Encryption, Lawyers, and Openness: Microsoft Acts on NSA's 'Persistent Threat'

"We all want to live in a world that is safe and secure, but we also want to live in a country that is protected by the Constitution."

By Brad Chacos
Thu, December 05, 2013

PC World — "Many of our customers have serious concerns about government surveillance of the Internet. We share their concerns. That's why we are taking steps to ensure governments use legal process rather than technological brute force to access customer data."

With those words, Microsoft general counsel Brad Smith announced the three-pronged countermeasures his company is implementing to foil government surveillance, which he dubbed an "advanced persistent threat" on the same level as malware and cyber-attacks: all-encompassing encryption, "reinforced" legal protections, and enhanced source code transparency.

Encrypt it, encrypt it good

Microsoft already implemented HTTPS encryption for many of its services, but a recent leak provided by whistleblower Edward Snowden revealed that the NSA spies on connections between the data centers of technology companies to snatch unencrypted information "behind the curtain."

While Yahoo and Google were the only two companies explicitly named in that report (and have since bolstered their own security efforts), Microsoft is taking steps to prevent similar intrusions.

"The idea that the government may be hacking into corporate data centers was a bit like an earthquake, sending shock waves across the tech sector," Smith told The New York Times. "We concluded that we better assume that there might be such an attempt at Microsoft, or has already been."

The plan

Microsoft promises to encrypt all of its "key platform, productivity, and communications services"--Outlook.com, Office 365, SkyDrive, and Windows Azure are listed as specific examples--to protect data as it's transferred between Microsoft and its customers, as well as on the links between Microsoft's own data centers. The company also promises to encrypt customer content stored on Microsoft servers, and plans to work with other companies to ensure data moving between services stays secure.

Without getting specific, Smith says many of those protections are in place now, and all will be in effect by the end of 2014. The encryption itself will be "best-in-class industry cryptography," including Perfect Forward Secrecy and 2048-bit RSA key lengths, two measures that Twitter and Google, respectively, also implemented in recent months to foil NSA snooping.
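The two properties named above are checkable on any TLS deployment: forward secrecy is a property of the key exchange (ephemeral (EC)DH, so a later theft of the server's private key does not decrypt recorded sessions), while the 2048-bit figure is the size of the RSA key behind the server certificate and must be verified separately on the certificate itself. The script below is an added example written for this page, not Microsoft's configuration or code; the cipher string it applies is an assumption chosen to illustrate a forward-secrecy-only policy, and it uses only Python's standard `ssl` module so it runs offline.

```python
"""Check a TLS configuration for forward-secret key exchange.

Added illustration for this article; PFS_ONLY_CIPHERS is an assumed
policy string, not a setting taken from any Microsoft service.
"""
import ssl

# Assumed policy: TLS 1.2 suites limited to ephemeral (EC)DH key exchange
# with AEAD ciphers. TLS 1.3 suites are always forward secret and are
# governed by a separate OpenSSL setting, so they stay enabled as well.
PFS_ONLY_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL"


def classify_suite(name: str) -> str:
    """Classify an OpenSSL cipher-suite name by its key exchange.

    'pfs'    - ephemeral (EC)DH, authenticated: the session key cannot be
               recovered later from the server's long-term private key.
    'anon'   - ephemeral but unauthenticated (ADH/AECDH): forward secret,
               yet trivially man-in-the-middle-able, so never acceptable.
    'static' - the premaster secret is encrypted to the server's RSA key
               (or static DH), so anyone who later obtains that key can
               decrypt every captured session.
    """
    if name.startswith("TLS_"):            # TLS 1.3 suites always use (EC)DHE
        return "pfs"
    if name.startswith(("ADH-", "AECDH-")):
        return "anon"
    if name.startswith(("ECDHE-", "DHE-", "EDH-")):
        return "pfs"
    return "static"


def build_pfs_context() -> ssl.SSLContext:
    """Server context that refuses RSA key transport and pre-1.2 protocols."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PFS_ONLY_CIPHERS)
    return ctx


def suites_without_pfs(ctx: ssl.SSLContext) -> list:
    """Names of suites the context would still negotiate without forward
    secrecy, taken from OpenSSL's own key-exchange metadata ('kea') rather
    than from the suite name, so it also catches suites the name-based
    classifier does not know about."""
    return [c["name"] for c in ctx.get_ciphers()
            if c["kea"] not in ("kx-ecdhe", "kx-dhe", "kx-any")]


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Summarise a context: total suites offered and the non-PFS offenders."""
    offenders = suites_without_pfs(ctx)
    return {"offered": len(ctx.get_ciphers()),
            "non_pfs": offenders,
            "forward_secret_only": not offenders}


if __name__ == "__main__":
    # Hardened policy: expect no offenders.
    print(audit_context(build_pfs_context()))
    # Contrast with OpenSSL's defaults, which may still include static-RSA
    # suites such as AES128-GCM-SHA256 depending on the installed version.
    print(audit_context(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)))
```

Run it on the server side of a deployment to confirm the configured policy; to confirm the certificate side, inspect the leaf certificate's public key size (for RSA, at least 2048 bits) with the certificate tooling already in use, since `ssl` does not expose that from the context alone.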

Microsoft's moves echo what Google chairman Eric Schmidt recently prescribed to end government snooping in the next ten years: "The solution to government surveillance is to encrypt everything."

Bolstering that, the chair of the Internet Engineering Task Force working group developing HTTP 2.0 recently proposed that the next-gen protocol be used only over HTTPS-encrypted connections.

More lawyers, more openness

The other countermeasures Microsoft is taking have less direct impact on everyday users, but should reassure the company's corporate and government clients.


Originally published on www.pcworld.com.