Microsoft is taking some extra steps to protect private customer data from being scooped up by controversial government surveillance methods.
These steps include expanded encryption across networks and services, more legal protections, and increased transparency of software code to reassure anxious customers that Microsoft products do not have “back doors.”
The moves may not be as extensive as some privacy advocates would like, but are certainly a step in the right direction as pressure is increasingly put on tech companies to ensure consumer privacy. Otherwise, Microsoft could potentially lose business to more secure companies.
Microsoft’s changes come as other tech companies, too, are increasing their security and encryption. Google, Yahoo, Mozilla, Twitter and Facebook are just a few examples.
In addition, Microsoft has released what appears to be its strongest statement ever in response to efforts by the United States and other governments worldwide to collect user data through controversial methods.
Though the statement did not specify recent allegations involving US spy agencies, it can be assumed it comes in response to the controversy surrounding such groups.
In the blog post, Brad Smith, Microsoft’s general counsel and executive vice president for legal and corporate affairs, said that the moves are in response to the large number of customers who hold “serious concerns about government surveillance of the Internet.”
“We share their concerns,” he wrote in the post. “That’s why we are taking steps to ensure governments use legal process rather than technological brute force to access customer data.”
Microsoft is just one of several tech companies which may have been the targets of US surveillance efforts. According to The Washington Post, Yahoo, Google, Facebook, Paltalk, AOL, Skype, YouTube, Apple, and Microsoft all allegedly gave the U.S. National Security Agency (NSA) permission to access their servers. Unsurprisingly, each company quickly denied any complicity.
More recently, news organizations have reported that access to customer data from Yahoo and Google was made via fiber-optic cables. The New York Times reported that the cables, which are owned by still other providers, are a “weak spot” for the tech companies.
In Microsoft’s statement this week, Smith cited other news reports that point to government efforts to “circumvent online security measures – and in [Microsoft’s] view, legal processes and protections – in order to surreptitiously collect private customer data” without any search warrants or subpoenas.
He compared the surveillance to malware and cyber-attacks, and labeled such methods “advanced persistent threats.”
However, he did say there is “no direct evidence that [Microsoft] customer data has been breached by unauthorized government access.”
The company’s expanded encryption will cover Outlook.com, Office 365, SkyDrive, Windows Azure, and “customer content moving between our customers and Microsoft.” The same content will be encrypted while traveling to and from data centers. Among the encryption methods to be used by Microsoft are Perfect Forward Secrecy and 2048-bit key lengths. Some of these protections are now in place, while the rest will be in place by 2014.
In addition, Microsoft said it will notify its business and government customers if there are legal orders sent to the company about data. However, there are some limitations.
“Where a gag order attempts to prohibit us from doing this, we will challenge it in court. We’ve done this successfully in the past, and we will continue to do so in the future to preserve our ability to alert customers when governments seek to obtain their data,” he said.
“Except in the most limited circumstances, we believe that government agencies can go directly to business customers or government customers for information or data about one of their employees – just as they did before these customers moved to the cloud – without undermining their investigation or national security,” he added. “And when those limited circumstances arise, courts should have the opportunity to review the question and issue a decision.”
While the company’s efforts are global, its statements are clearly related to recent surveillance methods by the NSA. European leaders in particular have expressed outrage over the NSA’s alleged activities. Yet some governments, such as India, want to learn more about these methods to utilize them in their own countries. India and the United States argue increased surveillance will lower the risk of terrorism.
Tech companies are somewhat stuck in the middle of the debate. Like any business, they tend to want to avoid controversy. They also do not want to lose market share because of lax responses.
“We all want to live in a world that is safe and secure, but we also want to live in a country that is protected by the Constitution,” Smith said. “We want to ensure that important questions about government access are decided by courts rather than dictated by technological might. We believe these new steps strike the right balance, advancing for all of us both the security we need and the privacy we deserve.”
Edited by Blaise McNamee