Early on in NSA-gate, Microsoft was looking at a laundry list of headlines concerning its collusion with US intelligence operations.
One example is the headline of The Guardian's public-relations-cringe-worthy coverage: "Microsoft handed the NSA access to encrypted messages" with the bulleted subheads below:
- Secret files show scale of Silicon Valley co-operation on Prism
- Outlook.com encryption unlocked even before official launch
- Skype worked to enable Prism collection of video calls
- Company says it is legally compelled to comply
So last Wednesday, Microsoft pledged to encrypt just about everything, enhance code transparency, and bolster legal protection for customers' data.
Brad Smith, Microsoft General Counsel & Executive Vice President, Legal & Corporate Affairs, wrote in the posting that government snooping potentially now constitutes an "advanced persistent threat", on par with sophisticated malware and cyber attacks.
He said that Microsoft is "especially alarmed" at the notion that governments are trying to get around online security:
Like many others, we are especially alarmed by recent allegations in the press of a broader and concerted effort by some governments to circumvent online security measures – and in our view, legal processes and protections – in order to surreptitiously collect private customer data. In particular, recent press stories have reported allegations of governmental interception and collection – without search warrants or legal subpoenas – of customer data as it travels between customers and servers or between company data centers in our industry.
If true, these efforts threaten to seriously undermine confidence in the security and privacy of online communications. Indeed, government snooping potentially now constitutes an "advanced persistent threat," alongside sophisticated malware and cyber attacks.
In light of the allegations, Microsoft announced that it's decided to push three things: expanding encryption across its services, reinforcing legal protection for customers' data, and enhancing software code transparency so customers can rest easy in the knowledge that their products do not contain back doors.
On the encryption front, it plans to strengthen lockdown of customer data across its networks and services, including Outlook.com, Office 365, SkyDrive and Windows Azure.
Specifically, it said:
- Content moving between customers and Microsoft will be encrypted by default.
- All of the company's "key" platform, productivity and communications services will encrypt customer content as it moves between its data centers.
- Microsoft will use what it calls "best-in-class" industry cryptography to protect these channels, including Perfect Forward Secrecy (which Google has been using with Gmail and Google Docs since 2011; Twitter's been using it since November), and 2048-bit key lengths.
- All of this will be in place by the end of 2014, and Microsoft says much of it is effective already. To wit: "Office 365 and Outlook.com customer content is already encrypted when traveling between customers and Microsoft, and most Office 365 workloads as well as Windows Azure storage are now encrypted in transit between our data centers."
- Microsoft will also encrypt customer content that it stores. In some cases, such as third-party services developed to run on Windows Azure, the choice will be left up to developers, but Microsoft will offer the tools to allow them to get it done.
- The company says it's also working with other companies across the industry to ensure that data traveling between services – from one email provider to another, for instance – is protected.
As pointed out by Electronic Frontier Foundation's Kurt Opsahl, the absence of Skype from Microsoft's list of encryption promises is a notable omission.
An excerpt from an email he sent to TechCrunch:
I agree that Skype’s absence here is extremely interesting and concerning. ... Microsoft, as the owner of Skype, has totally failed to be transparent about this and it's not surprising that users and security experts come to believe that it has something to hide.
A Microsoft spokesperson told TechCrunch that Skype isn't excluded, per se; it just wasn't mentioned because Microsoft didn't feel the need to mention all products.
As The Center for Democracy and Technology's Joe Hall explained to TechCrunch's Gregory Ferenstein, real transparency from Microsoft means nothing less than independent review from people with recognised security chops who've vetted Skype's cryptographic methods and implementation:
I think Microsoft must be very transparent to make encryption in Skype meaningful. ... That means detailing the way Skype works technically, and demonstrating that independent review from folks respected by the security community have examined Skype's cryptographic methods and implementation and said good things about it. Hopefully then anointing it as robustly 'end-to-end.' (Meaning only the parties at the ends of the conversation have access to the communication).
Ferenstein asked Microsoft about this type of independent review, but the spokesperson declined to address the issue.
As it now stands, Silent Circle offers encrypted voice, in addition to video, text and file transfer.
But at a starting price of $9.95/month, it can't compete with Microsoft's free Skype service, unless you put a price on the assurances of privacy you get from encrypted end-to-end calling.
As far as Microsoft's pledge to get transparent with its code, the Free Software Foundation (FSF), for one, questioned the logic of trusting the Very Not Free Software maker.
From a statement made by FSF executive director John Sullivan following Microsoft's announcement:
Microsoft has made renewed security promises before. In the end, these promises are meaningless. Proprietary software like Windows is fundamentally insecure not because of Microsoft's privacy policies but because its code is hidden from the very users whose interests it is supposed to secure. A lock on your own house to which you do not have the master key is not a security system, it is a jail.
If the NSA revelations have taught us anything, it is that journalists, governments, schools, advocacy organizations, companies, and individuals, must be using operating systems whose code can be reviewed and modified without Microsoft or any other third party's blessing. When we don't have that, back doors and privacy violations are inevitable.
These are just some of the voices questioning Microsoft's recent anti-NSA stance.
Microsoft's announcement on Wednesday is, of course, public relations gold, surely meant to put a bandage on the company's NSA-headline-savaged hide.
But the move to encryption and openness still sounds like it's also a rational reaction to public outrage.
Maybe the public should keep up the outrage.
Maybe if enough people scream about the government's trampling on the privacy of innocent people, more companies will embrace customer data privacy and defend it as fiercely as if corporate lives depended on it.Follow @NakedSecurity