Microsoft's former chief privacy adviser Caspar Bowden has said for years that he does not trust Microsoft as a company, nor does he trust its software. If a privacy expert who previously worked for Microsoft can't trust the company, should we? Well, at the 31st Chaos Communication Congress (31C3), Bowden presented The Cloud Conspiracy 2008 – 2014 (pdf).
Bowden served as Chief Privacy Officer at Microsoft for nine years, responsible for advising 40 National Technology Officers from different countries. During an internal strategy conference in 2011, with Microsoft deputy general counsel, cloud management personnel and the NTOs in attendance, Bowden warned, “If you sell Microsoft cloud computing to your own governments then this [FISA] law means that the NSA can conduct unlimited mass surveillance on that data.”
After that, Bowden said the deputy general counsel “turned green” and the room was dead silent. During the coffee break, Bowden was threatened with being fired. Two months later, Microsoft decided Bowden was redundant and fired him.
In Bowden’s presentation about 'The Cloud Conspiracy,' he explained that he’s not referring to the cloud as in storage, but the cloud as in data processing. “You cannot protect data in cloud computing,” he said.
His talk could basically be boiled down to one question: how likely is it, legally or technically, that data centers have secret doors for warrantless mass surveillance? Bowden explained how the 2008 changes to the Foreign Intelligence Surveillance Act Amendments Act (FISAAA) added the secret surveillance of remote computing services, aka the cloud. That surveillance, he said, doesn't have to be triggered by potential criminality or national security concerns, but is instead "purely political surveillance" of "ordinary lawful democratic activities."
Bowden is primarily talking about secret targeted cloud surveillance of non-US persons outside of the US; that's a whopping 95% of the world. In other words, the former Microsoft Privacy Chief said FISAAA means "If you are not American, you cannot trust U.S. software services." Even if the software started off cryptographically sound, software updates can be pushed through, pushed at you specifically because you are targeted, and those updates can subvert your security.
He added that any company choosing not to comply with a FISA order can be found in contempt of the Foreign Intelligence Surveillance Court (FISC). If someone in an American company were to tell a foreign data protection authority about the FISA order, then the individual or company could potentially be charged under the Espionage Act and face 20 years in prison…or worse.
In the synopsis of his lecture, Bowden wrote, “There is one law (FISA 702) and one policy (EO12333) which authorizes the US government to conduct mass surveillance on ‘foreigners in foreign lands’. These are drafted in terms which discriminate the privacy rights you have by the passport you hold - in fact there are no rights at all for non-Americans outside the US.”
Now get this: the slides explaining FISAAA and what happens if you don't comply with FISC have not changed from what Bowden presented pre-Snowden at the internal Microsoft cloud strategy meeting. You know, the one that ultimately resulted in Microsoft firing him for daring to tell the truth about its cloud services. Yet even the EU laughed off NSA cloud surveillance capabilities before the PRISM scandal.
The rest of his multidisciplinary talk deals with “national and international surveillance and privacy law, Five Eyes SIGINT policy, technical security and economics” as well as possible EU strategies and resolutions. Since PRISM, Bowden has come to believe that the only way to ensure cloud privacy is to have free and open source software running on locally hosted data centers. “The only possible resolution compatible with universal rights is data localization, or construction of a virtual zone in which countries have agreed mutual verifiable inspections that mass-surveillance is not occurring.”
Bowden describes the current political situation with the meta-panopticon slide below.
Since talk of alleged back doors in Microsoft products began, Microsoft's General Counsel Brad Smith has made it appear as if Microsoft is working hard on transparency and fighting the good fight to reform surveillance. Maybe that's true; maybe Microsoft simply hopes that trust in US services is not irreparably damaged. Bowden doesn't trust the company or its software, and he likely knows more secrets about Microsoft than we will ever know.
Despite Microsoft's current public position on mass surveillance and privacy, "The thoughts that Edward Snowden has put in the minds of the public cannot now be unthought," Bowden said.