Microsoft, Skype and other online service providers regularly tell their customers that customer privacy is "our priority." Perhaps they should add a disclaimer, that orders from the federal government seeking surveillance of those customers are a higher priority.
The latest revelations from the files of Edward Snowden, the self-described National Security Agency (NSA) whistleblower, show that Microsoft, "collaborated closely with U.S. intelligence services to allow users' communications to be intercepted, including helping the NSA to circumvent the company's own encryption," according to The Guardian.
Snowden, a former Booz Allen Hamilton employee who worked as a contractor to the NSA, leaked a trove of classified documents to The Guardian and the Washington Post last month, and is now reportedly hiding out in the Moscow airport, seeking asylum in a number of countries in an effort to avoid arrest by the U.S. Justice Department.
The Guardian reported that those documents show that Microsoft helped the NSA circumvent encryption to intercept web chats on the Outlook.com portal, and to get easier access to its cloud storage service, SkyDrive, which has more than 250 million users worldwide. The agency already had access to Outlook.com and Hotmail.
They also show that, "In July last year, nine months after Microsoft bought Skype, the NSA boasted that a new capability had tripled the amount of Skype video calls being collected through Prism (a top-secret program to collect data from Internet service providers); Material collected through Prism is routinely shared with the FBI and CIA, with one NSA document describing the program as a 'team sport.'"
Microsofts response, in a statement, was that it provides customer data to the federal government only in response to "lawful demands & and we only ever comply with orders for requests about specific accounts or identifiers."
But, the simple online reality is that when the government makes "lawful demands" for information, those companies are "duty bound" to provide access to the government, said Steve Weis, CTO of encryption vendor PrivateCore.
U.S. government officials, from President Obama down through the heads of intelligence services, have emphasized that there are safeguards in place to limit data collection, and that the emails and phone calls of U.S. citizens are not being monitored in real time.
But, as has been reported many times in the last month, the Foreign Intelligence Surveillance Act (FISA) court routinely approves the collection of communications on citizens without a warrant if the NSA has a 51 percent belief that the target is not a U.S. citizen or is not in the U.S. at the time.
Privacy advocates like the Electronic Frontier Foundation (EFF) have argued for years that the government is abusing the laws that permit limited online surveillance in the hope of tracking suspected terrorists.
"The government has painted all this with a veneer of legality," said Trevor Timm, a digital rights analyst at EFF, "but in our minds, there is a huge question about whether it is lawful and constitutional. Even the author of the Patriot Act (U.S. Rep. Jim Sensenbrenner, R-Wisc.), says the phone metadata collection violates the law that he wrote."
Indeed, Sensenbrenner was quoted recently saying that the law was never intended to permit the kind of dragnet collection now ongoing, but to prevent it. He has said those defending it are, "spewing a bunch of bunk."
Rebecca Herold, CEO of The Privacy Professor, agrees that, "it certainly seems they are stretching applicability of the laws beyond the limits of their intentions," but added that part of the problem is that the laws, "were already written in a very vague and subjective manner."
Timm said EFF has "huge problems with this law because it is targeted at groups instead of individuals. It's using a lower threshold than probable cause. And these cases are decided by the FISA court in complete secrecy with no opposing counsel, so there is no pushback. Beyond that, the authority of the FISA court is through sweeping legal opinions on the Fourth Amendment that the public hasn't seen. We just think that's not democratic."
Timm said privacy advocates are not at all surprised at the recent revelations, but said they carry more weight because they are not just the statements of whistleblowers, but actual government documents. He said that might allow cases challenging the law, and the interpretation of it, to go forward.
Herold said she is surprised that Microsoft agreed to decryption, which she said amounts to "tampering with files. That would be like not only stealing someone's locked diary, but also then taking it to the manufacturer of the diary and having them break the lock open for you."
Weis and Todd Thiemann, PrivateCore's vice president of marketing, said the company takes no position on the legitimacy of the laws now being used to compel online providers to allow government surveillance. But, Weis said there is at least a way for end users to make the government come directly to them, rather than get their information from a service provider without their knowledge. His firm, through the use of virtualization and cryptography, "can take an untrusted server and create a secure environment on the CPU. The rest of the system can be compromised, but you'll still be protected."
That, he said, means the end user not only has the encryption keys, but that the government cannot get access to them by taking a snapshot of the server's memory.
"The government can still demand the information," he said, "but they have to come knocking on your door to do it, so at least you'll know."
Herold said it would be difficult to stop using Microsoft, "if your systems are all from Microsoft and all your applications you need to use run on Windows. However, this does point to the need to consider using security and privacy add-on products that come from other vendors instead of using the security and privacy tools embedded within Microsoft systems."
Trevor Timm said there are ways for individuals to make it more difficult for the government, through the use of online anonymity services like Tor and PGP encryption. But he said they can be "cumbersome and very user unfriendly."
"The answer is to require the NSA to allow people to have real privacy," he said.