Microsoft customer privacy vs. NSA snooping

In the midst of the NSA snooping scandal, Microsoft is talking up a three-pronged approach to keep customer data safe from the prying eyes of governments.

In a blog post, the company's top lawyer pledges Microsoft will use more encryption, fight government demands for customer data and make its own source code available to the scrutiny of government customers.


While some of these measures are already in place and some won't be available to all customers, they represent an effort to take a stand against government efforts - such as the NSA mass surveillance - to gather information about Microsoft customers, says the statement by Brad Smith, the general counsel and executive vice president for Microsoft's legal and corporate affairs.

"Like many others, we are especially alarmed by recent allegations in the press of a broader and concerted effort by some governments to circumvent online security measures and in our view, legal processes and protections in order to surreptitiously collect private customer data," Smith writes. "In particular, recent press stories have reported allegations of governmental interception and collection without search warrants or legal subpoenas of customer data as it travels between customers and servers or between company data centers in our industry... We want to ensure that important questions about government access are decided by courts rather than dictated by technological might."

The new efforts being announced call for expanded use of encryption, taking a stronger stand against government demands for information and adding regional centers where government customers can examine Microsoft source code for security, he says.

Smith promises "a comprehensive engineering effort to strengthen the encryption of customer data across our networks and services," which includes Windows Azure cloud services, Office 365 and SkyDrive. Some of the measures he promises are already in place, but the list covers encrypting customer-to-Microsoft traffic as well as Microsoft data-center-to-data-center links, and calls for encrypting data at rest.

Microsoft partners whose applications are available through Azure will have the option to encrypt or not, but Microsoft will provide tools for them to do so easily, Smith says.

He doesn't specify what encryption will be used other than to say in some cases it will include perfect forward secrecy (ephemeral key exchange per session, so that a later compromise of a server's long-term key does not expose recorded traffic) and 2048-bit keys, a length that applies to the RSA and Diffie-Hellman keys used in the handshake rather than to symmetric session keys, and which is the same length Microsoft recommends its customers use. He says Microsoft is making an effort to enlist the cooperation of third parties to protect data moving between services, such as email traveling from one provider to another.
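Those two properties, a forward-secret key exchange and a 2048-bit server key, are the part of the pledge a customer can verify from outside. The following is an added example, not code from the article or from Microsoft: a standard-library Python check that connects to a host, reports whether the negotiated suite gives forward secrecy, and reads the RSA modulus size out of the server certificate's DER encoding. The forward-secrecy test keys off OpenSSL suite names (ECDHE-, DHE-, EDH-) and on TLS 1.3, which only offers ephemeral key exchange; the certificate walker handles RSA subject keys and returns None for anything else. The `sample_cert_der` skeleton is a constructed, unsigned placeholder used only to exercise the parser offline, and the host name taken from the command line is an assumption.

```python
"""Check a TLS endpoint for a forward-secret key exchange and a subject RSA key
of at least 2048 bits.  Standard library only.  The classifiers run offline;
check_endpoint() needs network access."""
import socket
import ssl
import sys
from typing import Optional

MIN_RSA_BITS = 2048
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def has_forward_secrecy(cipher_name: str, tls_version: str) -> bool:
    """Forward secrecy needs an ephemeral (EC)DHE key exchange.  TLS 1.3 offers
    nothing else; in TLS 1.2 and below it shows in the OpenSSL suite name.
    Static RSA key transport ('AES128-GCM-SHA256') and static ECDH ('ECDH-')
    are not forward secret: a later key compromise decrypts recorded traffic."""
    if tls_version == "TLSv1.3":
        return True
    return cipher_name.startswith(("ECDHE-", "DHE-", "EDH-"))


def _tlv(buf: bytes, pos: int):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int):
    """Yield the TLVs directly inside a constructed DER value."""
    pos = start
    while pos < end:
        tlv = _tlv(buf, pos)
        yield tlv
        pos = tlv[2]


def rsa_modulus_bits(cert_der: bytes) -> Optional[int]:
    """Bit size of the RSA modulus in a DER certificate's subjectPublicKeyInfo,
    or None if the key is not RSA (e.g. ECDSA).  Path walked: Certificate >
    tbsCertificate > subjectPublicKeyInfo > BIT STRING > RSAPublicKey > modulus."""
    _, cert_vs, _ = _tlv(cert_der, 0)                        # Certificate SEQ
    _, tbs_vs, tbs_ve = _tlv(cert_der, cert_vs)              # tbsCertificate SEQ
    fields = list(_children(cert_der, tbs_vs, tbs_ve))
    spki = fields[6] if fields[0][0] == 0xA0 else fields[5]  # optional [0] version
    alg, bitstr = list(_children(cert_der, spki[1], spki[2]))
    _, oid_vs, oid_ve = next(_children(cert_der, alg[1], alg[2]))
    if cert_der[oid_vs:oid_ve] != RSA_OID:
        return None
    _, rsa_vs, _ = _tlv(cert_der, bitstr[1] + 1)             # skip unused-bits byte
    _, mod_vs, mod_ve = _tlv(cert_der, rsa_vs)               # modulus INTEGER
    return int.from_bytes(cert_der[mod_vs:mod_ve], "big").bit_length()


def check_endpoint(host: str, port: int = 443) -> dict:
    """Live check: negotiate TLS with a certificate-validating default context
    and report both properties for the suite the server chose."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, version, _ = tls.cipher()
            der = tls.getpeercert(binary_form=True)
    bits = rsa_modulus_bits(der)
    return {"cipher": name, "version": version, "rsa_bits": bits,
            "forward_secret": has_forward_secrecy(name, version),
            "key_ok": bits is None or bits >= MIN_RSA_BITS}


def _der(tag: int, value: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed sample."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def sample_cert_der(modulus_bits: int) -> bytes:
    """Constructed, unsigned skeleton certificate (not a real one) whose subject
    key is an RSA modulus of exactly modulus_bits bits, for offline testing."""
    modulus = (1 << (modulus_bits - 1)) | 1                  # top bit set, odd
    mod = modulus.to_bytes((modulus_bits + 7) // 8, "big")
    if mod[0] & 0x80:
        mod = b"\x00" + mod                                  # keep INTEGER positive
    rsa_pub = _der(0x30, _der(0x02, mod) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
                + _der(0x03, b"\x00" + rsa_pub))
    name = _der(0x30, b"")                                   # empty Name placeholder
    validity = _der(0x30, _der(0x17, b"000101000000Z") * 2)
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
           + _der(0x30, _der(0x06, RSA_OID)) + name + validity + name + spki)
    return _der(0x30, _der(0x30, tbs))


if __name__ == "__main__":
    print("constructed sample, modulus bits:", rsa_modulus_bits(sample_cert_der(2048)))
    if len(sys.argv) > 1:
        print(check_endpoint(sys.argv[1]))
```

Run it as `python3 tls_check.py <host>` against any endpoint you are entitled to test; without a host it only parses the constructed sample. Two caveats: the suite-name test trusts OpenSSL's naming, so an unusual TLS stack can name suites differently, and a passing result describes one negotiation with this client's cipher preferences, not every suite the server would accept from weaker clients.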

Some of the work is already done. Customer data in Office 365 is already encrypted between customers and Microsoft, and most Office 365 traffic and Windows Azure storage is encrypted between data centers, he says.

On the legal front, Microsoft says it will notify customers when it receives legal orders to release their data. If the orders call for keeping the action secret, the company will challenge the orders in court, he says, something it has done in the past. If the data is stored in other countries, Microsoft will assert objections that the requesting government has no jurisdiction over the data, he says.

"Except in the most limited circumstances," Smith writes, "we believe that government agencies can go directly to business customers or government customers for information or data about one of their employees just as they did before these customers moved to the cloud without undermining their investigation or national security. And when those limited circumstances arise, courts should have the opportunity to review the question and issue a decision."

As for transparency, corporate customers will gain no benefits, but Smith says Microsoft will expand its program of letting government customers review its source code in order to assure themselves there are no security back doors. Network transparency centers will be opened in Europe, Asia and the Americas to give government customers a greater ability to run assurance tests.

Tim Greene covers Microsoft and unified communications for Network World and writes the Mostly Microsoft blog. Reach him at and follow him on Twitter @Tim_Greene.
