Saying that governments must use the “legal process rather than technological brute force to access customer data,” Microsoft announced it’s taking steps to protect its customers’ data from government snooping.
In doing so, Microsoft characterized the reported actions of some governments as a “persistent threat” akin to sophisticated malware and cyber attacks.
Microsoft’s actions follow reports that the U.S. National Security Agency was intercepting traffic inside Google’s and Yahoo’s private networks, and fears that the NSA may have broken into Microsoft’s global communications links as well, according to a Washington Post report.
The actions Microsoft is taking, outlined last night in a blog post from General Counsel Brad Smith, fall largely into three areas:
- Expanding encryption across its various services: Microsoft says it has no direct evidence that its customers’ data have been breached by unauthorized government access but that it’s taking measures to enhance encryption across its services such as Outlook.com, Office 365, SkyDrive and Windows Azure. Among the measures: encrypting by default content moving between Microsoft and its customers, encrypting content moving between Microsoft’s data centers, and encrypting customer content that it stores. Microsoft said many of the measures are in place already while the rest will be in place by the end of 2014.
- Reinforcing legal protections for its customers’ data: Microsoft says it will continue its practice of notifying its business and government customers if it receives legal orders related to their data, or will challenge the orders in court if there are gag orders preventing Microsoft from notifying its customers.
- Enhancing transparency of its software code, which, Microsoft says, makes it “easier for customers to reassure themselves that our products do not contain back doors.” Microsoft already has a program that allows its government customers to review its source code to confirm there are no back doors, Smith said. The company will now open a “network of transparency centers that will provide these customers with even greater ability to assure themselves of the integrity of Microsoft’s products” and will expand the product range covered in these programs.
Smith explained why Microsoft took these actions, saying in part:
Like many others, we are especially alarmed by recent allegations in the press of a broader and concerted effort by some governments to circumvent online security measures – and in our view, legal processes and protections – in order to surreptitiously collect private customer data. In particular, recent press stories have reported allegations of governmental interception and collection – without search warrants or legal subpoenas – of customer data as it travels between customers and servers or between company data centers in our industry.
If true, these efforts threaten to seriously undermine confidence in the security and privacy of online communications. Indeed, government snooping potentially now constitutes an “advanced persistent threat,” alongside sophisticated malware and cyber attacks.