Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Encryption, lawyers, and openness: Microsoft acts on NSA's 'persistent threat'

Brad Chacos | Dec. 6, 2013
"We all want to live in a world that is safe and secure, but we also want to live in a country that is protected by the Constitution."

"Many of our customers have serious concerns about government surveillance of the Internet. We share their concerns. That's why we are taking steps to ensure governments use legal process rather than technological brute force to access customer data."

With those words, Microsoft general counsel Brad Smith announced the three-pronged countermeasures his company is implementing to foil government surveillance, which he dubbed an "advanced persistent threat" on the same level as malware and cyber-attacks: all-encompassing encryption, "reinforced" legal protections, and enhanced source code transparency.

Encrypt it, encrypt it good
Microsoft already implemented HTTPS encryption for many of its services, but a recent leak provided by whistleblower Edward Snowden revealed that the NSA spies on connections between the data centers of technology companies to snatch unencrypted information "behind the curtain."

While Yahoo and Google were the only two companies explicitly fingered in that report (and have since bolstered their own security efforts), Microsoft is taking steps to prevent similar intrusions.

"The idea that the government may be hacking into corporate data centers was a bit like an earthquake, sending shock waves across the tech sector," Smith told The New York Times. "We concluded that we better assume that there might be such an attempt at Microsoft, or has already been."

The plan
Going forward, Microsoft promises to encrypt all of Microsoft's "key platform, productivity, and communications services"--Outlook.com, Office 365, SkyDrive, and Windows Azure are listed as specific examples--to protect data as it's transferred between Microsoft and its customers, as well as the connections between Microsoft's own data centers. The company also promises to encrypt customer content stored on Microsoft servers, and plans to work with other companies to ensure data moving between services stays secure.

Without getting specific, Smith says many of those protections are in place now, and all will be in effect by the end of 2014. The encryption itself will be "best-in-class industry cryptography," including Perfect Forward Secrecy and 2048-bit RSA key lengths, two technologies that Twitter and Google also respectively implemented in recent months to foil NSA snooping.

Microsoft's moves echo what Google chairman Eric Schmidt recently prescribed to end government snooping in the next ten years: "The solution to government surveillance is to encrypt everything."

Bolstering that, the chair of the Internet Engineering Task Force group developing HTTP 2.0 recently announced that the next-gen protocol will also only work with HTTPS-encrypted URLs.

More lawyers, more openness
The other countermeasures Microsoft is taking has less direct impact on everyday users, but will reassure the company's corporate and government clients.

Smith says the company will notify "business and government customers"--note that consumers are explicitly not mentioned--if the government issues legal orders for their data, and Microsoft will challenge any gag orders it receives if the government attempts to block Microsoft from informing users about the requests. The ongoing legal fallout from secret government information requests shows those challenges won't always be successful, but hey--at least they're trying.

 

1  2  Next Page 

Sign up for MIS Asia eNewsletters.