We request an urgent dialogue regarding potential inconsistencies between Microsoft’s obligations under international humanitarian and human rights law and the company’s ongoing business operations and relationships in Russia that may contribute to, or be linked with, human rights harms...

On March 4th, 2022, Microsoft announced that it suspended all new sales of Microsoft products and services in Russia, as well as stopped “many aspects of [its] business in Russia in compliance with governmental sanctions decisions.” The statement also details Microsoft’s humanitarian aid to the people of Ukraine, as well as the actions the company has taken in order to provide improved cybersecurity to Ukraine, which is commendable. In June, Microsoft announced further substantial cuts to its business in Russia, but that the company will fulfil its existing contractual obligations with its Russian customers.

In September, Russian customers were reportedly unable to download the new Windows 10 and 11 OS updates. However, Russian media reports that as of December 2022 Microsoft has permitted Russians to download and install its Windows operating system and updates, including Windows 11, 10, Windows 8.1. and Windows 7.

...[I]t was reported that Microsoft has been fined over $3 million for supposedly breaching U.S. sanctions on Russia (and other countries). The reason behind the fine was that Microsoft’s software and services were found to have been acquired by blacklisted individuals and companies in the Crimea region of Ukraine. The breach led to the sale of $12 million in products and services to blacklisted parties between December 2016 and December 2017.

The company allegedly uses an indirect resale model in Russia to develop sales leads and negotiate bulk sales with end customers, which ultimately resulted in the failure to obtain accurate information about some of these end users. Some of Microsoft’s Russian employees have reportedly intentionally circumvented the company’s screening procedures. The company’s spokesperson stated: “Microsoft takes export control and sanctions compliance very seriously, which is why after learning of the screening failures and infractions of a few employees, we voluntarily disclosed them to the appropriate authorities.”

In light of Microsoft’s statements and the full-scale Russian invasion of Ukraine, we are writing now to enquire whether Microsoft has reconsidered its business practices that initially led to these sanction violations; what policies and practices has Microsoft employed to prevent such breaches from happening again; and what is the current exposure of Microsoft’s business in Russia...