Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:04 AM

How NSA Data Demands On Microsoft Shape Your Security

Microsoft is legally prevented from saying too much about charges it collaborated with the NSA. Product security gets caught in this complex situation.

Is Microsoft -- and by extension the likes of Google and Yahoo -- being prevented from adding security improvements to its consumer Web services because of U.S. government surveillance demands?

A review of the recent wrangling among Microsoft, the U.S. government and critics of Microsoft's cooperation with government surveillance efforts provides a glimpse into this complex state of affairs.

The Guardian last week accused Microsoft of giving the U.S. National Security Agency backdoor access to Outlook.com encryption and Skype communications to facilitate the NSA's anti-terrorism surveillance programs. To be fair to Microsoft, the NSA can already directly access data from multiple Web services, including Gmail, Hotmail and Yahoo, plus numerous chat and video services, according to documents leaked by NSA contractor Edward Snowden.

The Guardian's story led Microsoft to issue a 1,400-word blog post, titled "Responding to government legal demands for customer data," in which it asserted that "there are significant inaccuracies in the interpretations of leaked government documents reported in the media."

What are those inaccuracies? We don't know. Microsoft says it's legally prohibited from detailing them. It also says it can't say more about the data demands approved by the Foreign Intelligence Surveillance (aka FISA) Court, with which it must comply. "Today we have asked the Attorney General of the United States to personally take action to permit Microsoft and other companies to share publicly more complete information about how we handle national security requests for customer information," wrote Microsoft general counsel Brad Smith last week. "We believe the U.S. Constitution guarantees our freedom to share more information with the public, yet the government is stopping us."

Or as parodied by Belarusian writer and researcher Evgeny Morozov: "To be clear, this statement that our company has written to clarify its relationship with NSA is not meant to make anything clear."

Then again, is it fair to ask Microsoft's PR and legal machines to operate with their hands tied behind their backs? "Microsoft is obligated to comply with the applicable laws that governments around the world -- not just the United States -- pass, and this includes responding to legal demands for customer data," Smith said. "All of us now live in a world in which companies and government agencies are using big data, and it would be a mistake to assume this somehow is confined to the United States."

Despite the gag order preventing Microsoft from fully responding to the criticism leveled against it, Smith claimed that on the Outlook.com front, "we do not provide any government with direct access to emails or instant messages." Furthermore, he said that changes made to Skype in 2012 "were not made to facilitate greater government access to audio, video, messaging or other customer data."

It's not Microsoft's fault that governments want this information. Furthermore, White House and intelligence officials insist (of course) that such data is being collected only in legal ways. But could, and should, Microsoft be taking steps that might raise the bar for intelligence agencies that want to collect intelligence on its users?

For example, the Communications Assistance for Law Enforcement Act (CALEA), while requiring some businesses to let the government wiretap their communications, also says that "a telecommunications carrier shall not be responsible for decrypting, or ensuring the government's ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication."

Then again, "a secret order from the FISA Court, which might be among the 'aspects of this debate' that Microsoft finds it's unable to discuss, could provide a new reason why Microsoft doesn't act to better protect Skype users against eavesdropping," said Seth Schoen, a senior staff technologist at the Electronic Frontier Foundation (EFF), in a blog post. "If the secret order required Microsoft to turn over Skype users' communications on an ongoing basis, Microsoft might fear that changing the Skype technology in a way that stopped it from complying would violate the order." In other words, the government's demands for data might make it difficult for Microsoft to alter its system, at least in a way that trades enhanced encryption for easy interception.

For example, while Skype offers "end to end" encryption, the EFF says Skype also serves as a certificate authority for users. As a result, anyone with access to Skype's keys could intercept any Skype communications. In other words, "Skype is in a position to give the government sufficient data to perform a man-in-the-middle attack against Skype users," Christopher Soghoian, a principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project, argued last year.

