1

Microsoft’s Commitment to Privacy

Principles and practices concerning governmentaccess to enterprise customer data

April 2, 2014

1

2

Trust and confidenceCustomers and business partners around the world have serious questions and concerns. We share many of these.Organizations everywhere need to have confidence that their data and that of their customers is secure and private, and understand the laws which govern government access to any data.

We take privacy seriously and provide enterprise customer data only in response to specific, targeted legal orders. We have published as much information as is permitted about demands made pursuant to U.S. national security laws, showing that the amount of data Microsoft provides has been significantly exaggerated. The data we published shows only a tiny fraction of our customers are impacted by legal orders of any type. Beyond these limited legal orders Microsoft is not aware of and has never participated in a broader government surveillance program.

We’ve announced a comprehensive response to the allegations that governments may be collecting customer data without the knowledge or involvement of technology companies. This includes a comprehensive engineering effort to expand use of encryption across our services, increased transparency, and reinforcing legal protections for customer data. We are also calling for development of an international legal framework for government surveillance and data demands.

Trust that private information customers share with others or store in the cloud will remain private

Trust that governments will respect the privacy of cloud computing users

“People won’t use technology they don’t trust. Governments have put this trust at risk and governments need to help restore it.” – Brad Smith, General Counsel & Executive Vice President, Microsoft

4/2/2014

34/2/2014

Facts about government access to data To date, we have not been compelled to disclose customer data of any enterprise customers (in this case, those with more than 50 seats or users) in response to national security laws.

To date, we have not been compelled to disclose customer data of any enterprise customers based outside the United States.

For the second half of 2013, we received only three legal orders for data associated with use of our commercial services by our enterprise customers, seeking information about 15 accounts, all related to U.S. customers.

The overwhelming majority of customers have never been impacted by any government demand served on Microsoft.

44/2/2014

Taking action We’re taking new steps to secure our customers’ data in light of recent revelations about government actions.

Working for a global legal framework on governmental surveillance and data access

Publishing as much data as is permitted about volume, type, and impact of demands for customer data

Expanding legal protections for customers by agreeing to contest orders and warrants on jurisdictional grounds where possible

Advocating for reforms in government surveillance practices including clear rules, greater transparency, and oversight

Strengthening encryption of customer data across our services and providing more customer choice in data storage location

Further increasing transparency of our software code to help customers reassure themselves that our products do not contain back doors

54/2/2014

Closing facts To be clear, here’s what we do, and what we don’t do:• We don’t provide any government with direct

or unfettered access to your data.

• We don’t assist any government’s efforts to break our encryption or provide any government with encryption keys.

• We don’t engineer back doors into our products and we take steps to ensure governments can independently verify this.

• If, as reports suggest, governments are engaging in broader surveillance of communications, we aren’t involved, and we’re taking steps to enhance the security of our customers’ data while in transit and at rest.,

The volume of information Microsoft provides to the U.S. Government has been significantly exaggerated

Microsoft publishes a Law Enforcement Requests Report every six months here that includes requests under national security laws

Any requests we receive relate to specific accounts within an enterprise and not to all of the accounts or data within a particular enterprise

Microsoft only discloses enterprise customer data required by a valid legal order

6

Thank you