Analytics // Security Monitoring
11:00 AM

NSA Fallout: Microsoft Rethinks Customer Data Controls

Fallout over NSA surveillance drives Microsoft to promise widespread security and privacy improvements. But do they go far enough?

Stung by revelations that the National Security Agency (NSA) has been conducting a massive surveillance operation against users of online services, Microsoft responded Wednesday by saying that it would encrypt -- or use stronger crypto -- for more of its services, as well as warn business and government users when it receives legal requests for their data. The company also promised to open a network of transparency centers to allow customers to review Microsoft's source code and confirm that it contains no backdoors.

"Many of our customers have serious concerns about government surveillance of the Internet," Brad Smith, general counsel and executive vice president for legal and corporate affairs at Microsoft, said Wednesday in a blog post announcing the changes. "We share their concerns. That's why we are taking steps to ensure governments use legal process rather than technological brute force to access customer data."

Senior executives at Microsoft had reportedly already considered making those changes. But they were driven into action after NSA documents leaked by Edward Snowden suggested that intelligence agencies worldwide were spying on data and communications handled by the likes of Facebook, Google, Microsoft, and Yahoo, perhaps by hacking directly into their datacenters. Industry analysts have warned that the resulting fallout from those revelations could cost global online service providers $180 billion in lost revenue by 2016.

[Existing legislation for online privacy is woefully outdated. It's time for Congress to act. Read Electronic Privacy Laws Need An Overhaul.]

"The idea that the government may be hacking into corporate data centers was a bit like an earthquake, sending shock waves across the tech sector," Smith told The New York Times. "We concluded that we better assume that there might be such an attempt at Microsoft, or has already been."

Accordingly, by the end of 2014, Microsoft has promised to overhaul its use of crypto for all of its major communications, productivity, and developer services, including Office 365,, SkyDrive, and Windows Azure. That includes adopting the Perfect Forward Secrecy public-key system, as well as stronger 2048-bit key lengths. "Office 365 and customer content is already encrypted when traveling between customers and Microsoft, and most Office 365 workloads as well as Windows Azure storage are now encrypted in transit between our data centers," said Smith. "In other areas we're accelerating plans to provide encryption."

One goal is to get any intelligence or law enforcement agencies that might try to hack into Microsoft's services or networks to instead need to go to court to get a subpoena. In addition, these changes might help defuse what's sure to become an escalating arms race between Microsoft and the NSA, or any foreign intelligence agency that wants all-you-can-eat access to Microsoft customers' data or communications.

"We all want to live in a world that is safe and secure, but we also want to live in a country that is protected by the Constitution," said Smith. "We want to ensure that important questions about government access are decided by courts rather than dictated by technological might."

On the transparency tip, meanwhile, Microsoft promised to notify all business and government customers whenever it received a legal order relating to their data. It also promised to challenge all related gag orders in the court. One related goal of that move is to try to get law enforcement agencies to go directly to businesses from which they want to retrieve data, rather than surreptitiously obtaining it from Microsoft and other such companies.

In order to allow customers to review the integrity of Microsoft's products, the company said it would extend a program it already offers to some government agencies and begin allowing selected customers to review the source code for a selection of products -- to be expanded in the future -- via regional transparency centers located in Europe, Asia, North America, and South America.

But do Microsoft's promised changes go far enough? Secure messaging service Silent Circle, as well as Lavabit founder Ladar Levison, have been urging other online communications providers to adopt a new email protocol called Dark Mail, which was developed by Silent Circle's team, which includes Pretty Good Privacy (PGP) creator Phil Zimmerman.

Unlike today's webmail service providers, Dark Mail would tackle information security by relying on private encryption keys held only by email users. According to Silent Circle's overview, the "dark" aspect doesn't imply anything sinister, but rather "that it is secure, private, and that your written words are not viewed by some data-mining tech firm or a surveillance-hungry government agency."

But according to Silent Circle CEO Mike Janke, it's not clear whether online service providers will embrace an approach such as Dark Mail. "The real friction point is that Yahoo, Google and Microsoft make money mining off free email," he told the NY Times. "They say they're concerned about user privacy. Now we'll see if they really care."

The use of cloud technology is booming, often offering the only way to meet customers', employees', and partners' rapidly rising requirements. But IT pros are rightly nervous about a lack of visibility into the security of data in the cloud. In this Dark Reading report, Integrating Vulnerability Management Into The Application Development Process, we put the risk in context and offer recommendations for products and practices that can increase insight -- and enterprise security. (Free registration required.)

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Apprentice
12/5/2013 | 11:45:30 AM
NSA Proof Communication
It is important that more and more software companies protect our data. I am glad to see microsoft try and help protect there useres. It is also nice to see the new apps coming out that are NSA proof for communication. The one I have been using is Jolt, fee free to check it out if you wish. More security and privacy is always a good thing :)
User Rank: Apprentice
12/5/2013 | 11:54:25 AM
I can smell the pile
BS. MS is in bed with the NSA. Same with Google, Twitter, Facebook, Yahoo, and the list goes on.
User Rank: Apprentice
12/5/2013 | 1:06:02 PM
Re: I can smell the pile
The fact that Microsoft has to fight our own government for privacy seems so ridiculous. This technological arms war almost seems like a waste of money.

But then again, who knows what kinds of new privacy tech may come out of efforts like this?
User Rank: Apprentice
12/5/2013 | 3:05:40 PM
Legally required by US Law to submit all data to NSA , and then legally required not to reveil that they're doing it , or they all get thrown in jail.

This is just shuffling deck chairs on the titanic.

The FBI kicked the door in of the email provider Edward Snowden was using and took what they wanted by force , and anyone who resisted was threatenned with jail time. You think promises of encryption mean anything ?


The only thing left is to wait for them to release the code to "prove" there are no back doors, and then find out it doesn't match up with the code that's actually out there.


User Rank: Apprentice
12/5/2013 | 4:18:14 PM
Re: I can smell the pile
not all services give it up to the NSA.

social networking org does not comply with any NSA, PRISM, or other government demands for people's data, no do they sell people's data, track searches, chats, messaging, etc.

i find it the height of hypocrisy that Microsoft, who at one time allegedly worked with the government to help them read outlook emails, now decides to work on "better privacy".  good luck with that.

can you say, "did a 180"?

Thomas Claburn
Thomas Claburn,
User Rank: Ninja
12/5/2013 | 6:43:11 PM
Re: I can smell the pile
The problem with any pronouncement about encryption is that is has to be taken on trust, something that has already been violated. How does anyone know the encryption Microsoft (or Google or Apple) provides will function as desired? Very few computer users are technically savvy enough to really understand and evaluate encryption. Unless there are specific laws preventing the NSA (not to mention Russia and China) from accessing data, expect it to try and ulitmately succeed. It has billions in funding and skilled experts. You have assurances but no real proof.
User Rank: Apprentice
12/6/2013 | 1:52:14 PM
Re: NSA Proof Communication
This shows the hyprocacy of Microsoft's"scruggoled" campaign. Not only do they use user data to make Bing work, they have worked hand in glove with NSA to provide access to private communications and data. Now they try to tell us they are rethinking issues of data privacy. I remember all their promices about how wonderful Windows 7, Vista, and 8 were going to be.
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.