Risk
7/12/2013
11:37 AM

Microsoft Helped NSA Siphon Hotmail, Skype User Data

Microsoft says it takes your privacy seriously, but legal compliance with court-ordered NSA surveillance programs -- including Prism -- is mandatory.

"Your privacy is our priority." So goes the tagline for Microsoft's marketing campaign launched in April.

While it's a worthy sentiment, leaked National Security Agency (NSA) documents show that the U.S. government agency has a different priority: Direct access to all Hotmail and Outlook.com emails, as well as all audio and video communications handled by Skype, which has an estimated 663 million global users.

The documents, which were leaked by former NSA contractor Edward Snowden, were first cited Friday -- but not published in full -- by the Guardian.

The leaked information shows the extent to which Microsoft -- and by extension other technology giants, including Google and Facebook -- have worked with the FBI, which serves as a liaison between technology companies and the NSA. One result has been to give the NSA and CIA direct access to their systems, as part of the so-called Prism program, amongst other court-ordered U.S. surveillance efforts.

The documents demonstrate that access to Microsoft's systems by U.S. intelligence agencies isn't superficial. Indeed, an internal NSA memo cited by the Guardian said that Microsoft's switch to a new Outlook.com encryption system in February wouldn't interrupt the agency's free access to encrypted emails or chat sessions. "For Prism collection against Hotmail, Live and Outlook.com, emails will be unaffected because Prism collects this data prior to encryption," it said. A similar system now also appears to be in place for Microsoft's SkyDrive cloud storage service.

According to the referenced documents, Microsoft's work with the NSA to allow it to intercept Skype communications began in November 2010. The company was then ordered on Feb. 4, 2011, in a directive signed by the attorney general, to comply with the program. Two days later, the NSA began collecting Skype communications, although technical challenges appeared to prevent the agency from being able to reliably record video. By July 2012, however, that challenge had been surmounted, and the volume of intercepted video rapidly increased.

In Microsoft's defense: Legally speaking, there's little, if anything, it could have done differently. Furthermore, Microsoft officials are legally prohibited from discussing the contents of Foreign Intelligence Surveillance Court orders, with which they must comply or risk going to jail.

A Microsoft spokeswoman, in an emailed statement, said: "We take our commitments to our customers and to compliance with applicable law very seriously, so we provide customer data only in response to legal processes."

Microsoft also said its participation was contingent on the law enforcement and national security information requests being legally sound as well as targeted. "We only ever comply with orders about specific accounts or identifiers, and we would not respond to the kind of blanket orders discussed in the press over the past few weeks, as the volumes documented in our most recent disclosure clearly illustrate." That disclosure refers to Apple, Facebook, Microsoft and Yahoo having detailed the number of requests they've received for customer data from the U.S. government, after requesting and receiving permission to do so from the Department of Justice.

Intelligence officials emphasized that U.S. businesses have a legal responsibility to comply with court-ordered requests to furnish information on their customers and users. "The articles describe court-ordered surveillance -- and a U.S. company's efforts to comply with these legally mandated requirements," said Shawn Turner, the director of public affairs for the Director of National Intelligence, and Judith Emmel, the director of public affairs for the NSA, in a joint emailed statement. "The U.S. operates its programs under a strict oversight regime, with careful monitoring by the courts, Congress and the Director of National Intelligence. Not all countries have equivalent oversight requirements to protect civil liberties and privacy."

"In practice, U.S. companies put energy, focus and commitment into consistently protecting the privacy of their customers around the world, while meeting their obligations under the laws of the U.S. and other countries in which they operate," they said.

But Microsoft's hands remain tied when it comes to the company being able to explain exactly how it must comply with law enforcement and national security information requests. Accordingly, Microsoft and Google, working with a number of privacy and civil liberties groups, Monday filed an amicus brief with the Foreign Intelligence Surveillance Court, seeking to lift the gag order that prevents them from discussing how they furnish data to the NSA. Yahoo, meanwhile, demanded in a Foreign Intelligence Surveillance Court filing that the court publish its legal argument against a key 2008 case in which Yahoo was compelled to participate, saying it would show the technology company "objected strenuously" to the NSA's data-capture demands.

Microsoft's statement also suggested that the company hasn't been able to tell its side of the story. "There are aspects of this debate that we wish we were able to discuss more freely. That's why we've argued for additional transparency that would help everyone understand and debate these important issues," it said.

Comments
anon2505770614,
User Rank: Apprentice
8/31/2013 | 4:15:20 AM
re: Microsoft Helped NSA Siphon Hotmail, Skype User Data
At best they could have done what others more recently have done and shut off the service. They couldn't say why, due to the nature of FISA orders, but they could have chosen to state something like "Due to government regulations we may no longer offer you a secure communications platform."
Cara Latham,
User Rank: Apprentice
7/15/2013 | 12:27:10 PM
re: Microsoft Helped NSA Siphon Hotmail, Skype User Data
As the article mentions, I'm not sure anyone at Microsoft could have done anything more to protect users' privacy. It seems to me users should be pushing for transparency of the government's, specifically the NSA's, actions to force Microsoft and other companies to comply. Something tells me the extent to which the government is seeking access to user data is greater than the actual need of the data for security purposes.
moarsauce123,
User Rank: Apprentice
7/13/2013 | 3:18:21 PM
re: Microsoft Helped NSA Siphon Hotmail, Skype User Data
Microsoft should have resisted the court orders if they indeed consider privacy that important. They may not have won the fight in the end, but it surely would have become public and Microsoft has pockets deep enough to take on the government. But in the end more profit was to be made by aiding illegal spy programs than stand on moral ground. At least Google tells you that anything you give them will be turned into cash.