Microsoft boosts anti-snooping protection in, OneDrive

The consumer webmail and cloud storage services will now be protected with new encryption

Microsoft has added encryption safeguards to the webmail service and to the OneDrive cloud storage service, in part to better protect these consumer products from government snoops.

"Our goal is to provide even greater protection for data across all the great Microsoft services you use and depend on every day. This effort also helps us reinforce that governments use appropriate legal processes, not technical brute force, if they want access to that data," Matt Thomlinson, vice president, Trustworthy Computing Security, at Microsoft wrote in a blog post.

The move follows similar ones from other cloud computing providers. For example, Google announced end-to-end encryption for Gmail in April, including protection for email messages while they travel among Google data centers. It recently announced similar encryption for its Google Drive cloud storage service.

It's not clear from Microsoft's announcement whether the encryption protection it announced covers messages and OneDrive files as they travel within Microsoft data centers. It's also not clear what, if any, encryption OneDrive and have had until now. Microsoft didn't immediately respond to a request for comment.

Cloud computing providers like Microsoft, Google, Amazon and many others have been rattled by disclosures from former National Security Agency contractor Edward Snowden regarding government snooping into online communications, due to the effect on their consumer and business customers.

As a result, these companies have been busy boosting encryption on their systems, while also lobbying the U.S. government to stop the stealthy and widespread monitoring of Internet services.

In December, Microsoft announced it would roll out in the coming 12 months sweeping improvements in encryption across its consumer and enterprise cloud services, including, its Azure platform, Office 365 and other products. Tuesday's announcement is part of that ongoing effort.

Brad Smith, Microsoft's general counsel, wrote then that "we are especially alarmed by recent allegations in the press of a broader and concerted effort by some governments to circumvent online security measures -- and in our view, legal processes and protections -- in order to surreptitiously collect private customer data. In particular, recent press stories have reported allegations of governmental interception and collection -- without search warrants or legal subpoenas -- of customer data as it travels between customers and servers or between company data centers in our industry."

Smith went on to say that, if true, the situation threatens to "seriously undermine" the security and privacy of online communications, turning government snooping into "an advanced persistent threat alongside sophisticated malware and cyber attacks."

The company said Tuesday that inbound and outbound mail from is now protected with Transport Layer Security (TLS) encryption as it travels to and from Microsoft email systems. A caveat is that if there's another email service provider involved in the exchange it must also have implemented TLS on its end. Microsoft has been working with other large, international email service providers on efforts to get TLS more broadly adopted. also now has Perfect Forward Secrecy (PFS) encryption, which Thomlinson said uses a different encryption key for every connection, "making it more difficult for attackers to decrypt connections."

PFS support has also been added to OneDrive's website, mobile app and desktop sync clients. "As with's email transfer, this makes it more difficult for attackers to decrypt connections between their systems and OneDrive," he wrote.

Thomlinson also announced the opening of the first Microsoft Transparency Center at the company's Redmond, Washington, headquarters. These centers will let "participating governments" review source code for key Microsoft products and verify that they contain no "back doors," he wrote.

The intention seems to be to assure foreign governments that Microsoft isn't giving the U.S. government access to its cloud computing systems in order to let it spy on individuals, government agencies and businesses abroad.

The Redmond center is the first of several that Microsoft plans to open, including one in Brussels that was announced in January.

Juan Carlos Perez covers enterprise communication/collaboration suites, operating systems, browsers and general technology breaking news for The IDG News Service. Follow Juan on Twitter at @JuanCPerezIDG.

Join the CSO newsletter!

Error: Please check your email address.

Tags Microsoftsecurityinternet

More about Amazon Web ServicesGoogleIDGMicrosoftNational Security Agency

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Juan Carlos Perez

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place