Update: Microsoft has responded to this story originally reported by DNA Money.
We would also like to set the record straight and call out the following points in particular:
1- We categorically deny allegations of the report that Microsoft provides the US government – or any government – with unfettered access to data or provides any customer data in contravention of our public statements and clearly articulated principles and contractual obligations.
Microsoft does not provide any government entity anywhere in the world unfettered access to customer data through any means including backdoors in products, special access etc. Microsoft never provides customer data unless we receive a legally valid warrant, order or subpoena about specific accounts or individual identifiers. If data is provided, it is done only after a thorough legal review to check whether the request is appropriate and consistent with the rule of law and Microsoft’s principles.
For commercial customers, absent extraordinary circumstances, Microsoft redirects governments to seek data directly from them and informs the commercial entity when any government seeks its data.
2- The story also mentions a number of alleged disclosures by Microsoft of data of Indian customers in the United States to the US Government, based on RBI’s risk report. These numbers do not match any data available to Microsoft and remain unverified. Microsoft does not record data on the nationality of our customers.
Please also note that Microsoft data centers in India began their operations towards the end of 2015 post which various Indian banks started to consume our cloud services. Please review our position on the topic published on the Microsoft India News Center (https://news.microsoft.com/en-in/setting-the-record-straight-on-microsofts-commitment-to-protecting-our-customers-data/)
The reported story follows below:
With all the lapses in cyber security in recent times, one would assume that top companies would be even more careful about the subject. But it seems Microsoft didn’t think much about the bank details of its Indian customers, as it routinely shared them with US intelligence agencies, according to an exclusive report by DNA Money.
As a result, the Reserve Bank of India (RBI), in its Risk Assessment Report, has raised concern about the data of people with accounts in banks that switch their systems to the Microsoft Office 365 cloud-based email service being shared with US intelligence services. The banks in question were reportedly aware of this lapse in security, but didn’t share this information with their customers.
In the report, RBI stated, “All the mailboxes had been migrated to office 365 Microsoft cloud environment. It was gathered from the Microsoft transparency hub that Microsoft is bound to share customers’ data under US Foreign Intelligence Surveillance Act (FISA) and US national security letters as and when required by the US authorities.”
For its part, a Microsoft spokesperson told DNA Money, “No government has direct access to any of our users’ data. Data privacy is a top priority for us. We never provide customer data unless we receive a legally valid warrant, order or subpoena about specific accounts or individual identifiers that we have reviewed and considered legally appropriate and consistent with the rule of law and our Microsoft principles.”
That being said, Microsoft’s Transparency hub clearly states that the company is required to share any customer data under the US Foreign Intelligence Surveillance Act (FISA) and US national security letters, under orders from government agencies.
According to reports by RBI, Microsoft divulged information 3,036 times after 4,000 requests from US authorities regarding information about Indian customers in the US. Microsoft has deals in place with banks about sharing data which can be further shared under direct orders from the Indian government or any Indian court. There are Supreme Court guidelines about not sharing user data with third parties or taking it out of the country. But IT companies often use loopholes to do just that.