7/12/2013
11:37 AM

Microsoft Helped NSA Siphon Hotmail, Skype User Data

Microsoft says it takes your privacy seriously, but legal compliance with court-ordered NSA surveillance programs -- including Prism -- is mandatory.

"Your privacy is our priority." So goes the tagline for Microsoft's marketing campaign launched in April.

While it's a worthy sentiment, leaked National Security Agency (NSA) documents show that the U.S. government agency has a different priority: Direct access to all Hotmail and Outlook.com emails, as well as all audio and video communications handled by Skype, which has an estimated 663 million global users.

The documents, which were leaked by former NSA contractor Edward Snowden, were first cited Friday -- but not published in full -- by the Guardian.

The leaked information shows the extent to which Microsoft -- and by extension other technology giants, including Google and Facebook -- have worked with the FBI, which serves as a liaison between technology companies and the NSA. One result has been to give the NSA and CIA direct access to their systems, as part of the so-called Prism program, amongst other court-ordered U.S. surveillance efforts.


The documents demonstrate that access to Microsoft's systems by U.S. intelligence agencies isn't superficial. Indeed, an internal NSA memo cited by the Guardian said that Microsoft's switch to a new Outlook.com encryption system in February wouldn't interrupt the agency's free access to encrypted emails or chat sessions. "For Prism collection against Hotmail, Live and Outlook.com, emails will be unaffected because Prism collects this data prior to encryption," it said. A similar system now also appears to be in place for Microsoft's SkyDrive cloud storage service.

According to the referenced documents, Microsoft's work with the NSA to allow it to intercept Skype communications began in November 2010. The company was then ordered on Feb. 4, 2011, in a directive signed by the attorney general, to comply with the program. Two days later, the NSA began collecting Skype communications, although technical challenges appeared to prevent the agency from being able to reliably record video. By July 2012, however, that challenge had been surmounted, and the volume of intercepted video rapidly increased.

In Microsoft's defense: Legally speaking, there's little, if anything, it could have done differently. Furthermore, Microsoft officials are legally prohibited from discussing the contents of Foreign Intelligence Surveillance Court orders, with which they must comply or risk going to jail.

A Microsoft spokeswoman, in an emailed statement, said: "We take our commitments to our customers and to compliance with applicable law very seriously, so we provide customer data only in response to legal processes."

Microsoft also said its participation was contingent on the law enforcement and national security information requests being legally sound as well as targeted. "We only ever comply with orders about specific accounts or identifiers, and we would not respond to the kind of blanket orders discussed in the press over the past few weeks, as the volumes documented in our most recent disclosure clearly illustrate." That disclosure refers to Apple, Facebook, Microsoft and Yahoo having detailed the number of requests they've received for customer data from the U.S. government, after requesting and receiving permission to do so from the Department of Justice.

Intelligence officials emphasized that U.S. businesses have a legal responsibility to comply with court-ordered requests to furnish information on their customers and users. "The articles describe court-ordered surveillance -- and a U.S. company's efforts to comply with these legally mandated requirements," said Shawn Turner, the director of public affairs for the Director of National Intelligence, and Judith Emmel, the director of public affairs for the NSA, in a joint emailed statement. "The U.S. operates its programs under a strict oversight regime, with careful monitoring by the courts, Congress and the Director of National Intelligence. Not all countries have equivalent oversight requirements to protect civil liberties and privacy."

"In practice, U.S. companies put energy, focus and commitment into consistently protecting the privacy of their customers around the world, while meeting their obligations under the laws of the U.S. and other countries in which they operate," they said.

But Microsoft's hands remain tied when it comes to the company being able to explain exactly how it must comply with law enforcement and national security information requests. Accordingly, Microsoft and Google, working with a number of privacy and civil liberties groups, Monday filed an amicus brief with the Foreign Intelligence Surveillance Court, seeking to lift the gag order that prevents them from discussing how they furnish data to the NSA. Yahoo, meanwhile, demanded in a Foreign Intelligence Surveillance Court filing that the court publish its legal argument against a key 2008 case in which Yahoo was compelled to participate, saying it would show the technology company "objected strenuously" to the NSA's data-capture demands.

Microsoft's statement also suggested that the company hasn't been able to tell its side of the story. "There are aspects of this debate that we wish we were able to discuss more freely. That's why we've argued for additional transparency that would help everyone understand and debate these important issues," it said.

Comments
anon2505770614, User Rank: Apprentice
8/31/2013 | 4:15:20 AM
re: Microsoft Helped NSA Siphon Hotmail, Skype User Data
At best they could have done what others more recently have done and shut off the service. They couldn't say why, due to the nature of FISA orders, but they could have chosen to state something like "Due to government regulations we may no longer offer you a secure communications platform."
Cara Latham, User Rank: Apprentice
7/15/2013 | 12:27:10 PM
re: Microsoft Helped NSA Siphon Hotmail, Skype User Data
As the article mentions, I'm not sure anyone at Microsoft could have done anything more to protect users' privacy. It seems to me users should be pushing for transparency of the government's, specifically the NSA's, actions to force Microsoft and other companies to comply. Something tells me the extent to which the government is seeking access to user data is greater than the actual need of the data for security purposes.
moarsauce123, User Rank: Apprentice
7/13/2013 | 3:18:21 PM
re: Microsoft Helped NSA Siphon Hotmail, Skype User Data
Microsoft should have resisted the court orders if they indeed consider privacy that important. They may not have won the fight in the end, but it surely would have become public, and Microsoft has pockets deep enough to take on the government. But in the end more profit was to be made by aiding illegal spy programs than by standing on moral ground. At least Google tells you that anything you give them will be turned into cash.