10:04 AM

How NSA Data Demands On Microsoft Shape Your Security

Microsoft is legally prevented from saying too much about charges it collaborated with the NSA. Product security gets caught in this complex situation.

Is Microsoft -- and by extension the likes of Google and Yahoo -- being prevented from adding security improvements to its consumer Web services because of U.S. government surveillance demands?

A review of the recent wrangling among Microsoft, the U.S. government and critics of Microsoft's cooperation with government surveillance efforts provides a glimpse into this complex state of affairs.

The Guardian last week accused Microsoft of giving the U.S. National Security Agency backdoor access to Outlook.com encryption and Skype communications to facilitate the NSA's anti-terrorism surveillance programs. To be fair to Microsoft, the NSA can already directly access data from multiple Web services, including Gmail, Hotmail and Yahoo, plus numerous chat and video services, according to documents leaked by NSA contractor Edward Snowden.

The Guardian's story led Microsoft to issue a 1,400-word blog post, titled "Responding to government legal demands for customer data," in which it asserted that "there are significant inaccuracies in the interpretations of leaked government documents reported in the media."

What are those inaccuracies? We don't know. Microsoft says it's legally prohibited from detailing them. It also says it can't say more about the data demands approved by the Foreign Intelligence Surveillance (aka FISA) Court, with which it must comply. "Today we have asked the Attorney General of the United States to personally take action to permit Microsoft and other companies to share publicly more complete information about how we handle national security requests for customer information," wrote Microsoft general counsel Brad Smith last week. "We believe the U.S. Constitution guarantees our freedom to share more information with the public, yet the government is stopping us."

Or as parodied by Belarusian writer and researcher Evgeny Morozov: "To be clear, this statement that our company has written to clarify its relationship with NSA is not meant to make anything clear."

Then again, is it fair to ask Microsoft's PR and legal machines to operate with their hands tied behind their backs? "Microsoft is obligated to comply with the applicable laws that governments around the world -- not just the United States -- pass, and this includes responding to legal demands for customer data," Smith said. "All of us now live in a world in which companies and government agencies are using big data, and it would be a mistake to assume this somehow is confined to the United States."

Despite the gag order preventing Microsoft from fully responding to the criticism leveled against it, Smith claimed that on the Outlook.com front, "we do not provide any government with direct access to emails or instant messages." Furthermore, he said that changes made to Skype in 2012 "were not made to facilitate greater government access to audio, video, messaging or other customer data."

It's not Microsoft's fault that governments want this information. Furthermore, White House and intelligence officials insist (of course) that such data is being collected only in legal ways. But could, and should, Microsoft be taking steps that might raise the bar for intelligence agencies that want to collect intelligence on its users?

For example, the Communications Assistance for Law Enforcement Act (CALEA), while requiring some businesses to let the government wiretap their communications, also says that "a telecommunications carrier shall not be responsible for decrypting, or ensuring the government's ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication."

Then again, "a secret order from the FISA Court, which might be among the 'aspects of this debate' that Microsoft finds it's unable to discuss, could provide a new reason why Microsoft doesn't act to better protect Skype users against eavesdropping," said Seth Schoen, a senior staff technologist at the Electronic Frontier Foundation (EFF), in a blog post. "If the secret order required Microsoft to turn over Skype users' communications on an ongoing basis, Microsoft might fear that changing the Skype technology in a way that stopped it from complying would violate the order." In other words, the government's demands for data might make it difficult for Microsoft to alter its system, at least in a way that trades enhanced encryption for easy interception.

For example, while Skype offers "end to end" encryption, the EFF says Skype also serves as a certificate authority for users. As a result, anyone with access to Skype's keys could intercept any Skype communications. In other words, "Skype is in a position to give the government sufficient data to perform a man-in-the-middle attack against Skype users," Christopher Soghoian, a principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project, argued last year.

"This security limitation has concerned us for a long time," said the EFF's Schoen. "One way of limiting man-in-the-middle attacks would be for Skype to introduce a way for users to do their own encryption key verification, without relying on the Skype service." Such a feature would let users verify that they're not being spied on, and other encryption systems already offer this feature, including PGP and HTTPS. But Skype -- since acquired by Microsoft -- has declined to add such a feature, despite related requests from privacy rights groups.
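The key verification Schoen describes, sketched as an added example (not code from the article, Skype or the EFF): a service that certifies user keys can re-certify a different key, and only a fingerprint exchanged outside the service exposes the swap. `KeyService`, `fingerprint` and `accept_key` are hypothetical names; random bytes stand in for public keys and an HMAC stands in for the service's certificate signature.

```python
import hashlib
import hmac
import secrets

class KeyService:
    """Toy stand-in for a service that certifies its users' public keys."""
    def __init__(self):
        self._signing_key = secrets.token_bytes(32)
        self._directory = {}

    def _certify(self, name, public_key):
        # HMAC stands in for the CA signature; a real CA uses an asymmetric one.
        data = name.encode() + b"\x00" + public_key
        return hmac.new(self._signing_key, data, hashlib.sha256).digest()

    def register(self, name, public_key):
        self._directory[name] = (public_key, self._certify(name, public_key))

    def lookup(self, name):
        return self._directory[name]

    def certificate_valid(self, name, public_key, cert):
        return hmac.compare_digest(cert, self._certify(name, public_key))

def fingerprint(public_key):
    """Short digest two users can read aloud or compare in person."""
    digest = hashlib.sha256(public_key).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))

def accept_key(service, name, expected_fingerprint=None):
    # Returns (accepted, reason) for the key the service hands out for `name`.
    public_key, cert = service.lookup(name)
    if not service.certificate_valid(name, public_key, cert):
        return False, "certificate invalid"
    if expected_fingerprint is None:
        return True, "trusted on the service's word"
    if hmac.compare_digest(fingerprint(public_key), expected_fingerprint):
        return True, "fingerprint verified"
    return False, "fingerprint mismatch"

def demo():
    service = KeyService()
    alice_key = secrets.token_bytes(32)    # constructed sample key material
    service.register("alice", alice_key)
    out_of_band = fingerprint(alice_key)   # Alice hands this to Bob directly
    before = accept_key(service, "alice", out_of_band)
    service.register("alice", secrets.token_bytes(32))  # service swaps the key
    return before, accept_key(service, "alice"), accept_key(service, "alice", out_of_band)
```

The swapped key still carries a valid certificate, so a client that relies on the service alone accepts it; the client holding the out-of-band fingerprint rejects it.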

The continuing rise in cybercrime, of course, means that everyone's communications need better safeguarding against interception. Intelligence agents aren't the only people who can execute man-in-the-middle attacks against Skype or target Gmail accounts. In the wake of PRISM and every other obscurely named NSA surveillance program under the sun demanding freer access to Web data, is this government-ordered surveillance subverting the information security of widely used consumer services?

That's also a topic Microsoft is legally prevented from addressing. The White House, responding to a suit filed by the ACLU, claimed last week that the NSA's surveillance programs are fully legal. "The alleged metadata program is fully consistent with the Fourth Amendment" prohibition against unreasonable search or seizure, and thus doesn't violate the free speech protections of the First Amendment, assistant U.S. attorney David S. Jones wrote in a Thursday filing to U.S. District Judge William H. Pauley.

Even if Microsoft and the NSA could freely discuss the tradeoffs inherent in the current surveillance programs, there aren't easy answers. Federal judge James G. Carr, who served on the FISA Court from 2002 to 2008, has called on Congress to let the court appoint technologically sophisticated, pro-bono lawyers "with high-level security clearance" to argue against the government's filings and help judges balance surveillance requests with civil liberties concerns. In other words, let the judges tasked with overseeing FISA requests actually understand the full implications of those requests.

Better oversight might also address the open question of whether the NSA's voracious data-interception demands are weakening the information security protections being offered to consumers and businesses.

7/29/2013 | 3:04:58 PM
re: How NSA Data Demands On Microsoft Shape Your Security
Microsoft (and Google and Yahoo and Facebook and etc) are conveniently feigning powerlessness when it comes to these NSA programs. Setting aside 4th amendment issues, these companies' constitutional 1st amendment right to free speech is infringed upon by Section 215 of the Patriot Act. Without revealing the specific orders, they have legal standing to take this to the appropriate, open federal court to challenge the relevant sections of the law. They simply fail, due to incompetence or willful neglect, to defend their rights. Additionally, while section 215 does gag any of these companies from disclosing FISA court orders, it does not prevent them from disclosing information about their software. That is, the Patriot Act does not stop them from hiring an independent firm to audit their software and provide a public report on the security. If they want. Either way, Microsoft et al are partially responsible for their fate in this matter.