“Many of our customers have serious concerns about government surveillance of the Internet. We share their concerns. That’s why we are taking steps to ensure governments use legal process rather than technological brute force to access customer data.”
With those words, Microsoft general counsel Brad Smith announced the three-pronged countermeasures his company is implementing to foil government surveillance, which he dubbed an “advanced persistent threat” on the same level as malware and cyber-attacks: all-encompassing encryption, “reinforced” legal protections, and enhanced source code transparency.
While Yahoo and Google were the only two companies explicitly fingered in that report (and have since bolstered their own security efforts), Microsoft is taking steps to prevent similar intrusions.
“The idea that the government may be hacking into corporate data centers was a bit like an earthquake, sending shock waves across the tech sector,” Smith told The New York Times. “We concluded that we better assume that there might be such an attempt at Microsoft, or has already been.”
Going forward, Microsoft promises to encrypt all of Microsoft’s “key platform, productivity, and communications services”—Outlook.com, Office 365, SkyDrive, and Windows Azure are listed as specific examples—to protect data as it’s transferred between Microsoft and its customers, as well as the connections between Microsoft’s own data centers. The company also promises to encrypt customer content stored on Microsoft servers, and plans to work with other companies to ensure data moving between services stays secure.
Without getting specific, Smith says many of those protections are in place now, and all will be in effect by the end of 2014. The encryption itself will be “best-in-class industry cryptography,” including Perfect Forward Secrecy and 2048-bit RSA key lengths, two technologies that Twitter and Google also respectively implemented in recent months to foil NSA snooping.
Bolstering that, the chair of the Internet Engineering Task Force group developing HTTP 2.0 recently announced that the next-gen protocol will also only work with HTTPS-encrypted URLs.
More lawyers, more openness
The other countermeasures Microsoft is taking has less direct impact on everyday users, but will reassure the company’s corporate and government clients.
Smith says the company will notify “business and government customers”—note that consumers are explicitly not mentioned—if the government issues legal orders for their data, and Microsoft will challenge any gag orders it receives if the government attempts to block Microsoft from informing users about the requests. The ongoing legal fallout from secret government information requests shows those challenges won’t always be successful, but hey—at least they’re trying.
Microsoft’s also tackling another bugbear head-on. When it was recently revealed that the NSA spends billions to crack encryption efforts and install backdoors into software, speculation quickly raged that Microsoft software (such as Windows and BitLocker) were vulnerable, given the company’s close relationship with the U.S. government.
To squash that rumor, Smith announced that Microsoft will expand an existing program that allows government customers to review the source code of Microsoft software. While you and I still won’t be able to sneak a peek at Windows’ innermost secrets, Microsoft plans to open “transparency centers” in Europe, Asia, and North and South America to make it easier for government agents to vet its code, and will be adding more products to the program in coming months.
“We all want to live in a world that is safe and secure, but we also want to live in a country that is protected by the Constitution,” Smith wrote. “We want to ensure that important questions about government access are decided by courts rather than dictated by technological might.”