NSA Fallout: Microsoft Rethinks Customer Data ControlsFallout over NSA surveillance drives Microsoft to promise widespread security and privacy improvements. But do they go far enough?
Stung by revelations that the National Security Agency (NSA) has been conducting a massive surveillance operation against users of online services, Microsoft responded Wednesday by saying that it would encrypt -- or use stronger crypto -- for more of its services, as well as warn business and government users when it receives legal requests for their data. The company also promised to open a network of transparency centers to allow customers to review Microsoft's source code and confirm that it contains no backdoors.
"Many of our customers have serious concerns about government surveillance of the Internet," Brad Smith, general counsel and executive vice president for legal and corporate affairs at Microsoft, said Wednesday in a blog post announcing the changes. "We share their concerns. That's why we are taking steps to ensure governments use legal process rather than technological brute force to access customer data."
Senior executives at Microsoft had reportedly already considered making those changes. But they were driven into action after NSA documents leaked by Edward Snowden suggested that intelligence agencies worldwide were spying on data and communications handled by the likes of Facebook, Google, Microsoft, and Yahoo, perhaps by hacking directly into their datacenters. Industry analysts have warned that the resulting fallout from those revelations could cost global online service providers $180 billion in lost revenue by 2016.
[Existing legislation for online privacy is woefully outdated. It's time for Congress to act. Read Electronic Privacy Laws Need An Overhaul.]
"The idea that the government may be hacking into corporate data centers was a bit like an earthquake, sending shock waves across the tech sector," Smith told The New York Times. "We concluded that we better assume that there might be such an attempt at Microsoft, or has already been."
Accordingly, by the end of 2014, Microsoft has promised to overhaul its use of crypto for all of its major communications, productivity, and developer services, including Office 365, Outlook.com, SkyDrive, and Windows Azure. That includes adopting the Perfect Forward Secrecy public-key system, as well as stronger 2048-bit key lengths. "Office 365 and Outlook.com customer content is already encrypted when traveling between customers and Microsoft, and most Office 365 workloads as well as Windows Azure storage are now encrypted in transit between our data centers," said Smith. "In other areas we're accelerating plans to provide encryption."
One goal is to get any intelligence or law enforcement agencies that might try to hack into Microsoft's services or networks to instead need to go to court to get a subpoena. In addition, these changes might help defuse what's sure to become an escalating arms race between Microsoft and the NSA, or any foreign intelligence agency that wants all-you-can-eat access to Microsoft customers' data or communications.
"We all want to live in a world that is safe and secure, but we also want to live in a country that is protected by the Constitution," said Smith. "We want to ensure that important questions about government access are decided by courts rather than dictated by technological might."
On the transparency tip, meanwhile, Microsoft promised to notify all business and government customers whenever it received a legal order relating to their data. It also promised to challenge all related gag orders in the court. One related goal of that move is to try to get law enforcement agencies to go directly to businesses from which they want to retrieve data, rather than surreptitiously obtaining it from Microsoft and other such companies.
In order to allow customers to review the integrity of Microsoft's products, the company said it would extend a program it already offers to some government agencies and begin allowing selected customers to review the source code for a selection of products -- to be expanded in the future -- via regional transparency centers located in Europe, Asia, North America, and South America.
But do Microsoft's promised changes go far enough? Secure messaging service Silent Circle, as well as Lavabit founder Ladar Levison, have been urging other online communications providers to adopt a new email protocol called Dark Mail, which was developed by Silent Circle's team, which includes Pretty Good Privacy (PGP) creator Phil Zimmerman.
Unlike today's webmail service providers, Dark Mail would tackle information security by relying on private encryption keys held only by email users. According to Silent Circle's overview, the "dark" aspect doesn't imply anything sinister, but rather "that it is secure, private, and that your written words are not viewed by some data-mining tech firm or a surveillance-hungry government agency."
But according to Silent Circle CEO Mike Janke, it's not clear whether online service providers will embrace an approach such as Dark Mail. "The real friction point is that Yahoo, Google and Microsoft make money mining off free email," he told the NY Times. "They say they're concerned about user privacy. Now we'll see if they really care."
The use of cloud technology is booming, often offering the only way to meet customers', employees', and partners' rapidly rising requirements. But IT pros are rightly nervous about a lack of visibility into the security of data in the cloud. In this Dark Reading report, Integrating Vulnerability Management Into The Application Development Process, we put the risk in context and offer recommendations for products and practices that can increase insight -- and enterprise security. (Free registration required.)