Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

NSA Fallout: Microsoft Rethinks Customer Data Controls

Fallout over NSA surveillance drives Microsoft to promise widespread security and privacy improvements. But do they go far enough?

Stung by revelations that the National Security Agency (NSA) has been conducting a massive surveillance operation against users of online services, Microsoft responded Wednesday by saying that it would encrypt -- or use stronger crypto -- for more of its services, as well as warn business and government users when it receives legal requests for their data. The company also promised to open a network of transparency centers to allow customers to review Microsoft's source code and confirm that it contains no backdoors.

"Many of our customers have serious concerns about government surveillance of the Internet," Brad Smith, general counsel and executive vice president for legal and corporate affairs at Microsoft, said Wednesday in a blog post announcing the changes. "We share their concerns. That's why we are taking steps to ensure governments use legal process rather than technological brute force to access customer data."

Senior executives at Microsoft had reportedly already considered making those changes. But they were driven into action after NSA documents leaked by Edward Snowden suggested that intelligence agencies worldwide were spying on data and communications handled by the likes of Facebook, Google, Microsoft, and Yahoo, perhaps by hacking directly into their datacenters. Industry analysts have warned that the resulting fallout from those revelations could cost global online service providers $180 billion in lost revenue by 2016.

[Existing legislation for online privacy is woefully outdated. It's time for Congress to act. Read Electronic Privacy Laws Need An Overhaul.]

"The idea that the government may be hacking into corporate data centers was a bit like an earthquake, sending shock waves across the tech sector," Smith told The New York Times. "We concluded that we better assume that there might be such an attempt at Microsoft, or has already been."

Accordingly, by the end of 2014, Microsoft has promised to overhaul its use of crypto for all of its major communications, productivity, and developer services, including Office 365, Outlook.com, SkyDrive, and Windows Azure. That includes adopting the Perfect Forward Secrecy public-key system, as well as stronger 2048-bit key lengths. "Office 365 and Outlook.com customer content is already encrypted when traveling between customers and Microsoft, and most Office 365 workloads as well as Windows Azure storage are now encrypted in transit between our data centers," said Smith. "In other areas we're accelerating plans to provide encryption."

One goal is to get any intelligence or law enforcement agencies that might try to hack into Microsoft's services or networks to instead need to go to court to get a subpoena. In addition, these changes might help defuse what's sure to become an escalating arms race between Microsoft and the NSA, or any foreign intelligence agency that wants all-you-can-eat access to Microsoft customers' data or communications.

"We all want to live in a world that is safe and secure, but we also want to live in a country that is protected by the Constitution," said Smith. "We want to ensure that important questions about government access are decided by courts rather than dictated by technological might."

On the transparency tip, meanwhile, Microsoft promised to notify all business and government customers whenever it received a legal order relating to their data. It also promised to challenge all related gag orders in the court. One related goal of that move is to try to get law enforcement agencies to go directly to businesses from which they want to retrieve data, rather than surreptitiously obtaining it from Microsoft and other such companies.

In order to allow customers to review the integrity of Microsoft's products, the company said it would extend a program it already offers to some government agencies and begin allowing selected customers to review the source code for a selection of products -- to be expanded in the future -- via regional transparency centers located in Europe, Asia, North America, and South America.

But do Microsoft's promised changes go far enough? Secure messaging service Silent Circle, as well as Lavabit founder Ladar Levison, have been urging other online communications providers to adopt a new email protocol called Dark Mail, which was developed by Silent Circle's team, which includes Pretty Good Privacy (PGP) creator Phil Zimmerman.

Unlike today's webmail service providers, Dark Mail would tackle information security by relying on private encryption keys held only by email users. According to Silent Circle's overview, the "dark" aspect doesn't imply anything sinister, but rather "that it is secure, private, and that your written words are not viewed by some data-mining tech firm or a surveillance-hungry government agency."

But according to Silent Circle CEO Mike Janke, it's not clear whether online service providers will embrace an approach such as Dark Mail. "The real friction point is that Yahoo, Google and Microsoft make money mining off free email," he told the NY Times. "They say they're concerned about user privacy. Now we'll see if they really care."

