Microsoft Condemns US Government As An “Advanced Persistent Threat”

28

I remember 2007 like it was yesterday when there was euphoria in the air around the concept of “hope and change.”  Fast forward six years, a sluggish economy has left many with just a little change in their pockets and one of America’s most successful corporations is condemning its own government as an “Advanced Persistent Threat.”

Whistleblower Edward Joseph Snowden was an American computer specialist, a former CIA employee, and former NSA contractor who disclosed over 200,000 classified documents to journalists Glen Greenwald and Laura Poitras. Details released from the cache have revolved primarily around the United States’ NSA mass surveillance program, named PRISM, and to a lesser extent, its counterparts such as the British GCHQ, Israel’s ISNU, the CSE in Canada, the ASIS in Australia and Norway’s NIS.  These leaks proved to be quite embarrassing for the US government and the program appears to be unconstitutional.

The leaks have also been harmful to many US based corporations, Yahoo, Google, Apple, Microsoft, and many other who supposedly willingly participated in the NSA surveillance program.  All of these companies have denied willingly participating in government program and claim they only provided information when they have received a court order. Many governments and international companies have been hesitant to use cloud services from US based companies in fear that the NSA may be spying on sensitive information.  Another invasive US law, the patriot act, is understandably a great concern to these companies as well.

Microsoft has begun to combat some of these issues by physically building datacenter located in specific countries, giving an option for customers to not have their information ever leave that datacenter.  In a post today by Microsoft’s Chief General Counsel Brad Smith, he promises a number initiatives the company is taking to protect customer data mostly revolved around transparency and strengthening encryption:

Many of our customers have serious concerns about government surveillance of the Internet.

We share their concerns. That’s why we are taking steps to ensure governments use legal process rather than technological brute force to access customer data.

Like many others, we are especially alarmed by recent allegations in the press of a broader and concerted effort by some governments to circumvent online security measures – and in our view, legal processes and protections – in order to surreptitiously collect private customer data. In particular, recent press stories have reported allegations of governmental interception and collection – without search warrants or legal subpoenas – of customer data as it travels between customers and servers or between company data centers in our industry.

If true, these efforts threaten to seriously undermine confidence in the security and privacy of online communications. Indeed, government snooping potentially now constitutes an “advanced persistent threat,” alongside sophisticated malware and cyber attacks.

In light of these allegations, we’ve decided to take immediate and coordinated action in three areas:

    • We are expanding encryption across our services. 
    • We are reinforcing legal protections for our customers’ data. 
    • We are enhancing the transparency of our software code, making it easier for customers to reassure themselves that our products do not contain back doors.

Here’s a closer look at what we’re doing:

Expanding Encryption

For many years, we’ve used encryption in our products and services to protect our customers from online criminals and hackers. While we have no direct evidence that customer data has been breached by unauthorized government access, we don’t want to take any chances and are addressing this issue head on. Therefore, we will pursue a comprehensive engineering effort to strengthen the encryption of customer data across our networks and services.

This effort will include our major communications, productivity and developer services such as Outlook.com, Office 365, SkyDrive and Windows Azure, and will provide protection across the full lifecycle of customer-created content. More specifically:

    • · Customer content moving between our customers and Microsoft will be encrypted by default. 
    • · All of our key platform, productivity and communications services will encrypt customer content as it moves between our data centers. 
    • · We will use best-in-class industry cryptography to protect these channels, including Perfect Forward Secrecy and 2048-bit key lengths. 
    • · All of this will be in place by the end of 2014, and much of it is effective immediately. 
    • · We also will encrypt customer content that we store. In some cases, such as third-party services developed to run on Windows Azure, we’ll leave the choice to developers, but will offer the tools to allow them to easily protect data. 
    • · We’re working with other companies across the industry to ensure that data traveling between services – from one email provider to another, for instance – is protected.

Although this is a significant engineering effort given the large number of services we offer and the hundreds of millions of customers we serve, we’re committed to moving quickly. In fact, many of our services already benefit from strong encryption in all or part of the lifecycle. For example, Office 365 and Outlook.com customer content is already encrypted when traveling between customers and Microsoft, and most Office 365 workloads as well as Windows Azure storage are now encrypted in transit between our data centers. In other areas we’re accelerating plans to provide encryption.

Reinforcing Legal Protections

We also will take new steps to reinforce legal protections for our customers’ data. For example, we are committed to notifying business and government customers if we receive legal orders related to their data. Where a gag order attempts to prohibit us from doing this, we will challenge it in court. We’ve done this successfully in the past, and we will continue to do so in the future to preserve our ability to alert customers when governments seek to obtain their data. And we’ll assert available jurisdictional objections to legal demands when governments seek this type of customer content that is stored in another country.

