Microsoft's anti-NSA encryption pledge raises questions

Filed Under: Cryptography, Featured, Microsoft, Privacy

Microsoft logo courtesy of ShutterstockEarly on in NSA-gate, Microsoft was looking at a laundry list of headlines concerning its collusion with US intelligence operations.

One example is the headline of The Guardian's public-relations-cringe-worthy coverage: "Microsoft handed the NSA access to encrypted messages" with the bulleted subheads below:

  • Secret files show scale of Silicon Valley co-operation on Prism
  • Outlook.com encryption unlocked even before official launch
  • Skype worked to enable Prism collection of video calls
  • Company says it is legally compelled to comply

So last Wednesday, Microsoft pledged to encrypt just about everything, enhance code transparency, and bolster legal protection for customers' data.

Brad Smith, Microsoft General Counsel & Executive Vice President, Legal & Corporate Affairs, wrote in the posting that government snooping potentially now constitutes an "advanced persistent threat", on par with sophisticated malware and cyber attacks.

He said that Microsoft is "especially alarmed" at the notion that governments are trying to get around online security:

Like many others, we are especially alarmed by recent allegations in the press of a broader and concerted effort by some governments to circumvent online security measures – and in our view, legal processes and protections – in order to surreptitiously collect private customer data. In particular, recent press stories have reported allegations of governmental interception and collection – without search warrants or legal subpoenas – of customer data as it travels between customers and servers or between company data centers in our industry.

If true, these efforts threaten to seriously undermine confidence in the security and privacy of online communications. Indeed, government snooping potentially now constitutes an "advanced persistent threat," alongside sophisticated malware and cyber attacks.

In light of the allegations, Microsoft announced that it's decided to push three things: expanding encryption across its services, reinforcing legal protection for customers' data, and enhancing software code transparency so customers can rest easy in the knowledge that their products do not contain back doors.

On the encryption front, it plans to strengthen lockdown of customer data across its networks and services, including Outlook.com, Office 365, SkyDrive and Windows Azure.

Specifically, it said:

  • Content moving between customers and Microsoft will be encrypted by default.
  • All of the company's "key" platform, productivity and communications services will encrypt customer content as it moves between its data centers.
  • Microsoft will use what it calls "best-in-class" industry cryptography to protect these channels, including Perfect Forward Secrecy (which Google has been using with Gmail and Google Docs since 2011; Twitter's been using it since November), and 2048-bit key lengths.
  • All of this will be in place by the end of 2014, and Microsoft says much of it is effective already. To wit: "Office 365 and Outlook.com customer content is already encrypted when traveling between customers and Microsoft, and most Office 365 workloads as well as Windows Azure storage are now encrypted in transit between our data centers."
  • Microsoft will also encrypt customer content that it stores. In some cases, such as third-party services developed to run on Windows Azure, the choice will be left up to developers, but Microsoft will offer the tools to allow them to get it done.
  • The company says it's also working with other companies across the industry to ensure that data traveling between services – from one email provider to another, for instance – is protected.

As pointed out by Electronic Frontier Foundation's Kurt Opsahl, the absence of Skype from Microsoft's list of encryption promises is a notable omission.

An excerpt from an email he sent to TechCrunch:

I agree that Skype’s absence here is extremely interesting and concerning. ... Microsoft, as the owner of Skype, has totally failed to be transparent about this and it's not surprising that users and security experts come to believe that it has something to hide.

A Microsoft spokesperson told TechCrunch that Skype isn't excluded, per se; it just wasn't mentioned because Microsoft didn't feel the need to mention all products.

As The Center for Democracy and Technology's Joe Hall explained to TechCrunch's Gregory Ferenstein, real transparency from Microsoft means nothing less than independent review from people with recognised security chops who've vetted Skype's cryptographic methods and implementation:

I think Microsoft must be very transparent to make encryption in Skype meaningful. ... That means detailing the way Skype works technically, and demonstrating that independent review from folks respected by the security community have examined Skype's cryptographic methods and implementation and said good things about it. Hopefully then anointing it as robustly 'end-to-end.' (Meaning only the parties at the ends of the conversation have access to the communication).

