Microsoft has announced new human rights and security measures after completing an internal inquiry into how the Israeli military used its cloud technology for the surveillance of Palestinians. The company said it will strengthen oversight of projects linked to national security agencies and review how employees handle security clearances issued by foreign governments. The move follows concerns raised during an investigation into the use of Microsoft’s Azure cloud platform by Israel’s Unit 8200 intelligence agency. The software company said it will introduce new checks for national security-related contracts before they are approved. It will also carry out regular reviews to ensure customers comply with Microsoft’s acceptable use policies, especially when political situations change or projects become more sensitive.Microsoft said it will also strengthen its human rights due-diligence processes in conflict-affected and high-risk regions. The company announced the measures after completing an inquiry that was launched following reports that the Israeli military used Microsoft’s cloud technology to store and analyse large amounts of intercepted Palestinian phone calls. Here’s the full report published by the company
Microsoft huamn rights commitments and due diligence
BACKGROUND AND CONTEXTMicrosoft has a longstanding human rights program aligned with the UN Guiding Principles on Business and Human Rights (UNGPs), the OECD Guidelines for Multinational Enterprises, and other international standards. We have ongoing processes to identify, assess, and address human rights risks across our business. These processes are continuous and integrated into our operations.As described in our Global Human Rights Statement (see aka.ms/humanrights), Microsoft is committed to conducting continuous human rights due diligence worldwide, in line with the UNGPs. These commitments inform our responsibility to respect human rights, including identifying and addressing salient human rights risks associated with our operations, products, services, and business relationships.Key features of our program include:• Regular Risk Assessments: We conduct regular human rights due diligence across our business, including periodic, formal human rights impact assessments (HRIAs). These due diligence efforts occur at multiple levels (such as enterprise-wide, for specific products, and in sensitive regions) to identify actual, or potential, salient human rights risks and impacts that we may cause, contribute to, or be directly linked with, either through our own activities or as a result of our business relationships. Findings from all our human rights due diligence efforts are integrated into our business practices, and we track implementation to ensure learnings and mitigations are incorporated. Formal HRIAs are typically conducted by third-party experts in business and human rights to ensure a neutral, rights-based review.• Integration into Business Processes: Human rights considerations are embedded into Microsoft’s policies and daily operations. Contractual terms prohibit misuse of our services to violate human rights. Cross-functional teams work together to incorporate human rights safeguards into product design and deployment, market entry, sales processes, and supply chain management. This integrates due diligence into decision-making rather than being treated as a standalone activity.• External Perspectives: Microsoft conducts regular engagement and consultation with external stakeholders, including vulnerable populations or their trusted representatives, to understand their perspectives and experiences. We also consult regularly with human rights experts and civil society organizations to benefit from their expertise and perspectives. We engage with these stakeholders through formal meetings, participation in multistakeholder forums, focus groups, surveys, and direct interviews.• Continuous Improvement: Our due diligence is on-going and adaptive. We update assessments when conditions change and learn from new challenges to refine our approach. This continuous cycle of assess-act-review epitomizes the UNGP concept of due diligence as a dynamic process.• Transparency: Microsoft has a strong track record of publicly reporting on its human rights commitments, processes, and progress. Our 2025 Human Rights Transparency Report (covering fiscal year 2025) brought together our legacy supply chain reporting and broader human rights report to provide a more integrated view of our value chain efforts. The report describes our approach to managing salient human rights issues, key actions taken, and lessons learned over the prior year. Microsoft also published executive summaries of its 2025 saliency assessment and HRIA of generative AI. In addition to our human rights-specific reporting, Microsoft regularly publishes additional transparency reports at www.microsoft.com/transparency, including our Responsible AI Transparency Report, Environmental Sustainability Report, and additional transparency reports. Updates are also published regularly through our blogs and other public communication channels, covering topics like data center siting in rights-challenged markets and our approach to responsible AI— demonstrating how rights-related due diligence is applied in specific contexts.INVESTIGATION OF HUMAN RIGHTS CONCERNSDuring 2025, Microsoft became aware of reports alleging that IMOD used Microsoft Azure and AI technologies during the conflict in Gaza. We also received related inquiries and concerns from employees, shareholders, and members of the public.We took these reports and allegations seriously. In response, we conducted an internal attorney-directed review and engaged an external law firm to undertake additional fact-finding to help us assess these issues. We supplemented our initial internal review with a second attorney-directed internal investigation of allegations reported by The Guardian on August 6, 2025. Specifically, The Guardian’s reporting alleged use of Azure by a unit of IMOD to store recordings of phone calls obtained through broad or mass surveillance of Palestinian civilians in Gaza and the West Bank.Microsoft retained the law firm of Covington & Burling LLP (“Covington”), with technical assistance under Covington’s direction from an outside consulting firm, to conduct this second review. We selected Covington because of its deep experience conducting independent investigations and advising on business and human rights matters.Investigation MethodsTwo principles, both grounded in Microsoft’s longstanding protection of privacy as a fundamental right, guided our investigation. First, consistent with our terms of service, Microsoft does notprovide technology to facilitate