Did Microsoft hand the NSA access to encrypted messages?

In July last year, when the news broke that Microsoft had allegedly collaborated closely with US intelligence services to allow users' communications to be intercepted, it severely dented the image of the tech giant.

According to top-secret documents obtained by the Guardian, which broke the story, Microsoft had allegedly helped the National Security Agency to circumvent the company's own encryption, and the agency had pre-encryption stage access to email on Outlook.com, including Hotmail. It was also alleged that the company provided the NSA easier access via Prism to its cloud storage service SkyDrive (with over 250 million users worldwide) and allowed video calls through Skype to be logged. Later disclosures and reports of the NSA's surveillance methods revealed the companies did not voluntarily provide information.

Almost a year later, Microsoft has come out in the open to protect the privacy of Internet users (the company's officials maintain that they have been vocal on this topic right from the beginning). In a strongly worded blog post today, Microsoft's top lawyer Brad Smith has called upon the US government to act on "unfinished business" a year after the news broke of the extent of the National Security Agency's cyber-spying operations.

Microsoft's general counsel has set out five areas where he believes the government needs to take more action in the wake of Edward Snowden's revelations. While there had been some "initial positive reforms," Smith said in his blog post, "the reality is clear. The US government needs to address important unfinished business to reduce the technology trust deficit it has created."

Echoing similar sentiments in Redmond, Washington today, Brendon Lynch, Microsoft's Chief Privacy Officer, said that Microsoft does not surrender data to the government unless the company is approached with proper legal justifications (subpoenaed), and even then the company tries to direct the government agencies to go to the corporate customers for data instead of knocking on the doors of Microsoft.

During the NSA's now infamous illegal data gathering phase, Microsoft was not willingly providing any upfront data gathering facilities to the NSA, Lynch clarified. Whatever data the NSA was gathering, it was doing it on its own and through its own mechanisms (such as through ISPs) but we have strengthened even those loopholes with stronger data encryption methods, he told a group of international media touring the Microsoft campus. "People will not be using technology they do not trust and governments might be putting that trust to risk," he said.

"Privacy has been a core pillar for Microsoft right from the beginning," he said. "For us it has always been about customer trust."

According to Lynch, Microsoft adopts the principles of privacy by design, but the challenge is that "the goalposts seem to shift in terms of what is acceptable and not" quite rapidly. However, he said that Microsoft considers 'robust privacy management' important to gain and maintain customer trust and to enable valuable data uses.

Five major trends with privacy implications

1. The ubiquity of computing: There will be trillions of connected devices in 10 years.

2. Natural interactions such as voice recognition, gestures, capturing of biometric data, etc., will gain ground. "What is going to happen to all that data?" he asked.

3. Big data in the cloud will result in data-driven innovation.

4. Tailored, social experiences will bring personalized experiences to people, but the area is littered with potential privacy landmines.

5. Data collection and use by governments

Because of these trends, he said that there is a need for a big focus on privacy. But the key questions are: how can organizations be good stewards of this data, how can organizations keep their privacy promises, and how can organizations help people make the privacy choices that are right for them?

"People are struggling with the privacy choices today because there is so much data to be shared or protected," Lynch said. He cited the example of lengthy legal documents that are served out to users when they sign up for an online service. "You can't make decisions based on reading privacy policies," he said. According to research, it would take you 76 days to read through the privacy policies of all the common online services that you use.

Microsoft's approach

Lynch said that Microsoft has a corporate team that leads privacy policies. There are well-trained privacy people in all teams, be it engineering or marketing. Currently, Microsoft has 139 people with CIPP certification, which is issued by the IAPP (International Association of Privacy Professionals).

For privacy, Microsoft has a global principle-based policy, and there are standards, procedures and guidance. The company has over 40 full-time privacy professionals.

"Today, there is a dilemma for both individuals and IT service providers between choosing privacy and making computing more user-friendly," he said, hinting at the hesitation people feel in sharing their personal data with Internet companies.

Stories by Zafar Anjum
