Microsoft is the latest technology firm to announce it will take measures to increase the security of customer data to protect against the “advanced persistent threat” of government snooping.
The announcement comes as a UK citizen begins legal action against the Microsoft that will test its legal right to disclose private data on UK citizens to the US National Security Agency (NSA).
The case is based on UK journalist Kevin Cahill’s belief that Microsoft breached the security of his email account and that, by obeying US laws, Microsoft has contravened the UK Data Protection Act.
Microsoft and several other technology firms have been at pains to distance themselves from the NSA since whistleblower Edward Snowden revealed the agency had been collecting user data from them.
In the latest move along these lines by Microsoft, the company issued a statement in the form of a blog post, saying that the company shares concerns about US government surveillance of the internet.
“That’s why we are taking steps to ensure governments use legal process rather than technological brute force to access customer data,” wrote Brad Smith, general counsel and executive vice-president of legal and corporate affairs at Microsoft.
Read more about Prism
- Security Think Tank: Prism fallout could be worse than security risks
- Security Think Tank: Prism is dangerous for everyone
- Security Think Tank: Prism – Sitting duck or elaborate honeypot?
- NSA surveillance whistleblower reveals identity
- US repeatedly hacked China, claims NSA whistleblower
- FBI spies on internet users
- UK links to US internet surveillance remain unclear
- Technology companies call for more transparency over data requests
- Compliance: The Edward Snowden, NSA program controversy continues
Without pointing to the US or UK, he said Microsoft was “especially alarmed by recent allegations… of a broader and concerted effort by some governments to circumvent online security measures – and in our view, legal processes and protections – in order to surreptitiously collect private customer data”.
In particular, he said, recent press stories have reported allegations of governmental interception and collection – without search warrants or legal subpoenas – of customer data as it travels between customers and servers or between company datacentres.
Smith said that, if true, these efforts threaten to seriously undermine confidence in the security and privacy of online communications.
In the light of these allegations, Smith said Microsoft has decided to expand encryption across its services and re-inforce the legal protections of customer data.
The software firm also plans to enhance the transparency of it software code to help re-assure customers that no Microsoft products contain back doors or code that allows access to intelligence agencies.
Microsoft said that, although it already uses encryption in its products and services, and there is no direct evidence of customer data being breached by unauthorised government access, the company will “pursue a comprehensive engineering effort to strengthen the encryption of customer data”.
This will include services like Outlook.com, Office 365, SkyDrive and Windows Azure, and customer-created content, using best-in-class industry cryptography, including perfect forward secrecy (PFS) and 2048-bit key lengths by the end of 2014.
In a bid to make it more difficult to collect data on users without going through legal channels, Twitter announced in November that PFS was live across all platforms to make it “effectively impossible” to collect data on users without the company’s permission.
Using PFS ensures protection of encrypted data, even if another party obtains decryption keys, as US and UK intelligence agencies have done in the past according to whistleblower Edward Snowden.
Also in November, Yahoo announced plans to encrypt all user data that moves between its datacentres by April 2014 in a bid to regain trust.
The internet firm previously announced it plans to encrypt all email communications from January 2014 after allegations of US government agencies accessing email traffic.
Reinforcing legal protections
New steps to reinforce legal protections for customer data will include notifying business and government customers if Microsoft receives legal orders related to their data.
“Where a gag order attempts to prohibit us from doing this, we will challenge it in court. We’ve done this successfully in the past, and we will continue to do so in the future to preserve our ability to alert customers when governments seek to obtain their data,” wrote Smith.
“And we’ll assert available jurisdictional objections to legal demands when governments seek this type of customer content that is stored in another country.”
Microsoft plans to take additional steps to increase transparency by building on its long-standing programme that provides government customers with an ability to review source code to reassure themselves of its integrity, and confirm there are no back doors.
“We will open a network of transparency centres that will provide these customers with even greater ability to assure themselves of the integrity of Microsoft’s products. We’ll open these centres in Europe, the Americas and Asia, and we’ll further expand the range of products included in these programmes,” said Smith.
He concluded by saying Microsoft wanted to ensure that important questions about government access are decided by courts, rather than dictated by technological might.
“We believe these new steps strike the right balance, advancing for all of us both the security we need and the privacy we deserve,” said Smith.
Since the Snowden revelations of the NSA’s internet surveillance programme, Microsoft, Yahoo and Google have published transparency reports on the overall number of government requests for data, as well as pushing for the right to publish more details on such requests.
The companies are also fighting to change US legislation that prevents them from providing a breakdown of numbers to show how many requests are made by the controversial Foreign Intelligence Surveillance Act (Fisa) and National Security Letters (NSLs).