The use of cloud technology is booming, often offering the only way to meet customers', employees', and partners' rapidly rising requirements. But IT pros are rightly nervous about a lack of visibility into the security of data in the cloud. In this Dark Reading report, Integrating Vulnerability Management Into The Application Development Process, we put the risk in context and offer recommendations for products and practices that can increase insight -- and enterprise security. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
12/6/2013 | 1:52:14 PM
Re: NSA Proof Communication
This shows the hyprocacy of Microsoft's"scruggoled" campaign. Not only do they use user data to make Bing work, they have worked hand in glove with NSA to provide access to private communications and data. Now they try to tell us they are rethinking issues of data privacy. I remember all their promices about how wonderful Windows 7, Vista, and 8 were going to be.
Thomas Claburn
Thomas Claburn,
User Rank: Ninja
12/5/2013 | 6:43:11 PM
Re: I can smell the pile
The problem with any pronouncement about encryption is that is has to be taken on trust, something that has already been violated. How does anyone know the encryption Microsoft (or Google or Apple) provides will function as desired? Very few computer users are technically savvy enough to really understand and evaluate encryption. Unless there are specific laws preventing the NSA (not to mention Russia and China) from accessing data, expect it to try and ulitmately succeed. It has billions in funding and skilled experts. You have assurances but no real proof.
User Rank: Apprentice
12/5/2013 | 4:18:14 PM
Re: I can smell the pile
not all services give it up to the NSA.

social networking org Glom.com does not comply with any NSA, PRISM, or other government demands for people's data, no do they sell people's data, track searches, chats, messaging, etc.

i find it the height of hypocrisy that Microsoft, who at one time allegedly worked with the government to help them read outlook emails, now decides to work on "better privacy".  good luck with that.

can you say, "did a 180"?

User Rank: Apprentice
12/5/2013 | 3:05:40 PM
Legally required by US Law to submit all data to NSA , and then legally required not to reveil that they're doing it , or they all get thrown in jail.

This is just shuffling deck chairs on the titanic.

The FBI kicked the door in of the email provider Edward Snowden was using and took what they wanted by force , and anyone who resisted was threatenned with jail time. You think promises of encryption mean anything ?


The only thing left is to wait for them to release the code to "prove" there are no back doors, and then find out it doesn't match up with the code that's actually out there.


User Rank: Apprentice
12/5/2013 | 1:06:02 PM
Re: I can smell the pile
The fact that Microsoft has to fight our own government for privacy seems so ridiculous. This technological arms war almost seems like a waste of money.

But then again, who knows what kinds of new privacy tech may come out of efforts like this?
User Rank: Apprentice
12/5/2013 | 11:54:25 AM
I can smell the pile
BS. MS is in bed with the NSA. Same with Google, Twitter, Facebook, Yahoo, and the list goes on.
User Rank: Apprentice
12/5/2013 | 11:45:30 AM
NSA Proof Communication
It is important that more and more software companies protect our data. I am glad to see microsoft try and help protect there useres. It is also nice to see the new apps coming out that are NSA proof for communication. The one I have been using is Jolt, fee free to check it out if you wish. More security and privacy is always a good thing :)

A Startup With NSA Roots Wants Silently Disarming Cyberattacks on the Wire to Become the Norm
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/11/2021
Cybersecurity: What Is Truly Essential?
Joshua Goldfarb, Director of Product Management at F5,  5/12/2021
3 Cybersecurity Myths to Bust
Etay Maor, Sr. Director Security Strategy at Cato Networks,  5/11/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google Maps is taking "interactive" to a whole new level!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-17
Cross Site Scripting (XSS) in emlog v6.0.0 allows remote attackers to execute arbitrary code by adding a crafted script as a link to a new blog post.
PUBLISHED: 2021-05-17
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete a specific article via the component " /admin.php?action=page."
PUBLISHED: 2021-05-17
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete specific images via the component " /admin.php?action=images."
PUBLISHED: 2021-05-17
A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_handles ../../src/decode.c:2637.
PUBLISHED: 2021-05-17
A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_revhistory ../../src/decode.c:3051.