Microsoft (MSFT) joined a growing number of IT giants, including Facebook (FB), Google (GOOG), Mozilla, Twitter (TWTR) and Yahoo (YHOO), that are making loud gestures about overhauling security to ward off unauthorized government surveillance aimed at obtaining private customer data.
Perhaps prodded by public disclosures that the National Security Agency (NSA) circumvented security to intercept data traversing its data centers, Microsoft said on Dec. 4 it will tighten its encryption practices, notify users of legal requests for their data and open its source code to re-examination through what it called “transparency centers” to close back doors in its software.
The vendor went so far as to classify the NSA’s eavesdropping as an “advanced persistent threat,” a phrase typically reserved for malware and hacking owing to the intruder's undetected mining of information over an extended period of time.
“Many of our customers have serious concerns about government surveillance of the Internet,” wrote Brad Smith, Microsoft Legal and Corporate Affairs general counsel and executive vice president, in a blog post. “We share their concerns. That’s why we are taking steps to ensure governments use legal process rather than technological brute force to access customer data.”
Smith said Microsoft will begin tightening encryption immediately across its Outlook, Office 365, SkyDrive and Windows Azure platforms, with all measures in place by the close of 2014. Encryption enhancements will include:
- Encrypting content moving between customers and Microsoft
- Encrypting customer content moving between its data centers across platform, productivity and communications products
- Upgrading to state-of-the-art cryptography
- Encrypting the customer content that Microsoft stores and offering its security tools to third-party developers
Smith said Microsoft is enacting the encryption enhancements proactively and will collaborate with other IT companies to safeguard data traveling between services.
“While we have no direct evidence that customer data has been breached by unauthorized government access, we don't want to take any chances and are addressing this issue head on,” he wrote.
More Security Measures
Microsoft also said it will open more doors for government customers to examine the source code of its software, adding to an existing program with a network of what Smith called “transparency centers” in the Americas, Asia and Europe for public sector agencies to “assure themselves of the integrity of Microsoft’s products.”
While he didn’t provide any additional details on the number of such facilities Microsoft will open or if it will restrict who gets to scrutinize its source code, he said the vendor will include more of its products in the effort over time.
“Just as we’ve called for governments to become more transparent about these issues, we believe it’s appropriate for us to be more transparent ourselves,” Smith wrote. “Ultimately, we’re sensitive to the balances that must be struck when it comes to technology, security and the law.”
In addition, Microsoft will notify business and government customers if it receives legal requests for their data, and will challenge in court any gag orders seeking to prevent it from doing so, Smith said.
“We’ve done this successfully in the past, and we will continue to do so in the future to preserve our ability to alert customers when governments seek to obtain their data,” he wrote, adding that Microsoft will extend similar efforts to data stored offshore.
Is It Enough?
Protecting data from intrusion is not a new ideal for any IT company and privacy is an age-old concern, but the extent to which IT giants are proceeding in tandem to publicize their security intentions to impede back-door government surveillance is unprecedented. The idea, of course, is to make governments or businesses proceed through the courts to obtain customer data rather than snooping on their data centers.
“Except in the most limited circumstances, we believe that government agencies can go directly to business customers or government customers for information or data about one of their employees—just as they did before these customers moved to the cloud—without undermining their investigation or national security,” Smith said.
Do Microsoft's and other IT vendors’ planned security changes go far enough? Will they reassure users that the companies are doing all they can to cocoon customers from government data spying?