Microsoft's Quest for Surveillance Reforms -- Redmondmag.com

The Schwartz Report

Microsoft's Quest for Surveillance Reforms

In the year since Edward Snowden stunned the world with revelations that the National Security Agency (NSA) had a widespread digital surveillance effort that included the covert PRISM eavesdropping and data mining program, Microsoft marked the anniversary last week by saying it had unfinished business in the quest for government reforms.

While most cynics presumed intelligence agencies intercepted some communications, Snowden exposed what he and many believe was broad overreach by the government. Many of the revelations that kicked off a year ago last Thursday even put into question the legality of the NSA's activities and the restrictions imposed on the telecommunications and IT industry by the Foreign Intelligence Security Act (FISA).

The leaked documents implicated the leading telcos, along with Microsoft, Google, Facebook, Yahoo and many others, saying they were giving the feds broader access to e-mail and communications of suspected terrorists than previously thought. While the government insisted it was only acting when it believed it had probable cause and on court orders, the NSA's broad activities and the compliance of Microsoft and others put into question about how private our data is when shared over the Internet, even when stored in cloud services.

Whether you think Snowden is a hero for risking his life and liberty for exposing what he believed defied core American freedoms or you feel he committed treason, as Netscape Cofounder and Silicon Valley heavyweight Marc Andreessen believes, the worldview and how individuals treat their data and communications is forever changed.

The revelations were a setback for Microsoft's efforts to move forward its "cloud-first" transformation because the leaked NSA documents found that the company was among those that often had to comply with court orders without the knowledge of those suspected. To his credit, Microsoft General Counsel Brad Smith used the revelations to help put a stop to the objectionable activities.

Both Microsoft and Google last week marked the anniversary by showing the progress both companies have made. Google used the occasion to announce its new end-to-end encryption plugin for the Google Chrome browser and a new section in its Transparency Report that tracks e-mail encryption by service providers. Google announced it is using the Transport Layer Security (TLS) protocol to encrypt e-mail across its Gmail service. Its reason for issuing the Transparency Report was to point out that a chain is only as strong as its weakest link, hoping it would pressure all e-mail providers to follow suit. The report last week showed Hotmail and Outlook.com only implementing TLS 50 percent of the time.

Microsoft has lately emphasized it is stepping up its encryption efforts this year. Encryption for Office 365 is coming, Microsoft said last month. The company will offer 2018-bit Private Forward Secrecy as the default decryption for Office 365, Azure, Outlook.com and OneDrive. Next month Microsoft will also offer new technology for SharePoint Online and OneDrive for Business that will move from a single encryption key per disk to offering a unique encryption key for each file.

Shortly after the Snowden revelations, Microsoft, Google and others filed a lawsuit challenging the Foreign Intelligence Surveillance Act's stipulation that made it illegal for the companies to be more transparent. In exchange for dropping that lawsuit, Microsoft and others were able to make some limited disclosures. But in his blog post last week, Smith said providers should be permitted to provide more details, arguing doing so wouldn't compromise national security.

The unfinished business Smith would like to see resolved includes in summary:

Recognize that U.S. search warrants end at U.S. borders: The U.S. government should stop trying to force tech companies to circumvent treaties by turning over data in other countries. Under the Fourth Amendment of the U.S. Constitution, users have a right to keep their e-mail communications private. We need our government to uphold Constitutional privacy protections and adhere to the privacy rules established by law. That's why we recently went to court to challenge a search warrant seeking content held in our data center in Ireland. We're convinced that the law and the U.S. Constitution are on our side, and we are committed to pursuing this case as far and as long as needed.
End bulk collection: While Microsoft has never received an order related to bulk collection of Internet data, we believe the USA Freedom Act should be strengthened to prohibit more clearly any such orders in the future.
Reform the FISA Court: We need to increase the transparency of the FISA Court's proceedings and rulings, and introduce the adversarial process that is the hallmark of a fair judicial system.
Commit not to hack data centers or cables: We believe our efforts to expand encryption across our services make it much harder for any government to successfully hack data in transit or at rest. Yet more than seven months after the Washington Post first reported that the National Security Agency hacked systems outside the U.S. to access data held by Yahoo and Google, the Executive Branch remains silent about its views of this practice.
Continue to increase transparency: Earlier this year, we won the right to publish important data on the number of national security related demands that we receive. This helped to provide a broader understanding of the overall volume of government orders. It was a good step, but we believe even more detail can be provided without undermining national security.

President Obama has put forth some recommendations, though some believe they don't go far enough and have yet to affect any major changes. If you saw the interview NBC's Brian Williams conducted with Snowden in Moscow, it's clear, regardless of the legality of the leaks, this debate is far from over. But if you're concerned about your privacy, encrypting your data at rest and in transit is an important step moving forward.

Posted by Jeffrey Schwartz on 06/09/2014 at 1:06 PM

Featured

Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.
PowerShell Script Used in Phishing Attack May Be AI-Generated

A PowerShell script being used in a novel malware campaign may have been created by AI, according to security researchers at Proofpoint.
Using Microsoft Office to Build a Network Diagram, Part 1

Keeping documentation is a great way to ease your future hardware refresh and have what you need for insurance purposes.
Microsoft Claims Breakthrough in Quantum Computing Reliability

A new paper details Microsoft's recent progress in quantum computing -- specifically, its development of a system that is both significantly less prone to errors and better at correcting them.