Microsoft is unveiling an aggressive plan today to combat government surveillance. Brad Smith, Microsoft’s general counsel, says the software giant shares the concerns of its own customers about government surveillance of the internet, and is planning to address them with improved encryption, legal protections, and source code transparency. In a detailed blog post, Smith labels government snooping an "advanced persistent threat," a term generally used to describe teams of hackers that coordinate cyberattacks for foreign governments.
Microsoft’s response follows recent revelations that the NSA has been secretly collecting private user data from various tech giants. The Washington Post revealed details of a program, known as MUSCULAR, that the NSA uses to tap into networks owned by Google, Yahoo, and Microsoft to obtain user information. Documents released by former NSA contractor Edward Snowden revealed that a number of Microsoft-owned services have been targeted by the NSA, allegations that Microsoft says it is "especially alarmed" by.
Server-to-server encryption planned for end of 2014
The NSA’s methods of targeting weaknesses in encryption between servers and data centers have forced Google and Yahoo to step up their own efforts to prevent NSA snooping. Microsoft is following a similar path, promising to pursue an engineering effort across the firm to strengthen its encryption processes. Smith notes that all of Microsoft’s "key platform, productivity and communications services" will encrypt customer data with strong 2048-bit encryption as it moves between data centers. While Smith doesn’t provide a full list of Microsoft’s key services, Outlook.com, Office 365, SkyDrive, and Windows Azure are all used as examples. Skype is the notable exception from the small list of examples, despite allegations that the communications service had been integrated into an NSA PRISM surveillance program previously.
Microsoft says it will also encrypt data moving between its servers and customers by default. The server-to-server and customer encryption plans will both be in place fully by the end of 2014, and Microsoft is also working with competitors to ensure data travelling between services, such as email communications, is protected in future. Some services, such as Office 365 and Outlook.com, already encrypt data travelling between Microsoft and customers, and Microsoft is also encrypting Windows Azure storage as it’s moved between servers as well as most Office 365 workloads. "In other areas we’re accelerating plans to provide encryption," says Smith. While the absence of this encryption until now seems like an obvious oversight in hindsight, technology firms have previously avoided such protections because of their complexity and performance impact on server operations.
Microsoft will challenge gag orders in court
Microsoft is also tackling NSA snooping with new legal protections. Smith says Microsoft is "committed to notifying business and government customers if we receive legal orders related to their data." While gag orders prohibit Microsoft from doing this on occasion, Smith notes the company will challenge them in court. "We’ve done this successfully in the past, and we will continue to do so in the future to preserve our ability to alert customers when governments seek to obtain their data." Microsoft is also pushing for government agencies to obtain data directly from its business customers, rather than through access requests to the various cloud services the firm operates.
While Microsoft has just opened a new Cybercrime Center to allow third-party security researchers to work alongside its employees, the software maker is also opening "transparency centers" that will allow foreign governments to inspect the software code Microsoft produces. The centers will be opened in Europe, the Americas, and Asia, allowing third parties to confirm there are no back doors in Microsoft’s software source code. "We all want to live in a world that is safe and secure, but we also want to live in a country that is protected by the Constitution," explains Smith. "We want to ensure that important questions about government access are decided by courts rather than dictated by technological might."