Except in the most limited circumstances, we believe that government agencies can go directly to business customers or government customers for information or data about one of their employees – just as they did before these customers moved to the cloud – without undermining their investigation or national security. And when those limited circumstances arise, courts should have the opportunity to review the question and issue a decision.

Increasing Transparency

Just as we’ve called for governments to become more transparent about these issues, we believe it’s appropriate for us to be more transparent ourselves. We’re therefore taking additional steps to increase transparency by building on our long-standing program that provides government customers with an appropriate ability to review our source code, reassure themselves of its integrity, and confirm there are no back doors. We will open a network of transparency centers that will provide these customers with even greater ability to assure themselves of the integrity of Microsoft’s products. We’ll open these centers in Europe, the Americas and Asia, and we’ll further expand the range of products included in these programs.

Ultimately, we’re sensitive to the balances that must be struck when it comes to technology, security and the law. We all want to live in a world that is safe and secure, but we also want to live in a country that is protected by the Constitution. We want to ensure that important questions about government access are decided by courts rather than dictated by technological might. And we’re focused on applying new safeguards worldwide, recognizing the global nature of these issues and challenges. We believe these new steps strike the right balance, advancing for all of us both the security we need and the privacy we deserve.

Source: Brad Smith

Fun Reading: What Happened To Edward Snowden by technology columnist John C. Dvorak

About Author

Suril is a scientist, journalist and obsessive Microsoft observer. He holds an advanced degree in Biotechnology with minors in Biochemistry, Microbiology, and Molecular Biology. Send him tips on twitter: http://www.twitter.com/surilamin

  • http://ardhagp.com/ Ardha Gp

    little bit late, but.. better than nothing. i hope this action will increase consumer trust.

    • 0bamasnought

      I really don’t agree. Microsoft is pushing Amnesty for Criminal Aliens, as well as for more H1-B’s, when there are over 8000 unemployed IT professionals in King County alone. And maybe we should talk about the surplus of STEM grads who can’t find jobs in their fields.

      But I can’t figure out why there’s a picture of Peter Boyle in this article.

      He really rocked in Young Frankenstein.

      • http://ardhagp.com/ Ardha Gp

        haha.. i think you were right about picture of peter boyle in this article, i’ve just bing it.

        • 0bamasnought

          Those are other things that you may Bing.
          It may have escaped your attention, but the US has an employment problem.
          A dearth of jobs, and an surplus of skilled labor.

          • http://ardhagp.com/ Ardha Gp

            hehe..yeah i forgot about that, thank you for the clue, i’ll dig it.

  • SategB

    Ironic thing is that companies like MSFT, Google, and Facebook has more private information on us then the Government and most people do not even think twice about it. The Government wouldn’t be able to collect the info from these companies if we was not so willing to give it to them.

    • kid92x

      Exactly man lol reading my ethics for the information age book for class, people would faint at the knowledge of how much info Corporations collect from us. Scary almost how in 10 minutes someone with your phone number can look up your address, all info about where you live, when you bought your house for how much etc.. but is the price we pay to use such services as yellowpages, Zillow, and so on.
      The Govt’ just has the power to pick at these huge Corporations and use their data for w.e reason they consider ‘good enough’ to pose a threat -_-
      That’s not even touching all the databases that Cops and the FBI have access to, people would freak out if they ever read this book lol

      • Pmormr

        Good luck living in the modern age without access to email or a cell phone.

  • pdouglas

    One thing people need to realize, it is not the NSA which is the threat to over reaching public cloud computing per se, it is human nature. The impulse that has driven the NSA to invade our privacy, resides in all of us: including people at Microsoft, Google, Yahoo!, etc. At any point, rogue employees or management may come to the conclusion they have a legitimate reason to abuse our privacy and data, and then we are all screwed. This is precisely why we should not overly trust others with our data. NEVER hand over confidential data to others when their is a potential that they can turn around and use it against you. In the words of Gandalf the Grey, “Keep it hidden. Keep it safe!”

    The notion that one day virtually all data will be stored in the public cloud is utterly stupid. If you have a brain in your head, recognize human nature for what it is: people / institutions go back on their word all the time, and you should avoid making yourself vulnerable to this form of human weakness. Keep your sensitive information off of the cloud – unless you have a thing for Russian Roulette!

  • mag

    This is most likely a move for more market share from Microsoft’s perspective. Why would their users continue to use their product if they felt a very basic level of violation of privacy? There have been past reports of Microsoft’s correspondence with data collection, either with a government or private entity, so why would it bother the company so much unless it hurt a basic principle of the company to be a competitor in the computing market? This news seems to be just a public relations stunt to tell the public that Microsoft ‘cares’.

