NSA Fallout: Microsoft Rethinks Customer Data Controls

Published: 22/11/2024   Category: security

Fallout over NSA surveillance drives Microsoft to promise widespread security and privacy improvements. But do they go far enough?



Stung by revelations that the National Security Agency (NSA) has been conducting a massive surveillance operation against users of online services, Microsoft responded Wednesday by saying that it would encrypt -- or use stronger crypto -- for more of its services, as well as warn business and government users when it receives legal requests for their data. The company also promised to open a network of transparency centers to allow customers to review Microsoft's source code and confirm that it contains no backdoors.

"Many of our customers have serious concerns about government surveillance of the Internet," Brad Smith, general counsel and executive vice president for legal and corporate affairs at Microsoft, said Wednesday in a blog post announcing the changes. "We share their concerns. That's why we are taking steps to ensure governments use legal process rather than technological brute force to access customer data."
Senior executives at Microsoft had reportedly already considered making those changes. But they were driven into action after NSA documents leaked by Edward Snowden suggested that intelligence agencies worldwide were spying on data and communications handled by the likes of Facebook, Google, Microsoft, and Yahoo, perhaps by hacking directly into their datacenters. Industry analysts have warned that the resulting fallout from those revelations could cost global online service providers $180 billion in lost revenue by 2016.

[Existing legislation for online privacy is woefully outdated. It's time for Congress to act. Read "Electronic Privacy Laws Need An Overhaul".]

"The idea that the government may be hacking into corporate data centers was a bit like an earthquake, sending shock waves across the tech sector," Smith told The New York Times. "We concluded that we better assume that there might be such an attempt at Microsoft, or has already been."
Accordingly, by the end of 2014, Microsoft has promised to overhaul its use of crypto for all of its major communications, productivity, and developer services, including Office 365, Outlook.com, SkyDrive, and Windows Azure. That includes adopting Perfect Forward Secrecy, as well as stronger 2048-bit key lengths. "Office 365 and Outlook.com customer content is already encrypted when traveling between customers and Microsoft, and most Office 365 workloads as well as Windows Azure storage are now encrypted in transit between our data centers," said Smith. "In other areas we're accelerating plans to provide encryption."

One goal is to force any intelligence or law enforcement agency that might otherwise try to hack into Microsoft's services or networks to instead go to court and obtain a subpoena. In addition, these changes might help defuse what's sure to become an escalating arms race between Microsoft and the NSA, or any foreign intelligence agency that wants all-you-can-eat access to Microsoft customers' data or communications.

"We all want to live in a world that is safe and secure, but we also want to live in a country that is protected by the Constitution," said Smith. "We want to ensure that important questions about government access are decided by courts rather than dictated by technological might."

On the transparency front, meanwhile, Microsoft promised to notify all business and government customers whenever it receives a legal order relating to their data. It also promised to challenge all related gag orders in court. One related goal of that move is to get law enforcement agencies to go directly to the businesses whose data they want, rather than surreptitiously obtaining it from Microsoft and other such companies.

To allow customers to review the integrity of Microsoft's products, the company said it would extend a program it already offers to some government agencies and begin allowing selected customers to review the source code for a selection of products -- to be expanded in the future -- via regional transparency centers located in Europe, Asia, North America, and South America.
But do Microsoft's promised changes go far enough? Secure messaging service Silent Circle, as well as Lavabit founder Ladar Levison, have been urging other online communications providers to adopt a new email protocol called Dark Mail, which was developed by Silent Circle's team, which includes Pretty Good Privacy (PGP) creator Phil Zimmermann.

Unlike today's webmail service providers, Dark Mail would tackle information security by relying on private encryption keys held only by email users. According to Silent Circle's overview, the "dark" aspect "doesn't imply anything sinister, but rather that it is secure, private, and that your written words are not viewed by some data-mining tech firm or a surveillance-hungry government agency."

But according to Silent Circle CEO Mike Janke, it's not clear whether online service providers will embrace an approach such as Dark Mail. "The real friction point is that Yahoo, Google and Microsoft make money mining off free email," he told the NY Times. "They say they're concerned about user privacy. Now we'll see if they really care."

The use of cloud technology is booming, often offering the only way to meet customers', employees', and partners' rapidly rising requirements. But IT pros are rightly nervous about a lack of visibility into the security of data in the cloud. In this Dark Reading report, "Integrating Vulnerability Management Into The Application Development Process", we put the risk in context and offer recommendations for products and practices that can increase insight -- and enterprise security. (Free registration required.)
