In the midst of the NSA snooping scandal, Microsoft is talking up a three-pronged approach to keep customer data safe from the prying eyes of governments.
In a blog post, the company’s top lawyer pledges Microsoft will use more encryption, fight government demands for customer data and make its own source code available to the scrutiny of government customers.
While some of these measures are already in place and some won’t be available to all customers, they represent an effort to take a stand against government efforts - such as the NSA mass surveillance - to gather information about Microsoft customers, says the statement by Brad Smith, the general counsel and executive vice president for Microsoft’s legal and corporate affairs.
We want to ensure that important questions about government access are decided by courts rather than dictated by technological might.
— Microsoft general counsel Brad Smith
“Like many others, we are especially alarmed by recent allegations in the press of a broader and concerted effort by some governments to circumvent online security measures – and in our view, legal processes and protections – in order to surreptitiously collect private customer data,” Smith writes. “In particular, recent press stories have reported allegations of governmental interception and collection – without search warrants or legal subpoenas – of customer data as it travels between customers and servers or between company data centers in our industry… We want to ensure that important questions about government access are decided by courts rather than dictated by technological might.”
The new efforts being announced call for expanded use of encryption, taking a stronger stand against government demands for information and adding regional centers where government customers can examine Microsoft source code for security, he says.
Smith promises “a comprehensive engineering effort to strengthen the encryption of customer data across our networks and services,” which includes Windows Azure cloud services, Office 365, SkyDrive and Outlook.com. Some of the measures he promises are already in place, but the list includes encrypting customer-to-Microsoft as well as Microsoft data-center-to-data center communications, and calls for encrypting data at rest.
Microsoft partners whose applications are available through Azure will have the option to encrypt or not, but Microsoft will provide tools for them to do so easily, Smith says.
He doesn’t specify what encryption will be used other than to say in some cases it will include perfect forward secrecy and encryption keys of 2048 bits, which is the same length it recommends its customers use. He says Microsoft is making an effort to enlist cooperation of third parties to protect data moving between services, such as email traveling from one provider to another.
Some of the work is already done. Customer data in Office 365 and Outlook.com customer is already encrypted between customers and Microsoft. Most Office 365 traffic and Windows Azure storage is encrypted between data centers, he says.
On the legal front, Microsoft says it will notify customers when it receives legal orders to release their data. If the orders call for keeping the action secret, the company will challenge the orders in court, he says, something it has done in the past. If the data is stored in other countries, Microsoft will assert objections that the requesting government has no jurisdiction over the data, he says.
“Except in the most limited circumstances,” Smith writes, “we believe that government agencies can go directly to business customers or government customers for information or data about one of their employees – just as they did before these customers moved to the cloud – without undermining their investigation or national security. And when those limited circumstances arise, courts should have the opportunity to review the question and issue a decision.”
As for transparency, corporate customers will gain no benefits, but Smith says Microsoft will expand its program of letting government customers review its source code in order to assure themselves there are no security back doors. Network transparency centers will be opened in Europe, Asia and the Americas to give government customers a greater ability to run assurance tests.
Tim Greene covers Microsoft and unified communications for Network World and writes the Mostly Microsoft blog. Reach him at firstname.lastname@example.org and follow him on Twitter@Tim_Greene.