    “We’re therefore taking additional steps to increase transparency by
    building on our long-standing program that provides government customers
    with an appropriate ability to review our source code, reassure
    themselves of its integrity…”, what is a ‘government customer’? Are they saying that they are trying to protect consumers while still participating with the entity that has no problem with violating consumer’s basic rights for their own investigations?

    All in all, big technology companies based in the U.S. can always tell you that they ‘care’, but unless you are able to have power in being able to see for yourself what they have done, the companies will always at some point be vulnerable to handing over sensitive data to the people pointing the gun at either their heads or their income.

    Of course, it isn’t just Microsoft who may take these precautions to regain footing within the public market space. Basically all of the companies outed by the NSA surveillance documents (Google, Apple, Yahoo, Facebook, etc.) would be under stress from the public with regards to (at least) privacy concerns. And it will always be a continuous battle with this relatively young and powerful advancement in human history, between public and private entities, to achieve a balance of acceptable behavior on both sides.

    Remember Aaron Swartz and others. Don’t forget the atrocious measures of acts like CISPA, SOPA, DMCA, and CFAA. Support open source initiatives. And please educate yourself on technological issues so that the public may make intelligent decisions for itself now and into the future.

    • QuestionItAgain

      Microsoft should declare their support for Snowden’s actions. THAT would be saying something. Especially when all the corporate news, which is nothing more than a corporate delivery system, is claiming Snowden to be a traitor. It’s shameful. Aaron Schwartz didn’t kill himself.

  • Giant Pink

    I hope you mean this Microsoft because I would really like to be friends with you again.

    • nohone

      Who do you use now? Google?

      Microsoft gives your info to the NSA when they are required to by law.
      Google gives your info to the NSA when they are required to by law, they also sell your information to anyone willing to pay for it, they use your information to track you, and use your information to sell ads that are pushed to you.

      Who would you prefer to be friends with? One that gives you stuff, or one that uses you, squeezing the last bit out of you that they possibly can?

  • LarryCohen2014

    This is all damage control and PR spinning. Microsoft was the first company to join PRISM and was the company that gave NSA all the private encryption keys to their online services. They also bought Skype so the NSA could tap it.

    DO NOT trust anything that Microsoft is saying. They’re almost as bad as Google!

    • Emi the Strange

      dont trust anything that Microsoft is saying, but i have to trust a random person like you about what you are saying? oh yeah that makes sense /s

    • nohone

      “They also bought Skype so the NSA could tap it”

      The rest was just tin-foil hat paranoid ranting, but with that line you slipped into full on crazy. Since 2005 Skype has been a US owned company, why would Microsoft spend $8.5 billion simply to aid the NSA?

      Seriously, do you people actually think at all before you write this crap?

      • Guest

        This coming from the guy who so paranoid he thinks some Android phone user is going to track him down to shout dirty names at him or something…LOL

    • Zdenko

      What is really disconcerning is the fact MSFT made no mention of Skype encryption policy. Their less then openness on this issue taints their words about anything regarding security.

  • Hans-Christian Andersen

    That’s cute. Microsoft is huffing and puffing about the govt tapping into their systems, but are happy to hand data over when asked as well as breaking privacy on Skype, so that they can tap into peoples conversations.

    • nohone

      If they are asked through a court order, they will hand over the data, just like Google, Apple, Yahoo, and every other company with operations in the US will do. That is the way the law works, and there needs to be a reason to get that court order. At least Microsoft is making it harder for the govt. while the others are doing nothing.

      • Dyksm

        Twitter has been rather active in fighting court orders, and has one several times.

  • BeaveVillage

    Microsoft’s had backdoor access into PC’s since the mid 90’s, but they never exploited it like the US Government has in recent years. Microsoft condemning a Democrat Administration, someone take a picture, it’s likely not even MSNBC will report this.

  • r00t

    Right, let the government check your software for their own back doors.
    Killin me…

    “We’re therefore taking additional steps to increase transparency by building on our long-standing program that provides government customers with an appropriate ability to review our source code, reassure themselves of its integrity, and confirm there are no back doors.”

    • Dykam

      That is of course to let other governments check, which are currently extremely hesitant.

  • ez

    Microsoft will stop when the NSA starts charging them for the data instead of paying for it.

  • Pingback: Et Tu, Microsoft? | Extrano's Alley, a gun blog

  • Michael Lombardo

    Didn’t Microsoft already whore for these guys? A little late to claim virginity.

  • QuestionItAgain

    HEY, people gave the government the benefit of the doubt after 911, regarding security. Then they realized, after forgiving the Feds over and over, the Feds were creating policy for corporate interest. Then companies realized The People wanted the Constitution MORE than the Patriot Act. It’s that simple. We live and learn. It’s time to stop the NSA.