Did Microsoft hand the NSA access to encrypted messages?

In July last year, when the news broke that Microsoft had allegedly collaborated closely with US intelligence services to allow users' communications to be intercepted, it severely dented the image of the tech giant.

According to top-secret documents obtained by the Guardian, which broke the story, Microsoft had allegedly helped the National Security Agency to circumvent the company's own encryption, and the agency had pre-encryption stage access to email on Outlook.com, including Hotmail. It was also alleged that the company provided the NSA easier access via Prism to its cloud storage service SkyDrive (with over 250 million users worldwide) and allowed video calls through Skype to be logged. Later disclosures and reports of the NSA's surveillance methods revealed the companies did not voluntarily provide information.

Almost a year later, Microsoft has come out in the open to protect the privacy of Internet users (the company's officials maintain that they have been vocal on this topic right from the beginning). In a strongly worded blog post today, Microsoft's top lawyer Brad Smith called upon the US government to act on "unfinished business" a year after news broke of the extent of the National Security Agency's cyber-spying operations.

Microsoft's general counsel has set out five areas where he believes the government needs to take more action in the wake of Edward Snowden's revelations. While there had been some "initial positive reforms," Smith said in his blog post, "the reality is clear. The US government needs to address important unfinished business to reduce the technology trust deficit it has created."

Echoing similar sentiments in Redmond, Washington today, Brendon Lynch, Microsoft's Chief Privacy Officer, said that Microsoft does not surrender data to the government unless the company is approached with proper legal justification (subpoenaed), and even then the company tries to direct the government agencies to go to the corporate customers for data instead of knocking on Microsoft's doors.

During the NSA's now infamous illegal data gathering phase, Microsoft was not willingly providing any upfront data gathering facilities to the NSA, Lynch clarified. Whatever data the NSA was gathering, it was doing so on its own and through its own mechanisms (such as through ISPs), but Microsoft has strengthened even those loopholes with stronger data encryption methods, he told a group of international media touring the Microsoft campus. "People will not be using technology they do not trust and governments might be putting that trust to risk," he said.

"Privacy has been a core pillar for Microsoft right from the beginning," he said. "For us it has always been about customer trust."

According to Lynch, Microsoft adopts the principles of privacy by design, but the challenge is that "the goalposts seem to shift in terms of what is acceptable and not" quite rapidly. However, he said that Microsoft considers 'robust privacy management' important to gain and maintain customer trust and to enable valuable data uses.

Five major trends with privacy implications

1. The ubiquity of computing: There will be trillions of connected devices in 10 years.

2. Natural interactions such as voice recognition, gestures, capturing of biometric data, etc., will gain ground. "What is going to happen to all that data?" he asked.

3. Big data in the cloud will result in data-driven innovation.

4. Tailored, social experiences will bring personalized experiences to people, but the area is littered with potential privacy landmines.

5. Data collection and use by governments

Because of these trends, he said that there is a need for a big focus on privacy. But the key questions are: how can organizations be good stewards of this data, how can organizations keep their privacy promises, and how can organizations help people make the privacy choices that are right for them?

"People are struggling with the privacy choices today because there is so much data to be shared or protected," Lynch said. He cited the example of lengthy legal documents that are served to users when they sign up for an online service. "You can't make decisions based on reading privacy policies," he said. According to research, it would take you 76 days to read through the privacy policies of all the common online services that you use.

Microsoft's approach

Lynch said that Microsoft has a corporate team that leads privacy policies. There are well-trained privacy people in all teams, be it engineering or marketing. Currently, Microsoft has 139 people with CIPP certification, a certification issued by the IAPP (International Association of Privacy Professionals).

For privacy, Microsoft has a global principle-based policy, along with standards, procedures and guidance. The company has over 40 full-time privacy professionals.

"Today, there is a dilemma for both individuals and IT service providers between choosing privacy and making computing more user-friendly," he said, hinting at the hesitation people feel in sharing their personal data with Internet companies.
