Microsoft’s NSA ‘Transparency’ Push Remains Pretty Opaque

Microsoft will encrypt consumer data and make its software code more transparent, in a bid to boost consumer confidence in its security.

“Like many others, we are especially alarmed by recent allegations in the press of a broader and concerted effort by some governments to circumvent online security measures—and in our view, legal processes and protections—in order to surreptitiously collect private customer data,” Brad Smith, Microsoft’s general counsel, wrote in a corporate blog posting published late Dec. 4. “In particular, recent press stories have reported allegations of governmental interception and collection—without search warrants or legal subpoenas—of customer data as it travels between customers and servers or between company data centers in our industry.”

Smith is referring, of course, to reports that the National Security Agency (NSA) has penetrated deeply into the world’s tech companies and telecommunication networks. Top-secret documents from government whistleblower Edward Snowden, leaked to media outlets such as The Guardian and The Washington Post, describe a program, known as PRISM, which allegedly siphons information from the databases of nine major technology companies, including Microsoft, Google, Yahoo, Facebook, PalTalk, YouTube, Skype, AOL, and Apple.

Soon after the Snowden leaks began in June, Microsoft denied that it had given its assent to the NSA tapping its databases. “We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis,” a company spokesperson wrote in an email to Slashdot at the time. “In addition we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don’t participate in it.” But that didn’t stop reports of Microsoft collaborating tightly with the NSA to intercept user communications.

Microsoft claims that it will now encrypt data flowing through Outlook.com, Office 365, SkyDrive, and Windows Azure. That will include data moving between customers’ devices and Microsoft servers, as well as data moving between Microsoft data centers. The encryption will involve Perfect Forward Secrecy and 2048-bit key lengths, and the company hopes to have all measures in place by the end of 2014.

“We also will take new steps to reinforce legal protections for our customers’ data,” Smith wrote. “For example, we are committed to notifying business and government customers if we receive legal orders related to their data. Where a gag order attempts to prohibit us from doing this, we will challenge it in court.”

The increased-transparency part of Microsoft’s new initiative is perhaps the most interesting, considering the company’s longstanding advocacy of proprietary software. But Microsoft actually isn’t planning on throwing its code open for anyone to examine, as much as that might quell fears about government-designed backdoors and other nefarious programming. Instead, according to Smith, “transparency” means “building on our long-standing program that provides government customers with an appropriate ability to review our source code, reassure themselves of its integrity, and confirm there are no back doors.”

In addition, Microsoft plans on opening a network of “transparency centers” where customers can go to “assure themselves of the integrity of Microsoft’s products.” That’s not exactly the equivalent of volunteers going through TrueCrypt to ensure a lack of NSA backdoors, and it seems questionable whether such moves (vague as they are at this point) on Microsoft’s part will assure anyone that it hasn’t been compromised by government sources. But with Google and other tech firms making a lot of noise about encrypting their respective services, Microsoft has little choice but to join them in introducing new privacy initiatives.

Image: Mikko Lemola/Shutterstock.com