Security Advisor
Microsoft To Add Data Encryption in Response to Gov. Snooping
It will also make code more transparent in hopes to ease customers of fears of hidden backdoors.
Microsoft yesterday announced that it is taking steps to guard against government surveillance of its customers' data.
Brad Smith, general counsel and executive vice president of Legal and Corporate Affairs at Microsoft, outlined in a blog post that the company will be strengthening and expanding its encryption services, both in transit and at its datacenters, in the coming year. The company is aiming to reinforce its legal protection of personal data and plans to make its software code more transparent to assure it doesn't have a backdoor to be tapped.
Smith explained that Microsoft's actions are in reaction to press accounts that Microsoft's online security measures are bypassed by governments. While Smith didn't mention former National Security Agency (NSA) contractor Edward Snowden by name, it was NSA documents leaked by Snowden that indicated that the NSA had worked with Microsoft to crack its data encryption, as well as reach into Microsoft's network with Microsoft's alleged participation in the NSA's PRISM program.
"Like many others, we are especially alarmed by recent allegations in the press of a broader and concerted effort by some governments to circumvent online security measures -- and in our view, legal processes and protections -- in order to surreptitiously collect private customer data," wrote Smith. "In particular, recent press stories have reported allegations of governmental interception and collection -- without search warrants or legal subpoenas -- of customer data as it travels between customers and servers or between company data centers in our industry."
Microsoft, Yahoo, Google and other service providers have all denied allowing unfettered NSA access to customer data on their networks, except by court order, but this time Smith allowed for the possibility. He described the government snooping capability, "if true," as "an advanced persistant threat" for Microsoft's customers.
On the encryption front, Smith said that all data moving through its online services, including Windows Azure, Office 365, Outlook.com and SkyDrive, will employ Perfect Forward Secrecy -- a cryptography process that generates random public keys per online session -- and will be using 2048-bit key lengths. All data will also be encrypted as it moves between Microsoft datacenters, and data moving between Microsoft and customers will be encrypted by default.
Smith said Microsoft plans to have the strengthened encryption process fully implemented by the end of 2014 and will roll it out in phases as available.
"Although this is a significant engineering effort given the large number of services we offer and the hundreds of millions of customers we serve, we're committed to moving quickly," said Smith.
As for the legal side of protecting data, Microsoft will continue to alert customers when court-ordered data requests are received, and the company will challenge in court any requests hidden behind gag orders. Smith said that it's also up to its customers to review any court orders received directly from government agencies before Microsoft hands over any requested data.
Finally, in an effort to increase code transparency, Smith said Microsoft will be opening "network of transparency centers" in Europe, Asia and the Americas in which businesses and customers will be able to take a close look at code for Microsoft's complete line of products.
"We all want to live in a world that is safe and secure, but we also want to live in a country that is protcted by the Constitution," wrote Smith. "We want to ensure that important questions about government access are decided by courts rather than dictated by technological might. And we're focused on applying new safeguards worldwide, recognizing the global nature of these issues and challenges."
However, some of Snowden's descriptions of NSA spying indicated that the agency had the means to siphon traffic off international communications hubs across the globe. If so, any traffic sent over the Internet could be tapped, perhaps before landing in Microsoft's datacenters.