Although we’ve always discussed urgent priority requests as being available to both LEA and non-LEA, we are regularly asked why non-LEA should be allowed to use this type of request.  We’ve seen this again in the public comments, with new suggestions that a non-LEA requestor must route urgent requests through a government agency rather than making such a request themselves.

 

To clarify why it’s not sufficient to limit these requests to law enforcement and government agents, I asked my Digital Crime Unit and state actor cyberdefense teams for details. Here’s what they said.

 

• Law enforcement (LE) and Microsoft priorities do not always overlap such that what we consider an emergency, where this information could be necessary to protect our customers ( such as a threat to our infrastructure or our customer’s infrastructure), is the same as an emergency for LE.
• The threshold for what is important to protect our customers is often different or  lower than the threshold for a LE emergency as outlined below – but nonetheless just as important.
• When a customer or partner is under attack, we would not necessarily engage LE. We would only notify/contact the customer directly since the impact is on their tenant. LE engagement is then at their discretion.
• Here are some scenarios where we would likely make urgent data requests separate from LE engagement:
• a large banking establishment or school district under ransomware attack
• a nation state actor targeting multiple human rights organizations with persistent spear phishing attacks
• a nation state actor using a malicious domain to compromise and steal information from members of the United Nations
• a nation state actor purchasing large swaths of domains to target multiple organizations in the oil and gas industry, then using them in a large-scale intrusion campaign

 

Remember that abuse of the Urgent Priority request mechanism is already defined as an activity which may lead to loss of accreditation, even for LEA.  That safeguard would be certainly be invoked quickly if the privilege were abused by a non-LEA requester.

 

I look forward to discussing this topic soon.

 

/marksv