July 16, 2013 at 7:49 AM
Microsoft reportedly gave NSA a backdoor to Hotmail, Outlook.com, SkyDrive
While we were all distracted by the upheaval of Microsoft’s Red Wedding reorg, I missed this report from the Guardian: Microsoft gave the NSA back-door access to its email service Outlook.com before it even launched last year.
Citing new documents Edward Snowden provided to the Guardian, the report said that Microsoft gave the NSA access to chats on Outlook.com, pre-encrypted emails from Outlook.com and Hotmail, SkyDrive and Skype video calls.
Information from SkyDrive and Skype went to Prism, and that data was shared with the FBI and the CIA; one NSA document the Guardian saw described it as a “team sport.”
I have asked Microsoft whether it has a comment on this report and will update this post when I hear back. (And check out this Associated Press interactive graphic on the global chase for Snowden, aka the Bourne Privacy.)
If true, the Guardian report contradicts Microsoft’s early protestations that it only responded to specific requests for information. Here is the statement Microsoft gave to our business news reporter Janet Tu on June 6, which she quoted in a Microsoft Pri0 blog post:
“We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don’t participate in it.”
The Guardian report says there were situations where Microsoft worked with the FBI for months to allow broad entry to SkyDrive, an online file-storing service, so that intelligence analysts would no longer have to make specific requests for access.
I’m a cynic on privacy. Before the revelations from Snowden, I already believed privacy was dead — I voluntarily and knowingly gave it up in exchange for free Web services. I share my personal information with Facebook so I can connect to its social network. I allow Google to read all my communication because I want free email. I understand that Google wants to make money selling ads based on words in my email. It’s one of the reasons I no longer have an Android phone. I don’t want Google connecting my phone calls and my location data with my search terms at my computer and email.
But intelligence agencies getting broad access to this information is another matter.
Microsoft has long tried to distinguish itself from Google as stronger on privacy protections. The company loudly proclaimed its Do Not Track features built into the browser Internet Explorer. This report blurs that marketing distinction.
The other thing to keep in mind while technology companies claim they want to say more about Prism but can’t: They are all angling for government contracts. Amazon.com and Microsoft want to sell government the very cloud services needed to process all this massive data.
Google and Microsoft are competing fiercely to provide email and other software services to federal agencies. This is from way back, but in 2010 Google was so annoyed about the USDA choosing Microsoft that it sued the government. Here is my 2010 news report on the lawsuit.
Read the Guardian report. It’s eye opening.
Update 11:35 a.m.:
Microsoft provided a statement (the same one that’s in the Guardian report) denying that it gave the government blanket access to SkyDrive, Outlook.com, Skype or any Microsoft product.
“We have clear principles which guide the response across our entire company to government demands for customer information for both law enforcement and national security issues. First, we take our commitments to our customers and to compliance with applicable law very seriously, so we provide customer data only in response to legal processes. Second, our compliance team examines all demands very closely, and we reject them if we believe they aren’t valid. Third, we only ever comply with orders about specific accounts or identifiers, and we would not respond to the kind of blanket orders discussed in the press over the past few weeks, as the volumes documented in our most recent disclosure clearly illustrate. To be clear, Microsoft does not provide any government with blanket or direct access to SkyDrive, Outlook.com, Skype or any Microsoft product. Finally when we upgrade or update products legal obligations may in some circumstances require that we maintain the ability to provide information in response to a law enforcement or national security request. There are aspects of this debate that we wish we were able to discuss more freely. That’s why we’ve argued for additional transparency that would help everyone understand and debate these important issues.”
Update 4:51 p.m.:
Microsoft general counsel Brad Smith has written a blog post discussing the Guardian’s report, saying there are “significant inaccuracies in the interpretations of leaked government documents.”
Smith said on Tuesday he asked U.S. Attorney General Eric Holder to allow Microsoft and other companies to give more information about how they handle requests for customer information. Interestingly, he notes that he believes the companies have the right to share information under the U.S. Constitution, which makes it clear the prohibition is coming from the NSA. Here’s a quote from Smith that indicates that: “We believe the U.S. Constitution guarantees our freedom to share more information with the public, yet the Government is stopping us.”
He may just be rocking legal style, but I like that the G is capitalized, like the Bs in “Big Brother.” With all due respect to Snoop Dogg, it ain’t nothin’ but a G thang, baby.
If the Constitution gives cover to Microsoft and the other tech companies to discuss how they handle national security requests for customer information, then I’m looking for a tech company to stick its neck out and provide that information. That company would secure a brand distinction for transparency. But the company would need to weigh that against a potential whipping by the NSA.
About Hotmail and Outlook.com, Smith wrote, “We do not provide any government with direct access to emails or instant messages. Full stop.” He added that the company did talk to the government about legal compliance requirements as it prepared to launch Outlook.com, but “in none of these discussions did Microsoft provide or agree to provide any government with direct access to user content or the ability to break our encryption.” He said the same is true of SkyDrive and Skype.
The Guardian reacts to Smith’s post in this report.