Microsoft unveiled a raft of measures to counteract what it now characterizes as the “advanced persistent threat” of government snooping. It says these steps will “ensure governments use legal process rather than technological brute force to access customer data.”
As has been previously reported, this will include more widespread use of encryption in the company’s networks and systems. However, it also includes measures that specifically address the concerns of Microsoft’s international public-sector and business customers.
Notably, Microsoft will expand its Government Security Program, which allows governments to inspect the firm’s source code so they can check it doesn’t include any hidden backdoors for the benefit of U.S. intelligence and law enforcement agencies.
In a blog post, Microsoft General Counsel Brad Smith said:
“We will open a network of transparency centers that will provide these customers with even greater ability to assure themselves of the integrity of Microsoft’s products. We’ll open these centers in Europe, the Americas and Asia, and we’ll further expand the range of products included in these programs.”
Microsoft’s name has popped up repeatedly in the months following Edward Snowden’s revelations of global mass surveillance, mostly carried out by the Americans, the British and the Australians.
The company is alleged to give U.S. agencies early warning of vulnerabilities in its software before it patches those flaws, in theory giving those agencies a window of opportunity to exploit them. It also reportedly worked directly alongside the NSA to help the spies circumvent some of the encryption protecting its online communications services.
Now, as signs emerge that the NSA scandal is already threatening the revenues of U.S. tech vendors, Microsoft is trying to get back in the world’s good books. First up is that “advanced persistent threat” designation – while it doesn’t specifically call out the U.S. government, it does put such snooping in the same category as malware and “cyber attacks”.
Then there’s Microsoft’s newfound urgency in applying encryption across its systems. This is essential for an outfit moving into the cloud as Microsoft is doing, and indeed Smith noted that the firm already encrypts Outlook.com and Office 365 content when it’s being passed between Microsoft and its customers (of course, the Outlook.com encryption is the same encryption that Microsoft is alleged to have helped the NSA to compromise). Windows Azure storage is also now encrypted in transit.
Here’s what Smith promised on that front, characterizing this as an “acceleration” of Microsoft’s encryption plans:
- Customer content moving between our customers and Microsoft will be encrypted by default.
- All of our key platform, productivity and communications services will encrypt customer content as it moves between our data centers.
- We will use best-in-class industry cryptography to protect these channels, including Perfect Forward Secrecy and 2048-bit key lengths.
- All of this will be in place by the end of 2014, and much of it is effective immediately.
- We also will encrypt customer content that we store. In some cases, such as third-party services developed to run on Windows Azure, we’ll leave the choice to developers, but will offer the tools to allow them to easily protect data.
- We’re working with other companies across the industry to ensure that data traveling between services – from one email provider to another, for instance – is protected.
Smith also moved to reassure government and business customers that Microsoft will try to tell them if and when agencies are after their data.
“Where a gag order attempts to prohibit us from doing this, we will challenge it in court,” he wrote. “We’ve done this successfully in the past, and we will continue to do so in the future to preserve our ability to alert customers when governments seek to obtain their data. And we’ll assert available jurisdictional objections to legal demands when governments seek this type of customer content that is stored in another country.”
There has never been any conclusive evidence of backdoors existing in Windows or other Microsoft products, although rumors to that effect have circulated for years. There are certainly plenty of people in the tech industry – even Linux creator Linus Torvalds — who have been asked to insert backdoors in their products, though of course those who admit as much also say they turned the authorities down.