DNA MONEY EXCLUSIVE: Microsoft shared Indian bank customers’ data with US intel
From 2014 to 2016, Microsoft had disclosed information on 3,036 occasions after more than 4,000 government requests or legal demand requests for Indian customers in the US
This article, first published on October 30, 2018 has been updated with the response from Microsoft on November 5, 2018.
Microsoft routinely shared Indian bank customers’ financial details with the US intelligence agencies, a bank document related to Reserve Bank of India (RBI)’s risk observation, seen by DNA Money, reveals.
The data of customers running an account with banks that have migrated to Microsoft Office 365 cloud-based email service has been found to have been shared with the US agencies.
Reserve Bank of India has flagged the data sharing by the service provider in its Risk Assessment Report (RAR), which has been placed before the banks’ audit committees for a response.
Customers may not be aware that their financial details are being shared with the US security and intelligence agencies. But Indian banks are fully aware of the development.
According to the response of RBI’s observation, banks know that Microsoft might be sharing their customers’ data to US agencies since they had purchased and migrated to Microsoft’s cloud-based email service - Office 365.
In a specific case, RBI observed in its risk report, “All the mailboxes had been migrated to office 365 Microsoft cloud environment.
It was gathered from the Microsoft transparency hub that Microsoft is bound to share customers’ data under US Foreign Intelligence Surveillance Act (FISA) and US national security letters as and when required by the US authorities.”
According to the RBI observation,submited to an audit committee of a bank, from 2014 to 2016, Microsoft had disclosed information on 3,036 occasions after more than 4,000 government requests or legal demand requests for Indian customers in the US.
Banks have entered into a deal with Microsoft regarding the data sharing of their customers. In response to the RBI risk assessment observation, seen by DNA Money, a bank acknowledged that they have agreed with Microsoft, and according to the deal, Microsoft will only share the bank customers’ data if the order was issued by the government of India or an Indian court.
In the case of the US, the bank responded, “The US government issues gag orders for the same with prior intimation to us. We have incorporated appropriate provision to that effect in the legal agreement.”
More than 100 million people use Office 365 commercial, according to a latest Microsoft report.
DNA Money asked banks about how many US authorities’ requests have been responded and have been disclosed the Indian customers’ details by your email provider-- Microsoft – in the last five years (2014-2018). Several attempts to contact RBI and banks, through email and SMS on the issue did not elicit any response, except from State Bank of India (SBI) and Bank of Baroda.
An SBI spokesperson said, “In 2016 and 2017, Microsoft has advised that they received zero demands from the US law enforcement for commercial enterprise content (50+ seats) located outside the United States. In the first half of 2018, the latest time period for which Microsoft has data available, there was one demand from the US government for content data of a commercial enterprise located outside of the United States and Microsoft notified the customer, which is not SBI.”
On customer data sharing issue, Bank of Baroda said, “Protecting the interests of our esteemed customers is of paramount importance to us. The bank’s ‘systems and operations’ are robust – we stand committed to protecting our customers’ interests, and we have all the necessary systems in place to ensure the same.”
However, a cyber law expert said India needs stringent laws against such practices. Achen Jakher, advocate, Cyber Law, told DNA Money, “Preserving consumer information is extremely important in today’s digital world, especially critical financial information. Intermediary technological firms have to adhere to Supreme Court guidelines to not share data with third parties and not take the data out of the country under any circumstance. Unfortunately, IT companies find multiple loopholes citing technological implementation and flout this rule. It is the need of the hour to come up with stringent laws against such practices. We have to work towards protecting sensitive data of consumers and not share this data for paltry gains.”
Microsoft, however, denied the allegations. "We categorically deny allegations of the report that Microsoft provides the US government – or any government – with unfettered access to data or provides any customer data in contravention of our public statements and clearly articulated principles and contractual obligations.
"Microsoft does not provide any government entity anywhere in the world unfettered access to customer data through any means including backdoors in products, special access etc. Microsoft never provides customer data unless we receive a legally valid warrant, order or subpoena about specific accounts or individual identifiers. If data is provided, it is done only after a thorough legal review to check whether the request is appropriate and consistent with the rule of law and Microsoft’s principles.
"For commercial customers, absent extraordinary circumstances, Microsoft redirects governments to seek data directly from them and informs the commercial entity when any government seeks its data," Microsoft said in a statement.
While directly responding to DNA's story, a Microsoft spokesperson said, "The story also mentions a number of alleged disclosures by Microsoft of data of Indian customers in the United States to the US Government, based on RBI’s risk report. These numbers do not match any data available to Microsoft and remain unverified. Microsoft does not record data on the nationality of our customers."
A Microsoft spokesperson told DNA Money, “No government has direct access to any of our users’ data. Data privacy is a top priority for us. We never provide customer data unless we receive a legally valid warrant, order or subpoena about specific accounts or individual identifiers that we have reviewed and consider legally appropriate and consistent with the rule of law and our Microsoft principles. Absent extraordinary circumstances, in the vast majority of cases we redirect governments to seek data directly from commercial customers or to allow us to tell our commercial customers when the government seeks their data.”
OFFICE SECRETS
- From 2014 to 2016, Microsoft had disclosed information on 3,036 occasions after more than 4,000 government requests or legal demand requests for Indian customers in the US
- Banks know that Microsoft might be sharing their customers’ data to US agencies
This is with reference to the story published by DNA Money on October 30, 2018, titled “Data breach: Microsoft shared Indian bank customers’ financial details with US intelligence agencies”, referencing an RBI Risk Assessment Report. The story is extremely misleading, factually erroneous and has caused a lot of distress among Microsoft’s employees, partners and customers, in addition to discrediting Microsoft in the country.
We have not been given any opportunity to see or comment on the mentioned RBI risk report. Please review our position on the topic published on the Microsoft India News Center HERE
We would also like to set the record straight and call out the following points in particular:
1. We categorically deny allegations of the report that Microsoft provides the US government – or any government – with unfettered access to data or provides any customer data in contravention of our public statements and clearly articulated principles and contractual obligations.
Microsoft does not provide any government entity anywhere in the world unfettered access to customer data through any means including backdoors in products, special access etc. Microsoft never provides customer data unless we receive a legally valid warrant, order or subpoena about specific accounts or individual identifiers. If data is provided, it is done only after a thorough legal review to check whether the request is appropriate and consistent with the rule of law and Microsoft’s principles.
For commercial customers, absent extraordinary circumstances, Microsoft redirects governments to seek data directly from them and informs the commercial entity when any government seeks its data.
2. The story also mentions a number of alleged disclosures by Microsoft of data of Indian customers in the United States to the US Government, based on RBI’s risk report. These numbers do not match any data available to Microsoft and remain unverified. Microsoft does not record data on the nationality of our customers.
Please also note that Microsoft data centers in India began their operations towards the end of 2015 post which various Indian banks started to consume our cloud services.
Please refer to our Data Law site, where we detail everything we have done to protect our customers’ data as well as our principles explaining why we go to such lengths to fight for them.
We request you to publish this letter in its entirety along with the post and the above link of Microsoft News Center across all your outlets that carried the story.