Risk
7/12/2013
11:37 AM
50%
50%

Microsoft Helped NSA Siphon Hotmail, Skype User Data

Microsoft says it takes your privacy seriously, but legal compliance with court-ordered NSA surveillance programs -- including Prism -- is mandatory.

"Your privacy is our priority." So goes the tagline for Microsoft's marketing campaign launched in April.

While it's a worthy sentiment, leaked National Security Agency (NSA) documents show that the U.S. government agency has a different priority: Direct access to all Hotmail and Outlook.com emails, as well as all audio and video communications handled by Skype, which has an estimated 663 million global users.

The documents, which were leaked by former NSA contractor Edward Snowden, were first cited Friday -- but not published in full -- by the Guardian.

The leaked information shows the extent to which Microsoft -- and by extension other technology giants, including Google and Facebook -- have worked with the FBI, which serves as a liaison between technology companies and the NSA. One result has been to give the NSA and CIA direct access to their systems, as part of the so-called Prism program, amongst other court-ordered U.S. surveillance efforts.

[ Hackers tell the feds, "it's not us, it's you." Read NSA Fallout: No Feds At Def Con. ]

The documents demonstrate that access to Microsoft's systems by U.S. intelligence agencies isn't superficial. Indeed, an internal NSA memo cited by the Guardian said that Microsoft's switch to a new Outlook.com encryption system in February wouldn't interrupt the agency's free access to encrypted emails or chat sessions. "For Prism collection against Hotmail, Live and Outlook.com, emails will be unaffected because Prism collects this data prior to encryption," it said. A similar system now also appears to be in place for Microsoft's SkyDrive cloud storage service.

According to the referenced documents, Microsoft's work with the NSA to allow it to intercept Skype communications began in November 2010. The company was then ordered on Feb. 4, 2011, in a directive signed by the attorney general, to comply with the program. Two days later, the NSA began collecting Skype communications, although technical challenges appeared to prevent the agency from being able to reliably record video. By July 2012, however, that challenge had been surmounted, and the volume of intercepted video rapidly increased.

In Microsoft's defense: Legally speaking, there's little, if anything, it could have done differently. Furthermore, Microsoft officials are legally prohibited from discussing the contents of Foreign Intelligence Surveillance Court orders, with which they must comply or risk going to jail.

A Microsoft spokeswoman, in an emailed statement, said: "We take our commitments to our customers and to compliance with applicable law very seriously, so we provide customer data only in response to legal processes."

Microsoft also said its participation was contingent on the law enforcement and national security information requests being legally sound as well as targeted. "We only ever comply with orders about specific accounts or identifiers, and we would not respond to the kind of blanket orders discussed in the press over the past few weeks, as the volumes documented in our most recent disclosure clearly illustrate." That disclosure refers to Apple, Facebook, Microsoft and Yahoo having detailed the number of requests they've received for customer data from the U.S. government, after requesting and receiving permission to do so from the Department of Justice.

Intelligence officials emphasized that U.S. businesses have a legal responsibility to comply with court-ordered requests to furnish information on their customers and users. "The articles describe court-ordered surveillance -- and a U.S. company's efforts to comply with these legally mandated requirements," said Shawn Turner, the director of public affairs for the Director of National Intelligence, and Judith Emmel, the director of public affairs for the NSA, in a joint emailed statement. "The U.S. operates its programs under a strict oversight regime, with careful monitoring by the courts, Congress and the Director of National Intelligence. Not all countries have equivalent oversight requirements to protect civil liberties and privacy."

"In practice, U.S. companies put energy, focus and commitment into consistently protecting the privacy of their customers around the world, while meeting their obligations under the laws of the U.S. and other countries in which they operate," they said.

But Microsoft's hands remain tied when it comes to the company being able to explain exactly how it must comply with law enforcement and national security information requests. Accordingly, Microsoft and Google, working with a number of privacy and civil liberties groups, Monday filed an amicus brief with the Foreign Intelligence Surveillance Court, seeking to lift the gag order that prevents them from discussing how they furnish data to the NSA. Yahoo, meanwhile, demanded in a Foreign Intelligence Surveillance Court filing that the court publish its legal argument against a key 2008 case in which Yahoo was compelled to participate, saying it would show the technology company "objected strenuously" to the NSA's data-capture demands.

Microsoft's statement also suggested that the company hasn't been able to tell its side of the story. "There are aspects of this debate that we wish we were able to discuss more freely. That's why we've argued for additional transparency that would help everyone understand and debate these important issues," it said.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
7/13/2013 | 3:18:21 PM
re: Microsoft Helped NSA Siphon Hotmail, Skype User Data
Microsoft should have resisted the court orders if they indeed consider privacy that important. They may not have won the fight in the end, but it surely would have been become public and Microsoft has pockets deep enough to take on the government. But in the end more profit was to be made by aiding illegal spy programs than stand on moral ground. At least Goggle tells you that anything you give them will be turned into cash.
anon2505770614
50%
50%
anon2505770614,
User Rank: Apprentice
8/31/2013 | 4:15:20 AM
re: Microsoft Helped NSA Siphon Hotmail, Skype User Data
At best they could have done what others more recently have done and shut off the service. They couldn't say why, due to the nature of FISA orders, but they could have chosen to state something like "Due to government regulations we may no longer offer you a secure communications platform."
Cara Latham
50%
50%
Cara Latham,
User Rank: Apprentice
7/15/2013 | 12:27:10 PM
re: Microsoft Helped NSA Siphon Hotmail, Skype User Data
As the article mentions, I'm not sure anyone at Microsoft could have done anything more to protect user's privacy. It seems to me users should be pushing for transparency of the government's, specifically the NSA's, actions to force Microsoft and other companies to comply. Something tells me the extent to which the government is seeking access to user data is greater than the actual need of the data for security purposes.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5208
Published: 2014-12-22
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbit...

CVE-2014-7286
Published: 2014-12-22
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.

CVE-2014-8015
Published: 2014-12-22
The Sponsor Portal in Cisco Identity Services Engine (ISE) allows remote authenticated users to obtain access to an arbitrary sponsor's guest account via a modified HTTP request, aka Bug ID CSCur64400.

CVE-2014-8017
Published: 2014-12-22
The periodic-backup feature in Cisco Identity Services Engine (ISE) allows remote attackers to discover backup-encryption passwords via a crafted request that triggers inclusion of a password in a reply, aka Bug ID CSCur41673.

CVE-2014-8018
Published: 2014-12-22
Multiple cross-site scripting (XSS) vulnerabilities in Business Voice Services Manager (BVSM) pages in the Application Software in Cisco Unified Communications Domain Manager 8 allow remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug IDs CSCur19651, CSCur18555, CSCur1...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.