Security Advisor
Microsoft's Prism Involvement Detailed in Recently Leaked Documents
Microsoft, which has denied being involved with Prism since the program was first divulged, released a statement this week saying it did not provide the NSA with a backdoor to access personal Outlook.com e-mails and Skype conversations.
Update (07/17): In a letter posted Tuesday in response to last week's allegations that Microsoft provided encryption backdoors for Outlook.com and Skype, Brad Smith, General Counsel & Executive Vice President, Legal & Corporate Affairs at Microsoft, denied that the company provided any sort of technology to the NSA, saying "We do not provide any government with the technical capability to access user content directly or by itself. Instead, governments must continue to rely on legal process to seek from us specified information about identified accounts."
Recently leaked documents described Microsoft working hand in hand with the National Security Agency (NSA) to break encryption and provide access to its customers' data through the NSA's Prism surveillance program.
The secret disclosures were given to the UK-based Guardian newspaper by NSA leaker Edward Snowden. According to the Thursday Guardian story, Microsoft provided the government agency with an encryption workaround to broadly monitor the activities of its Outlook.com, Skype and SkyDrive users.
The workaround was provided after the NSA expressed concern about not being able to gain access to Web chats on Microsoft's newly revamped Outlook.com service (formerly known as "Hotmail"). Prior to receiving the encryption workaround, Microsoft had already provided access to personal e-mails through the Outlook.com and Hotmail services, according to the Guardian's account.
The recently released information also contained details that Microsoft cooperated with the FBI in providing insights on how to undercut the e-mail alias feature in Outlook.com.
The Guardian also reported that the integration of the Skype voice-over-IP telephony service into the Prism program started as far back as November 2010, before Microsoft's acquisition of the Luxembourg-based company. In February 2011, Skype received a signed directive from the attorney general to comply. Microsoft announced its plans to purchase Skype in May 2011.
Speaking on the issue of consumer privacy, ACLU technology expert Chris Soghoian told the Guardian that Microsoft's involvement with Prism directly goes against its commitment to user privacy made on the Skype Web site. "In the past, Skype made affirmative promises to users about their inability to perform wiretaps," said Soghoian to the newspaper. "It's hard to square Microsoft's secret collaboration with the NSA with its high-profile efforts to compete on privacy with Google."
In a statement made by Microsoft yesterday, the company confirmed that it has been working with government agencies on national security matters, but that it had not provided the NSA with any means to broadly monitor Skype, Outlook.com or SkyDrive, except by subpoena.
"First, we take our commitments to our customers and to compliance with applicable law very seriously, so we provide customer data only in response to legal processes. Second, our compliance team examines all demands very closely, and we reject them if we believe they aren't valid. Third, we only ever comply with orders about specific accounts or identifiers, and we would not respond to the kind of blanket orders discussed in the press over the past few weeks, as the volumes documented in our most recent disclosure clearly illustrate."
While Microsoft's statement directly contradicts the recently leaked information, the company has maintained since news of the Prism surveillance program surfaced in June that it only provided specific access to a limited amount of personal data when requested by a court order. In March, Microsoft announced a new policy to disclose law enforcement requests for customer data. However, in June, the company clarified that it now includes FISA request data in the bulk number of requests it reports every six months. In a June blog post, Microsoft indicated that it is obliged by the U.S. government to obscure exactly which portion of that data is disclosed due to FISA requests. It also suggested that it hasn't received a bulk-spying FISA request such as the Verizon FISA order disclosed by Snowden.
"We have not received any national security orders of the type that Verizon was reported to have received that required Verizon to provide business records about U.S. customers," claimed John Frank, vice president and deputy general counsel for Microsoft, in the June blog post.
Snowden had previously disclosed that other major technology companies, including Google, Facebook, Yahoo, AOL and Apple, also are actively participating in the Prism surveillance program. However, Microsoft was the first to join the program, according to the leaked NSA documents.