mass surveillance of civilians. Second, Microsoft respects andprotects the privacy rights of our customers. This means that at no time did Microsoft, Covington, or any outside technical services provider access IMOD’s content as part of our investigation. Rather, the investigation focused on Microsoft’s own business data. Findings Our relationship with IMOD is structured as a standard commercial relationship.1 Like all our customers, IMOD’s use of our technology is bound by Microsoft’s terms of service and conditions of use, including our Acceptable Use Policy and our Enterprise AI Services Code of Conduct. These require customers to implement core responsible AI practices–such as human oversight and access controls–and prohibit certain uses of our cloud and AI services, such as uses that facilitate the mass surveillance of civilian populations. As Microsoft shared publicly on September 25, 2025, Covington’s investigation found evidence that supported elements of The Guardian’s reporting. This evidence included information relating to IMOD consumption of Azure storage in the Netherlands and use of AI services. Covington completed its work after our report on September 25, 2025, and its factual findings remain the same. As also shared in September 2025, we informed IMOD of Microsoft’s decision to cease and disable specified IMOD subscriptions and services, including their use of specific cloud storage and AI services and technologies. We reviewed this suspension decision with IMOD. We gave IMOD representatives an opportunity to provide further information showing that their use of the disabled services was consistent with our terms of service. According to public reporting at the time, IMOD apparently planned to transfer the data at issue to a competing cloud platform. Microsoft works with countries and public sector customers around the world, including IMOD. We provide IMOD with software, professional services, Azure cloud services, and Azure AI services, including language translation. As with many governments around the world, we also work with the Israeli government to protect its national cyberspace against external threats. FOLLOW-UP STEPS Following its factual review, Covington, at our request, conducted further inquiries and analysis to help us consider ways in which we might improve Microsoft’s processes. Covington shared suggestions at the completion of that work. We are moving forward to implement Covington’s suggestions, as well as other ideas we have developed, to further enhance both the clarity and effectiveness of our human rights governance and predictability for our customers. This work breaks down into five areas. 1. Enhance existing pre-contract review processes for national security-related engagements. We are already well underway making changes to our pre-contract review process for national security-related engagements. A team has undertaken a thorough review of the existing process and is developing ways to efficiently apply it while improving the effectiveness of our human rights due diligence. 2. Review existing processes and controls for Microsoft oversight of security clearances in relevant non-U.S. markets. Microsoft diligently adheres to security clearance laws and regulations in every country we work in, and we will continue to do so. Making good on this commitment requires clear guidance to employees and clear communications with our government partners. We are taking a closer look at how we manage security clearances in certain countries and will make changes to ensure that our employees understand how to navigate security clearance requirements as part of their work for Microsoft. 3. Undertake periodic reviews of acceptable use and national security-related policies and their application in light of new information, such as evolving scope of work or intervening events. Microsoft’s principles have held steady for decades, and we will continue to find ways to explain and apply those principles as technology advances and the world around us changes. We are working on ways to follow changes in particular areas around the world so that we can help our customers understand how Microsoft’s principles apply to new political circumstances or changes to sensitive projects. In addition, we have identified opportunities to strengthen our continuous due diligence approach, including in conflict-affected and high-risk areas. The human rights team is leading the effort to increase internal awareness of human rights governance, reexamine triggers for added due diligence, and develop clearer escalation pathways across subject matter expert teams. 4. Provide additional guidance to employees regarding Microsoft’s policies related to the acceptable use of its products and services, including how they apply in practice and when and how to escalate related questions. Microsoft trusts its employees to follow our policies and raise concerns. We are working to improve our training programs to help our employees understand our policies and continue to hold Microsoft to the highest standard. 5. Provide additional mechanisms for employees to raise concerns about development or deployment of technology and our commitments. As Microsoft’s Vice Chair and President, Brad Smith, shared with the entire company via a standalone email announcement last fall, we have already strengthened our diligence processes by expanding how employees can report information and concerns. Specifically, any employee with a concern about practices that they believe may violate the company’s policies regarding the development and deployment of our technology may report that concern through a new section in the Microsoft Integrity Portal called “Trusted Technology Review.” Concerns may be raised anonymously. The Trusted Technology group, which operates the portal, follows up to address reported information and, where appropriate, routes information to appropriate teams for action. At all times, our standard confidentiality and non-retaliation policies apply. This new reporting mechanism will also be covered in our annual company-wide training in FY27.CONCLUSION Microsoft is a company guided by principle. We continue to consider lessons learned and apply them to how we run our business and advance our mission in an increasingly complex world. We will continue to seek input from human rights experts and stakeholders to help identify emerging risks, incorporate lessons learned, and refine our approach to respecting human rights. Microsoft publishes an annual Human Rights Transparency Report to describe our salient human rights issues, due diligence processes, and progress, and we plan to share updates on these efforts as part of that regular reporting.
Leave a Reply