The Guardian has continued its string of leaks regarding the American surveillance program, reporting that top-secret documents reveal a tight collaboration between Microsoft, the NSA, and the FBI. Microsoft, along with other companies, has insisted that reports about widespread information-gathering are not accurate, and that it only provides limited information in response to government orders. According to a report published today, though, Microsoft didn't simply hand over data: it also allowed agencies to get around encryption and collect data from Outlook.com, Skype, and SkyDrive.
Internal newsletters from the NSA Special Source Operation division allegedly show that the NSA was easily able to access emails or Skype calls through the PRISM program. The NSA, it says, worked with Microsoft to make sure Outlook.com would not be immune from surveillance. "For Prism collection against Hotmail, Live, and Outlook.com emails will be unaffected because Prism collects this data prior to encryption," one newsletter apparently reads. Another letter, from April 2013, describes a months-long negotiation to let analysts access SkyDrive. This "means that analysts will no longer have to make a special request to SSO for this — a process step that many analysts may not have known about," it reads.
The Guardian reports that Skype signed on with PRISM in 2010, before its acquisition by Microsoft, and continuously worked to provide access to its calls. "The audio portions of these sessions have been processed correctly all along, but without the accompanying video. Now, analysts will have the complete 'picture'," one document says, though this doesn't directly state that the NSA had access. The Guardian, however, also describes a process of "integrating Skype into PRISM," quoting a newsletter that says "collaborative teamwork was the key to the successful addition of another provider to the Prism system." The FBI and NSA also apparently shared information freely, at one point allegedly saying that automated sharing and other measures "underscore the point that PRISM is a team sport!"
Skype has previously denied that it approved blanket requests for data or even had the capability to carry out a program like PRISM. "Our position has always been that when a law enforcement entity follows the appropriate procedures, we respond where legally required and technically feasible," it said last year. In 2008, Skype categorically denied that it could even tap phones: "We have not received any subpoenas or court orders asking us to perform a live interception or wiretap of Skype-to-Skype communications," it told CNET. "In any event, because of Skype's peer-to-peer architecture and encryption techniques, Skype would not be able to comply with such a request."
Microsoft has also denied that it provides any more data than necessary. The Guardian asked for comment and was told that "we only ever comply with orders about specific accounts or identifiers, and we would not respond to the kind of blanket orders discussed in the press over the past few weeks." However, it also said that "when we upgrade or update products legal obligations may in some circumstances require that we maintain the ability to provide information in response to a law enforcement or national security request. There are aspects of this debate that we wish we were able to discuss more freely."
Microsoft has also been one of the rare companies that did not immediately and flatly deny providing "direct access" to its servers. It has now, however, stated that it "does not provide any government with blanket or direct access," repudiating The Guardian's allegations that the NSA could get full direct access to files. The full article is available from The Guardian, but the leaked newsletters themselves are not available to read. Glenn Greenwald has said that this is because they were gathered from an online bulletin system, not in the form of discrete documents.
Update: Microsoft has given us a statement denying providing direct access, and the article has been updated to reflect this. Read the statement below.
We have clear principles which guide the response across our entire company to government demands for customer information for both law enforcement and national security issues. First, we take our commitments to our customers and to compliance with applicable law very seriously, so we provide customer data only in response to legal processes. Second, our compliance team examines all demands very closely, and we reject them if we believe they aren’t valid. Third, we only ever comply with orders about specific accounts or identifiers, and we would not respond to the kind of blanket orders discussed in the press over the past few weeks, as the volumes documented in our most recent disclosure clearly illustrate.
To be clear, Microsoft does not provide any government with blanket or direct access to SkyDrive, Outlook.com, Skype or any Microsoft product. Finally when we upgrade or update products legal obligations may in some circumstances require that we maintain the ability to provide information in response to a law enforcement or national security request. There are aspects of this debate that we wish we were able to discuss more freely. That’s why we’ve argued for additional transparency that would help everyone understand and debate these important issues.