An investigation by the Reserve Bank of India (RBI) has revealed that Microsoft has been passing user data that it gathers from Indian banks that are Office 365 customers to various U.S. intelligence agencies, upon demand. The outcome of this investigation was compiled into a Risk Assessment Report (RAR), which was submitted to these banks in order to get answers from them.

One such bank responded to the document saying that the gathering of such data was previously agreed upon; it is stated in the legal agreement drafted as part of the Office 365 subscription, and the banks involved were aware of it being collected by Microsoft. The requests for the banks' customer data by U.S. intelligence agencies was reflected in the company's Transparency Hub, per the RAR.

"It was gathered from the Microsoft transparency hub that Microsoft is bound to share customers’ data under US Foreign Intelligence Surveillance Act (FISA) and US national security letters as and when required by the US authorities.”

According to the document, between 2014 and 2016, the U.S. government had made over 4,000 requests to Microsoft for data belonging to customers of these Indian banks. Out of these, the company complied on 3,036 occasions.

In the Office 365 contract, the banks agreed to share such data only if it was sanctioned by the Government of India or an Indian court. The contract also made provisions for gag orders issued by the U.S. agencies, where Microsoft wouldn't be allowed to outwardly acknowledge the disclosure of the user data. Per one of the banks,

“The US government issues gag orders for the same with prior intimation to us. We have incorporated appropriate provision to that effect in the legal agreement.”

It's unclear whether the banks were comfortable with this process, because it seems unlikely that they had much say in the matter. Given that the banks pressed on ahead with shifting to Office 365 despite the potential for breaches in customer privacy in these agreements it could be assumed that they were just fine with it.

Very few of these banks have offered official statements outside of the report; the State Bank of India (SBI) has offered one, saying:

“In 2016 and 2017, Microsoft has advised that they received zero demands from the US law enforcement for commercial enterprise content (50+ seats) located outside the United States. In the first half of 2018, the latest time period for which Microsoft has data available, there was one demand from the US government for content data of a commercial enterprise located outside of the United States and Microsoft notified the customer, which is not SBI."

A spokesperson representing the only other bank to provide a statement, the Bank of Baroda, said:

“Protecting the interests of our esteemed customers is of paramount importance to us. The bank’s ‘systems and operations’ are robust – we stand committed to protecting our customers’ interests, and we have all the necessary systems in place to ensure the same.”

Achen Jakher, an advocate specializing in the field of cyber law, begged to differ, telling DNA Money in a statement that India's system to protect its citizen's user data was full of exploitable loopholes:

“Preserving consumer information is extremely important in today’s digital world, especially critical financial information. Intermediary technological firms have to adhere to Supreme Court guidelines to not share data with third parties and not take the data out of the country under any circumstance. Unfortunately, IT companies find multiple loopholes citing technological implementation and flout this rule. It is the need of the hour to come up with stringent laws against such practices. We have to work towards protecting sensitive data of consumers and not share this data for paltry gains.”

Lastly, Microsoft itself had no detailed response to the situation beyond stating that it takes customer privacy seriously.

"No government has direct access to any of our users’ data. Data privacy is a top priority for us. We never provide customer data unless we receive a legally valid warrant, order or subpoena about specific accounts or individual identifiers that we have reviewed and consider legally appropriate and consistent with the rule of law and our Microsoft principles. Absent extraordinary circumstances, in the vast majority of cases we redirect governments to seek data directly from commercial customers or to allow us to tell our commercial customers when the government seeks their data.”

Given that, in its statement, Microsoft does not explicitly deny disclosing customer data to U.S. intelligence agencies, it can be construed that it is effectively caught in between a rock and a hard place wherein it is, by law, answerable to the U.S. government. But at the same time, it may also face increasing heat for forcing banks to bypass the Indian government - and therefore, due process - in order to get its hands on Indian citizens' private data.

Source: DNA Money