives of the technology and law enforcement industries have described DITU as a liaison between the FBI and US technology companies, and as the FBI's equivalent to the NSA.
The slides revealed by Snowden also suggested DITU's part in the NSA's PRISM program. They suggested that DITU plays the role of gathering data from US technology companies, including Microsoft.
The full authenticity of the documents is hard to verify without confirmation from someone with direct knowledge of DITU and Microsoft compliance practices, and those authorities have refused to comment.
“I don’t see any indication that they’re not real,” Cardozo said. “If I was going to fake something like this, I would try to fake it up a lot more sensational than this.”
The Syrian Electronic Army has carried out a phishing attack two times, and this fact was well documented before the documents were published. On Jan 11, the hackers hacked the Twitter account and the blog of the company. One of the hackers told The Verge that it was part of a bigger plan and that they were distracting the employees so that they could succeed in their main plan.
It was two weeks later that Microsoft admitted in a blog post: “We have learned that there was unauthorized access to certain employee email accounts, and information contained in those accounts could be disclosed. It appears that documents associated with law enforcement inquiries were stolen.”
A source familiar with Microsoft employees’ email data has confirmed that the emails contained in the document were authentic.
When the company was asked for comment, it maintained its stance that it is obliged by law to act on the government's demands. One of the company's officials said that “as pursuant to U.S. law, Microsoft is entitled to seek reimbursement for costs associated with compliance with a valid legal demands. … To be clear, these reimbursements cover only a portion of the costs we actually incur to comply with legal orders.”
The FBI's spokesperson declined to comment and referred the question to Microsoft, as the SEA got the documents through it.
Indeed, there is a rich history of cooperation between technology companies and intelligence agencies, in which the tech companies charge millions of dollars per annum as compliance costs. The CIA has been paying AT&T about 10 million dollars annually to gain access to phone records, according to government officials. The documents revealed by Snowden also suggested that the government has paid multiple millions of dollars to tech companies, including Microsoft, for compliance costs.
The invoices accessed by the SEA do not clearly indicate the type of information DITU requests from Microsoft, though they break down the costs by search warrant, subpoena, court order, etc.
What concerns many here is how the SEA gained such easy access to this information, and how the FBI and Microsoft could be sharing such sensitive information through a less secure system like email.