Encryption, lawyers, and openness: Microsoft acts on NSA's 'persistent threat'

"We all want to live in a world that is safe and secure, but we also want to live in a country that is protected by the Constitution."

"Many of our customers have serious concerns about government surveillance of the Internet. We share their concerns. That's why we are taking steps to ensure governments use legal process rather than technological brute force to access customer data."

With those words, Microsoft general counsel Brad Smith announced the three-pronged set of countermeasures his company is implementing to foil government surveillance, which he dubbed an "advanced persistent threat" on the same level as malware and cyber-attacks: encryption across its services and infrastructure, "reinforced" legal protections, and expanded source code transparency.

Encrypt it, encrypt it good

Microsoft has already implemented HTTPS encryption for many of its services, but HTTPS protects only the leg between the user's browser and the service's front door. A recent leak provided by whistleblower Edward Snowden revealed that the NSA taps the private links between technology companies' data centers, where traffic was carried in the clear, to snatch unencrypted information "behind the curtain."

While Yahoo and Google were the only two companies explicitly named in that report (and both have since bolstered their own security efforts), Microsoft is taking steps to prevent similar intrusions.

"The idea that the government may be hacking into corporate data centers was a bit like an earthquake, sending shock waves across the tech sector," Smith told The New York Times. "We concluded that we better assume that there might be such an attempt at Microsoft, or has already been."

The plan

Going forward, Microsoft promises to encrypt its "key platform, productivity, and communications services"--Outlook.com, Office 365, SkyDrive, and Windows Azure are listed as specific examples--in three places: data in transit between Microsoft and its customers, data crossing the connections between Microsoft's own data centers, and customer content stored at rest on Microsoft servers. The company also plans to work with other companies to ensure data moving between services stays secure.

Without getting specific, Smith says many of those protections are in place now, and all will be in effect by the end of 2014. The encryption itself will be "best-in-class industry cryptography," including Perfect Forward Secrecy and 2048-bit RSA key lengths, two measures that Twitter and Google respectively implemented in recent months to foil NSA snooping. The two address different risks: forward secrecy negotiates a fresh, throwaway key for every connection, so that an adversary who records traffic today and later obtains the server's long-term private key still cannot decrypt it; longer RSA keys raise the cost of breaking that long-term key in the first place. Neither helps against an endpoint that is itself compromised, or against data handed over under legal order, which is what the other two prongs are for.
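As an added example (not Microsoft's code, and not from the original article), the script below audits a TLS cipher policy for forward secrecy using only Python's standard library. It relies on `ssl.SSLContext.get_ciphers()`, which reports each suite's key-exchange method under OpenSSL's names (`kx-ecdhe`, `kx-dhe`, `kx-rsa`, and `kx-any` for TLS 1.3 suites). The cipher string `HARDENED_CIPHERS` is this example's own choice of a policy in the spirit of what the article describes, not a published Microsoft configuration, and which suites actually exist depends on the OpenSSL build Python is linked against.

```python
"""Audit a TLS cipher policy for forward secrecy with the standard library.

Added example for this article; not Microsoft's code. Relies on
ssl.SSLContext.get_ciphers(), which labels each suite's key exchange the
way OpenSSL does (kx-ecdhe, kx-dhe, kx-rsa, kx-any for TLS 1.3). The set
of suites available depends on the OpenSSL build Python is linked against.
"""
import ssl

# Key exchanges that derive a fresh session key per connection. A later
# theft of the server's long-term RSA private key then yields nothing for
# traffic recorded earlier. Static RSA key transport (kx-rsa) has no such
# property: the recorded premaster secret decrypts as soon as the key leaks.
EPHEMERAL_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}

# Policy in the spirit of the article: TLS 1.2 as the floor, ephemeral ECDH
# only, AEAD ciphers, no anonymous or static-RSA suites. This string is the
# example's own choice (an assumption), not a Microsoft configuration.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!kRSA:!MD5"


def context_for(cipher_spec, min_version=ssl.TLSVersion.TLSv1_2):
    """Build a client context restricted to cipher_spec and min_version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version
    ctx.set_ciphers(cipher_spec)  # raises ssl.SSLError if nothing matches
    return ctx


def audit(ctx):
    """Partition the context's enabled suites by forward-secrecy property."""
    report = {"forward_secret": [], "static_key_exchange": []}
    for suite in ctx.get_ciphers():
        bucket = "forward_secret" if suite["kea"] in EPHEMERAL_KX else "static_key_exchange"
        report[bucket].append(suite["name"])
    return report


def enforces_forward_secrecy(cipher_spec):
    """True when every suite the policy allows uses an ephemeral key exchange."""
    return not audit(context_for(cipher_spec))["static_key_exchange"]


if __name__ == "__main__":
    # Compare OpenSSL's DEFAULT policy, which still admits static-RSA suites,
    # with the hardened policy above.
    for spec in ("DEFAULT", HARDENED_CIPHERS):
        r = audit(context_for(spec))
        print(f"{spec!r}: {len(r['forward_secret'])} forward-secret suites, "
              f"{len(r['static_key_exchange'])} static-key-exchange suites")
        for name in r["static_key_exchange"]:
            print("  no forward secrecy:", name)
```

The same check applies on the server side: build the context with `ssl.PROTOCOL_TLS_SERVER` and the same cipher string before loading the certificate. The key length the article mentions is a property of the certificate, not of the cipher string, and has to be verified separately (for example with `openssl x509 -noout -text`), since a forward-secret suite still authenticates the server with that long-term RSA key.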

Microsoft's moves echo what Google chairman Eric Schmidt recently prescribed to end government snooping in the next ten years: "The solution to government surveillance is to encrypt everything."

Bolstering that, the chair of the Internet Engineering Task Force working group developing HTTP 2.0 recently proposed that the next-gen protocol be used only with HTTPS-encrypted URLs on the open Internet.

More lawyers, more openness

The other countermeasures Microsoft is taking have less direct impact on everyday users, but will reassure the company's corporate and government clients.

Smith says the company will notify "business and government customers"--note that consumers are explicitly not mentioned--if a government issues legal orders for their data, and that Microsoft will challenge in court any gag order that attempts to block it from informing those customers about the requests. The ongoing legal fallout from secret government information requests shows those challenges won't always be successful, but hey--at least they're trying.

Microsoft's also tackling another bugbear head-on. When it was recently revealed that the NSA spends billions to crack encryption and to have backdoors inserted into software, speculation quickly raged that Microsoft software (such as Windows and BitLocker) was vulnerable, given the company's close relationship with the U.S. government.

To squash that rumor, Smith announced that Microsoft will expand an existing program that allows government customers to review the source code of Microsoft software. While you and I still won't be able to sneak a peek at Windows' innermost secrets, Microsoft plans to open "transparency centers" in Europe, Asia, and North and South America to make it easier for government customers to vet its code, and will be adding more products to the program in coming months. Reading the source is a meaningful check against a deliberate backdoor, but only if the reviewer can also confirm that the shipped binaries were built from the code on display.

"We all want to live in a world that is safe and secure, but we also want to live in a country that is protected by the Constitution," Smith wrote. "We want to ensure that important questions about government access are decided by courts rather than dictated by technological might."

Hear, hear.


Stories by Brad Chacos
