Microsoft, Spooked By Snoops, Joins the Encryption Crowd
- Robert Schoon
- Dec 06, 2013 01:58 AM EST
- Sign up to receive the lastest news from LATINONE
-
After continuing revelations about the National Security Agency's snooping programs - some which reportedly did not involve the NSA giving notification to, or obtaining permission from internet technology companies - Microsoft joined the chorus of IT giants locking down their networks with tighter security.
On Wednesday, Microsoft's General Counsel and Executive Vice President of Legal and Corporate Affairs Brad Smith announced the changes in Microsoft's security on one of the company's blogs.
"Like many others, we are especially alarmed by recent allegations in the press of a broader and concerted effort by some governments to circumvent online security measures - and in our view, legal processes and protections - in order to surreptitiously collect private customer data," wrote Smith. The allegations Smith referred to started when the Washington Post reported a leak from ex-NSA contractor turned whistleblower Edward Snowden that detailed an NSA project called MUSCULAR.
Originally reported as affecting specifically internal server communications between Google and Yahoo, the NSA and GCHQ (its U.K. counterpart) were reportedly tapping entire data flows in fiber-optic cables that carry unencrypted communications between various data centers those companies use. While Microsoft wasn't named, Smith told the New York Times that the revelations nevertheless affected Microsoft deeply.
"The idea that the government may be hacking into corporate data centers was a bit like an earthquake, sending shock waves across the tech sector," Mr. Smith said to the Times. "We concluded that we better assume that there might be such an attempt at Microsoft, or has already been."
"If true, these efforts threaten to seriously undermine confidence in the security and privacy of online communications," wrote Smith in the blog post. "Indeed, government snooping potentially now constitutes an 'advanced persistent threat,' alongside sophisticated malware and cyber attacks."
Microsoft promised "comprehensive engineering efforts" to strengthen encryption of user data across its networks, including Outlook.com, Office 365, SkyDrive, Windows Azure, and other Microsoft services "across the full lifecycle of customer-created content." That means any Microsoft customer data moving between the end user and Microsoft will be encrypted by default, as well as all customer content being transferred between various Microsoft data centers.
Like Twitter and others, Microsoft is also adding Perfect Forward Secrecy - an advanced encryption technology that specifically protects against large-scale data vacuuming that governments are capable of - to its security arsenal. "All of this will be in place by the end of 2014, and much of it is effective immediately," wrote Smith.
Microsoft is one of many to take the stop towards plugging any possible leaks by encrypting nearly all data that it stores or transfers. Google, Twitter, Mozilla (Firefox), Facebook, and Yahoo have all made similar announcements.
Microsoft says it is taking additional measures to increase transparency, promising to "open a network of transparency centers" that will provide other governments (they're being spied on, too) with information like reviewing Microsoft's source code, in order to confirm, themselves, that no NSA back doors threaten their data.
Microsoft - along with most of the IT companies mentioned - was first implicated in the summer (also by Edward Snowden's leaks) in cooperating with the NSA, handing over user data to the agency and other law enforcement agencies in response to national security requests from the secret FISA court.
Microsoft hopes its encryption forces the NSA to reassert that secret, but at least not surreptitious, arrangement. "Except in the most limited circumstances, we believe that government agencies can go directly to business customers or government customers for information or data about one of their employees - just as they did before these customers moved to the cloud - without undermining their investigation or national security," wrote Smith. "And when those limited circumstances arise, courts should have the opportunity to review the question and issue a decision.
- Sign up to receive the lastest news from LATINONE
-