Microsoft pushes back against surveillance
The company plans to strengthen encryption of customer data and take a more active role in challenging efforts to collect information on users.
Microsoft officials say they are taking steps to guarantee that governments -- including the United States -- follow legal processes rather than use what the company's top lawyer called "brute force" to access data about its customers.
The company plans to strengthen encryption of customer data and take a more active role in challenging efforts to collect information on its users. It will also be more active in informing customers when data is requested. In addition, Microsoft will expand customers' access to source code to allay concerns that built-in "back doors" exist to allow law enforcement and intelligence agencies to access the information.
"Indeed, government snooping potentially now constitutes an 'advanced persistent threat,' alongside sophisticated malware and cyberattacks," Microsoft General Counsel Brad Smith wrote in a Dec. 4 blog post.
Smith's post does not mention the National Security Agency or the U.S. government by name, but it does acknowledge concerns about reports of "governmental interception and collection -- without search warrants or legal subpoenas -- of customer data as it travels between customers and servers or between company data centers in our industry."
Microsoft has been deeply enmeshed in the U.S. government's information-mining efforts. According to documents leaked by former NSA contractor Edward Snowden, Microsoft gave the agency and the FBI access to information on users of the company's Outlook.com email service, SkyDrive storage service and Skype videoconferencing network.
Smith said the company will be more skeptical about governments' requests for personal information and data stored by its cloud customers.
"Except in the most limited circumstances, we believe that government agencies can go directly to business customers or government customers for information or data about one of their employees -- just as they did before these customers moved to the cloud -- without undermining their investigation or national security," Smith wrote.
Microsoft also plans to use applicable foreign laws when appropriate to resist data-collection attempts made outside established legal processes, which appears to be a nod to European customers who store material in data centers that are subject to the sometimes more stringent privacy protections of European law.
Daniel Castro, a senior analyst at the Information Technology and Innovation Foundation, said U.S.-based cloud vendors will have to go the extra mile to assure foreign customers that their data is safe from bulk collection. In August, he published a report that estimates NSA surveillance could cost U.S. cloud providers $22 billion to $35 billion over the next three years.
Castro said he expects more companies to follow Microsoft's lead in making privacy protection a selling point for customers. But he worries that NSA surveillance "is turning the Internet into a third-world country" in which each company is responsible for its own security. "The government is creating more risk, and that's a cost to everyone else," Castro told FCW.