Ferenstein asked Microsoft about this type of independent review, but the spokesperson declined to address the issue.

As it now stands, Silent Circle offers encrypted voice, in addition to video, text and file transfer.

But at a starting price of $9.95/month, it can't compete with Microsoft's free Skype service, unless you put a price on the assurances of privacy you get from encrypted end-to-end calling.

As far as Microsoft's pledge to get transparent with its code, the Free Software Foundation (FSF), for one, questioned the logic of trusting the Very Not Free Software maker.

From a statement made by FSF executive director John Sullivan following Microsoft's announcement:

Microsoft has made renewed security promises before. In the end, these promises are meaningless. Proprietary software like Windows is fundamentally insecure not because of Microsoft's privacy policies but because its code is hidden from the very users whose interests it is supposed to secure. A lock on your own house to which you do not have the master key is not a security system, it is a jail.

If the NSA revelations have taught us anything, it is that journalists, governments, schools, advocacy organizations, companies, and individuals, must be using operating systems whose code can be reviewed and modified without Microsoft or any other third party's blessing. When we don't have that, back doors and privacy violations are inevitable.

These are just some of the voices questioning Microsoft's recent anti-NSA stance.

Microsoft's announcement on Wednesday is, of course, public relations gold, surely meant to put a bandage on the company's NSA-headline-savaged hide.

But the move to encryption and openness still sounds like it's also a rational reaction to public outrage.

Maybe the public should keep up the outrage.

Maybe if enough people scream about the government's trampling on the privacy of innocent people, more companies will embrace customer data privacy and defend it as fiercely as if corporate lives depended on it.

Microsoft logo courtesy of IVY PHOTOS / Shutterstock.com

, , , , ,

You might like

11 Responses to Microsoft's anti-NSA encryption pledge raises questions

  1. Andrew · 318 days ago

    Can we really trust Microsoft? it remains to be seen .

    • Trust Me · 317 days ago

      Can we trust any company (big or small) or government?

  2. MikeP_UK · 318 days ago

    It is worth pointing out that the use of the name 'SkyDrive' is contrary to a UK Court Judgement. See http://www.theverge.com/2013/7/31/4574878/microsoft-skydrive-name-change-bskyb et al.
    That an an employee of Microsoft who holds a position of legal responsibility fails to abide by the ruling of a court speaks volumes for the lack of care.
    As they are a commercial enterprise, I have serious reservations about their ability to implement security schemes, especially in the light of how their code is apparently riddled with 'holes' and errors.

  3. LonerVamp · 318 days ago

    Skype needs to work in the Chinese market. And there's only one way a communication technology is going to be allowed to operate in the Chinese market...

    • anonymous · 317 days ago

      Americans have to give up constitutional rights because someone wants to do business in China? No thanks

      • G Man · 308 days ago

        What are you talking about? This means the only way a communication app like skype can be used over there is if the internal workings are open, reviewed and known.
        Is that too much to ask?

  4. Lyle · 317 days ago

    Regardless of encryption, when the government requests access, they will grant it. The encryption is just to make the public stop blaming them, not to interfere with government access.

    • jet86 · 317 days ago

      Lyle: if the encryption is done properly, they wouldn't be able to grant access, regardless of who asked for it. Good end-to-end encryption would mean Microsoft themselves would have no access to the unencrypted data.

      • Adam · 316 days ago

        jet86: I think you've just explained why properly done encryption won't be implemented by Microsoft and many (most?) others.

  5. G Man · 308 days ago

    What exactly would be the point of encrypting everything if, behind your back, the keys are handed to unknown parties without your knowledge?....it's a pointless exercise.

    • Randy · 40 days ago

      A pointless exercise? Microsoft calls that "marketing".

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.