Microsoft Doesn’t Encrypt Data Between Servers

Microsoft doesn’t generally encrypt server-to-server data links, exec admits.

Microsoft is “reviewing” its datacenter security following an admission by a senior Microsoft executive that the company does not encrypt data traveling between its internal servers or datacenters.

The revelation, made during a European Parliament hearing called to investigate mass surveillance of European citizens, comes on the heels of news that the U.S. National Security Agency (NSA) has tapped datacenter networks belonging to Google and Yahoo without the knowledge or permission of either company.

That hack, which is being investigated as part of an overall probe of NSA practices by House and Senate judicial committees, required that the NSA reverse-engineer Google networking and application protocols to get at streams of data so thick NSA analysts complained about the effort required to keep up, according to secret NSA documents released by whistleblower Edward Snowden to The Washington Post.

The NSA did have to beat layers of security, but did not have to crack end-to-end high-level encryption of every byte, which Google didn’t require at the time.

Following the October expose in Post, Google launched a high-profile effort to encrypt all its data, using cryptography Google network engineers believe the NSA cannot crack.

Tapping datacenter-network traffic from Microsoft would have been a little easier, according to verbal testimony from Dorothee Belz, VP of legal and corporate affairs for Microsoft’s Europe, Middle-East/Asia region.

Microsoft does give the U.S. government some data on customers in response to warrants or other legal requests, but does not allow them direct access to Microsoft servers, she said. Microsoft does encrypt data under some circumstances and some services it offers to customers, but not all, Belz said in response to questions from European Parliament members.

“Server-to-server transportation is generally not encrypted,” she said at around the 2:40:00 mark in this YouTube video of the event. “This is why we are currently reviewing our security systems, to avoid interception of that communication.”

Microsoft didn’t respond to questions from about which services are or are not encrypted. A spokesperson said the company is evaluating changes that might help protect customer data, but offered no details.

The practice might be considered insecure and inadvisable in the U.S., but is very possibly illegal in Europe, according to Caspar Bowden, former chief privacy adviser to Microsoft, who was quoted in a Register story about the incident.

“Every European company which has used US-based cloud services must have a contract which specifies conditions for secure data processing,” including the routine use of encryption, he said. “It is negligent for cloud companies to have failed to encrypt the high-speed links between datacenters, and this has left EU citizens’ data wide open to political and economic surveillance from many powers, not just the NSA.”

The failure to encrypt could justify lawsuits from Microsoft’s European corporate customers even if the EU itself doesn’t press the issue, Bowden said.

Despite exposure of the NSA taps on its datacenter network – which prompted angry responses from Googlers ranging from Chairman Eric Schmidt to comparatively anonymous Google network engineers – Google does try to keep internal datacenter-update data traffic safe by using private fiber-optic leased-line networks and continually reviewing the quality of encryption concealing it, according to testimony at the same hearing from Nicklas Lundblad, Google’s director of public policy and government relations.

Microsoft issued nothing to indicate what portions of its security or services are being reviewed, or when any changes might be announced. Sergey Nivens