PRISM Pulled Microsoft Deep Into NSA Rabbit Hole

Although it initially denied involvement in the National Security Agency’s PRISM surveillance program, Microsoft has in fact worked closely with U.S. intelligence agencies to monitor users’ communications, even helping the NSA circumvent its own encryption to do so, new documents from whistleblower Edward Snowden suggest.

Microsoft gave the NSA pre-encryption access to chats and emails on Outlook.com, including those of Hotmail users, as well as data on its SkyDrive cloud storage service and phone calls made through Skype, according to a Thursday report in The Guardian, which originally broke the news about PRISM.

One NSA document, in fact, referred to the PRISM program as a “team sport” for the data-sharing it involved with the FBI and the CIA, The Guardian reported.

No Blanket Access

Microsoft responded to the report later on Thursday with a statement of its own to defend its practices, noting that it provides customer data only in response to legal processes and when the requests focus on specific instances.

It does not provide any government with blanket or direct access to SkyDrive, Outlook.com, Skype or any of its other products, it added.

Microsoft did not respond to our request for further details.

‘It’s Hard to Compare’

“Microsoft is just another company on a list of companies that do business with the government,” Alan Webber, industry analyst and managing partner at the Altimeter Group, told the E-Commerce Times. “It isn’t clear how it was done, and whether it was under a court order, but any tech company that is asked to provide information to the government is going to do so.”

How other companies’ involvement compares with Microsoft’s, meanwhile, remains to be revealed.

Spotlight on Redmond

“It’s hard to compare Microsoft’s collaboration with U.S. intelligence agencies to other companies which are part of PRISM because there’s so much information that hasn’t been made public yet,” Electronic Frontier Foundation Staff Technologist Micah Lee told the E-Commerce Times.

As a result of this latest report, we simply know more about Microsoft’s role than we do about those of any of the other players, Lee added.

Apple, Facebook, Google and Yahoo are among the other major tech companies involved. Since admitting their participation many of them — including Microsoft — have made calls for greater transparency.

‘There Is a Backlash’

“Companies are fearful of a backlash,” Jeffrey Silva, senior policy director for telecommunications, media and technology at Medley Global Advisors, told the E-Commerce Times. “They are trying to be good corporate citizens, but there is a backlash from trying to help the government and satisfy the customer.”

In essence, it’s a balancing act, he said.

Of course, it’s no longer clear how much privacy can still reasonably be expected in the digital, post-9/11 era.

“As a security professional I have very little expectation for privacy,” John Dickson, principal of Denim Group and a Certified Information Systems Security Professional, told the E-Commerce Times. “We’ve already given away expectations — or at least should — when we use the Internet.”

‘Our Sense of Privacy Is Misguided’

Indeed, “we live in a country where we can believe the government isn’t unnecessarily tapping our phone; however, those protections have eroded through the years thanks to the different acts,” Webber noted. “Today, our sense of privacy is misguided.

“In a Utopian world it could exist, but in the real world there shouldn’t be that expectation of privacy,” he added. “This is especially true as user agreements are a one-sided agreement with the company and the user, and few people read them anyway. They exist to protect the company, and they have wiggle room to do what they want as mandated by the government.”

In fact, as a result of recent revelations, privacy-concerned users may increasingly begin looking to other solutions.

“We could soon see a rise in competing ‘host-proof’ services that won’t have the ability to give user data to U.S. intelligence agencies,” said EFF’s Lee. “All of the data that host-proof services have access to is end-to-end encrypted so that only the users — and not the service itself — are able to decrypt it.”

‘There Is a Disconnect’

The other part of this issue, however, is whether the government’s newly revealed surveillance efforts are even doing any good. In this respect, it’s a balance between liberty — including privacy — and security.

“We have mismatched pronounced levels of privacy concerns with security concerns,” Dickson said. “There is a disconnect with the public wanting privacy and expecting security.”

At the same time, “there is never going to be enough access to the information for us to know why the government needed our private information,” he noted. “If there is another terrorist event then this story will go away — it is as simple as that.”

Where is the ideal balancing point between privacy and security?

“It comes down to what percentage of terrorist acts do you want to catch up front, Dickson concluded. “If that number is 100 percent, then we need to understand that it means more of our privacy will be compromised.”