Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Microsoft Helped NSA Siphon Hotmail, Skype User Data

Microsoft says it takes your privacy seriously, but legal compliance with court-ordered NSA surveillance programs -- including Prism -- is mandatory.

"Your privacy is our priority." So goes the tagline for Microsoft's marketing campaign launched in April.

While it's a worthy sentiment, leaked National Security Agency (NSA) documents show that the U.S. government agency has a different priority: Direct access to all Hotmail and Outlook.com emails, as well as all audio and video communications handled by Skype, which has an estimated 663 million global users.

The documents, which were leaked by former NSA contractor Edward Snowden, were first cited Friday -- but not published in full -- by the Guardian.

The leaked information shows the extent to which Microsoft -- and by extension other technology giants, including Google and Facebook -- have worked with the FBI, which serves as a liaison between technology companies and the NSA. One result has been to give the NSA and CIA direct access to their systems, as part of the so-called Prism program, amongst other court-ordered U.S. surveillance efforts.

[ Hackers tell the feds, "it's not us, it's you." Read NSA Fallout: No Feds At Def Con. ]

The documents demonstrate that access to Microsoft's systems by U.S. intelligence agencies isn't superficial. Indeed, an internal NSA memo cited by the Guardian said that Microsoft's switch to a new Outlook.com encryption system in February wouldn't interrupt the agency's free access to encrypted emails or chat sessions. "For Prism collection against Hotmail, Live and Outlook.com, emails will be unaffected because Prism collects this data prior to encryption," it said. A similar system now also appears to be in place for Microsoft's SkyDrive cloud storage service.

According to the referenced documents, Microsoft's work with the NSA to allow it to intercept Skype communications began in November 2010. The company was then ordered on Feb. 4, 2011, in a directive signed by the attorney general, to comply with the program. Two days later, the NSA began collecting Skype communications, although technical challenges appeared to prevent the agency from being able to reliably record video. By July 2012, however, that challenge had been surmounted, and the volume of intercepted video rapidly increased.

In Microsoft's defense: Legally speaking, there's little, if anything, it could have done differently. Furthermore, Microsoft officials are legally prohibited from discussing the contents of Foreign Intelligence Surveillance Court orders, with which they must comply or risk going to jail.

A Microsoft spokeswoman, in an emailed statement, said: "We take our commitments to our customers and to compliance with applicable law very seriously, so we provide customer data only in response to legal processes."

Microsoft also said its participation was contingent on the law enforcement and national security information requests being legally sound as well as targeted. "We only ever comply with orders about specific accounts or identifiers, and we would not respond to the kind of blanket orders discussed in the press over the past few weeks, as the volumes documented in our most recent disclosure clearly illustrate." That disclosure refers to Apple, Facebook, Microsoft and Yahoo having detailed the number of requests they've received for customer data from the U.S. government, after requesting and receiving permission to do so from the Department of Justice.

Intelligence officials emphasized that U.S. businesses have a legal responsibility to comply with court-ordered requests to furnish information on their customers and users. "The articles describe court-ordered surveillance -- and a U.S. company's efforts to comply with these legally mandated requirements," said Shawn Turner, the director of public affairs for the Director of National Intelligence, and Judith Emmel, the director of public affairs for the NSA, in a joint emailed statement. "The U.S. operates its programs under a strict oversight regime, with careful monitoring by the courts, Congress and the Director of National Intelligence. Not all countries have equivalent oversight requirements to protect civil liberties and privacy."

"In practice, U.S. companies put energy, focus and commitment into consistently protecting the privacy of their customers around the world, while meeting their obligations under the laws of the U.S. and other countries in which they operate," they said.

But Microsoft's hands remain tied when it comes to the company being able to explain exactly how it must comply with law enforcement and national security information requests. Accordingly, Microsoft and Google, working with a number of privacy and civil liberties groups, Monday filed an amicus brief with the Foreign Intelligence Surveillance Court, seeking to lift the gag order that prevents them from discussing how they furnish data to the NSA. Yahoo, meanwhile, demanded in a Foreign Intelligence Surveillance Court filing that the court publish its legal argument against a key 2008 case in which Yahoo was compelled to participate, saying it would show the technology company "objected strenuously" to the NSA's data-capture demands.

Microsoft's statement also suggested that the company hasn't been able to tell its side of the story. "There are aspects of this debate that we wish we were able to discuss more freely. That's why we've argued for additional transparency that would help everyone understand and debate these important issues," it said.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
anon2505770614
50%
50%
anon2505770614,
User Rank: Apprentice
8/31/2013 | 4:15:20 AM
re: Microsoft Helped NSA Siphon Hotmail, Skype User Data
At best they could have done what others more recently have done and shut off the service. They couldn't say why, due to the nature of FISA orders, but they could have chosen to state something like "Due to government regulations we may no longer offer you a secure communications platform."
Cara Latham
50%
50%
Cara Latham,
User Rank: Apprentice
7/15/2013 | 12:27:10 PM
re: Microsoft Helped NSA Siphon Hotmail, Skype User Data
As the article mentions, I'm not sure anyone at Microsoft could have done anything more to protect user's privacy. It seems to me users should be pushing for transparency of the government's, specifically the NSA's, actions to force Microsoft and other companies to comply. Something tells me the extent to which the government is seeking access to user data is greater than the actual need of the data for security purposes.
moarsauce123
50%
50%
moarsauce123,
User Rank: Ninja
7/13/2013 | 3:18:21 PM
re: Microsoft Helped NSA Siphon Hotmail, Skype User Data
Microsoft should have resisted the court orders if they indeed consider privacy that important. They may not have won the fight in the end, but it surely would have been become public and Microsoft has pockets deep enough to take on the government. But in the end more profit was to be made by aiding illegal spy programs than stand on moral ground. At least Goggle tells you that anything you give them will be turned into cash.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 4/7/2020
The Coronavirus & Cybersecurity: 3 Areas of Exploitation
Robert R. Ackerman Jr., Founder & Managing Director, Allegis Capital,  4/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20637
PUBLISHED: 2020-04-08
An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x and 6.2.x before 6.2.2, and 6.3.x before 6.3.1. It does not clear a pointer between the handling of one client request and the next request within the same connection. This sometimes causes information to be disclosed from the connecti...
CVE-2020-11650
PUBLISHED: 2020-04-08
An issue was discovered in iXsystems FreeNAS 11.2 and 11.3 before 11.3-U1. It allows a denial of service.
CVE-2020-11653
PUBLISHED: 2020-04-08
An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2. It occurs when communication with a TLS termination proxy uses PROXY version 2. There can be an assertion failure and daemon restart, which causes a performance loss.
CVE-2020-2732
PUBLISHED: 2020-04-08
A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest.
CVE-2020-1627
PUBLISHED: 2020-04-08
A vulnerability in Juniper Networks Junos OS on vMX and MX150 devices may allow an attacker to cause a Denial of Service (DoS) by sending specific packets requiring special processing in microcode that the flow cache can't handle, causing the riot forwarding daemon to crash. By continuously sending ...