"This security limitation has concerned us for a long time," said the EFF's Schoen. "One way of limiting man-in-the-middle attacks would be for Skype to introduce a way for users to do their own encryption key verification, without relying on the Skype service." Such a feature would let users verify that they're not being spied on, and other encryption systems already offer this feature, including PGP and HTTPS. But Skype -- since acquired by Microsoft -- has declined to add such a feature, despite related requests from privacy rights groups.

The continuing rise in cybercrime, of course, means that everyone's communications need better safeguarding against interception. Intelligence agents aren't the only people who can execute man-in-the-middle attacks against Skype or target Gmail accounts. In the wake of PRISM and every other obscurely named NSA surveillance program under the sun demanding freer access to Web data, is this government-ordered surveillance subverting the information security of widely used consumer services?

That's also a topic Microsoft is legally prevented from addressing. The White House, responding to a suit filed by the ACLU, claimed last week that the NSA's surveillance programs are fully legal. "The alleged metadata program is fully consistent with the Fourth Amendment" prohibition against unreasonable search or seizure, and thus doesn't violate the free speech protections of the First Amendment, assistant U.S. attorney David S. Jones wrote in a Thursday filing to U.S. District Judge William H. Pauley.

Even if Microsoft and the NSA could freely discuss the tradeoffs inherent in the current surveillance programs, there aren't easy answers. Federal judge James G. Carr, who served on the FISA Court from 2002 to 2008, has called on Congress to let the court appoint technologically sophisticated, pro-bono lawyers "with high-level security clearance" to argue against the government's filings and help judges balance surveillance requests with civil liberties concerns. In other words, let the judges tasked with overseeing FISA requests actually understand the full implications of those requests.

Better oversight might also address the open question of whether the NSA's voracious data-interception demands are weakening the information security protections being offered to consumers and businesses.

Gen. Keith Alexander, commander of U.S. Cyber Command, will be keynote speaker at Black Hat USA 2013, the benchmark for all security conferences. Join us for four intense days of training and two jam-packed days of briefings. Register for Black Hat today. In Las Vegas, July 27-Aug. 1.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
7/29/2013 | 3:04:58 PM
re: How NSA Data Demands On Microsoft Shape Your Security
Microsoft (and Google and Yahoo and Facebood and etc) are conveniently feigning powerlessness when it comes to these NSA programs. Setting aside 4th amendment issues, these companies' constitutional 1st amendment right to free speech is infringed upon by Section 215 of the Patriot Act. Without revealing the specific orders, they have legal standing to take this to the appropriate, open federal court to challenge the relevant sections of the law. They simply fail, due to incompetence or willful neglect, to defend their rights. Additionally, while section 215 does gag any of these companies from disclosing FISA court orders, it does not prevent them from disclosing information about their software. That is, the Patriot Act does not stopping them from hiring an independent firm to audit their software and provide a public report on the security. If they want. Either way, Microsoft et al are partially responsible for their fate in this matter.
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-21
NVIDIA Windows GPU Display Driver for Windows, R390 driver branch, contains a vulnerability in its installer where an attacker with local system access may replace an application resource with malicious files. Such an attack may lead to code execution, escalation of privileges, denial of service, or...
PUBLISHED: 2021-04-21
NVIDIA Windows GPU Display Driver for Windows, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where the program dereferences a pointer that contains a location for memory that is no longer valid, which may lead to code execution, denial of se...
PUBLISHED: 2021-04-21
NVIDIA GPU Display Driver for Windows and Linux, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys or nvidia.ko) where improper access control may lead to denial of service, information disclosure, or data corruption.
PUBLISHED: 2021-04-21
NVIDIA GPU Display Driver for Windows and Linux, R450 and R460 driver branch, contains a vulnerability where the software uses a reference count to manage a resource that is incorrectly updated, which may lead to denial of service.
PUBLISHED: 2021-04-21
NVIDIA Windows GPU Display Driver for Windows, all versions, contains a vulnerability in the kernel driver (nvlddmkm.sys) where a NULL pointer dereference may lead to system crash.