Microsoft Cranks Up Security to Lock Out Government Spies
Dec 5, 2013 1:31 PM PT
Microsoft is taking steps to make its customers' data more secure in the wake of revelations about government spying.
The company was implicated in National Security Agency snooping operations after former NSA contractor Edward Snowden leaked documents related to the agency's activities earlier this year.
Government spying on Microsoft's servers constitutes a persistent threat as serious as "sophisticated malware or cyberattacks," said Brad Smith, general counsel and executive vice president of legal and corporate affairs.
Microsoft shares customer concerns about surveillance and wants to make sure governments use legal processes to obtain data rather than scraping it without subpoenas or warrants, he added.
To combat the NSA and other government agencies, Microsoft is taking immediate action across three areas: increasing encryption across services; strengthening legal protections for customer data; and making its code more transparent, to let customers see for themselves that the government does not have backdoor access to data in Microsoft products.
Comprehensive Engineering Work
Though Microsoft maintains it has not found evidence that governments have accessed government data without authorization, the firm does not wish to take chances and is undertaking comprehensive engineering work to further encrypt customer data.
All customer data moving between Microsoft servers and consumers will be encrypted by default, the company said. Likewise, Microsoft's critical platform, productivity and communications services will encrypt customer data as it migrates between data centers.
Microsoft will use best-in-class cryptography to secure data, including Perfect Forward Secrecy and 2048-bit key lengths, it said.
Perfect Forward Secrecy ensures that if Microsoft's encryption key is cracked in the future, not all data in the network will be available to spies immediately. Microsoft plans to have all of the above in place by the end of 2014.
Microsoft also will encrypt customer content it stores, and it is cooperating with its peers to ensure that data moving between services -- such as from Microsoft Outlook to another email provider -- is encrypted.
"Everything that they're doing is intended to prevent unauthorized access by a third party," Daniel Castro, senior analyst at the Information Technology & Innovation Foundation, told the E-Commerce Times.
"What it doesn't do is protect lawful access by the government. I think the question some customers will have is, 'Are there additional steps that the customer should be doing to protect data?' or 'Should the security of the data be separate from the security and the hosting of the data?'"
Elsewhere, Microsoft plans to double down on legal protections for customer data. It will continue to notify customers when it receives legal notices related to their data and challenge gag orders that prevent it from doing so.
Microsoft is also committed to opening up its code for customer review. The company will take extra measures to boost transparency by enhancing the program that lets government customers examine source code and scrutinize the integrity of its services, said Smith.
Additionally, it will open transparency centers in Europe, Asia, and North and South America.
These moves follow reports that the UK Government Communications Headquarters taps into fiber-optic cables that reach British soil to extract Web users' data and revelations that the NSA can tap into private communication links used by firms including Google and Yahoo to pull data as it pleases.
Other major technology firms have taken steps to shut out government spies. Last month, Yahoo announced similar encryption measures to protect data moving between data centers. In May, before the revelations of the extent of the NSA's spying, Google said it would update all its SSL certificates to 2048-bit key lengths by the end of the year.
Competing on Privacy
"I think it's safe to say on a bunch of levels all these companies are attempting to compete on privacy, and they've been stuck between a rock and a hard place," Alan Chapell, president of Chapell and Associates, told the E-Commerce Times. "They want to operate in accordance with what the government wants them to do.
"On the other hand," Chapell continued, "they have a customer trust issue, to the extent that they're required to disclose data that they've otherwise represented that they're making secure."
Customers Want Security
Rather than a response to competitive concerns, Microsoft's encryption plan is "more a reaction to questions from their customers about what can be done to secure their data," ITIF's Castro maintained.
"Certainly, any time one company does it, others will look to follow suit because they are establishing new best practices," he pointed out.
"If we start seeing certain companies offering a service where they're really turning over all encryption to the customer where the customer is in complete control," Castro added, "I think that will create a lot of competitive pressure for companies to keep up, because that will be a true market differentiator."