Microsoft Helped NSA Bypass Cloud Encryption: Report
Microsoft helped the U.S. National Security Agency (NSA) bypass the encryption safeguards on some of its popular cloud services, according to a July 11 report in The Guardian.
The claims are the latest in the continuing NSA spying controversy, which made international headlines after NSA contractor Edward Snowden leaked top-secret documents and thrust the PRISM intelligence-gathering program into the spotlight. Fueling the scandal were assertions that the U.S. government had direct access to the servers, and therefore the data, of major Web services providers, including Google, Facebook and Microsoft.
"The government has granted itself power it is not entitled to. There is no public oversight. The result is people like myself have the latitude to go further than they are allowed to," Snowden told The Guardian.
Google and other major cloud companies were swift to push back against the accusation. In an Official Google Blog post dated June 11, Google Chief Legal Officer David Drummond wrote: "Assertions in the press that our compliance with these requests gives the U.S. government unfettered access to our users' data are simply untrue. However, government nondisclosure obligations regarding the number of FISA [Foreign Intelligence Surveillance Act] national security requests that Google receives, as well as the number of accounts covered by those requests, fuel that speculation."
Following Google's lead, and citing its First Amendment rights, Microsoft recently requested permission from the U.S. government to disclose more details about government requests for customer data in an effort to combat charges that the company grants the intelligence community unrestricted access to its cloud servers.
"To promote additional transparency concerning the Government's lawful access to Microsoft's customer data, Microsoft seeks to report aggregate information about FISA orders and FAA [FISA Amendments Act] directives separately from all other local, state, and federal law enforcement demands," said the company in its June 19 filing with the U.S. Foreign Intelligence Surveillance Court.
Now Microsoft is facing renewed scrutiny after the U.K. news organization released more details on the documents provided by Snowden.
"Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept Web chats on the new Outlook.com portal," said The Guardian report. Additionally, the "agency already had pre-encryption stage access to email on Outlook.com, including Hotmail," reported the paper.
With the help of the FBI, Microsoft also reportedly helped the NSA give PRISM easier access to its cloud storage service, SkyDrive. Also ensnared in this latest controversy is Skype, the company's massively popular voice and video calling service. "In July last year, nine months after Microsoft bought Skype, the NSA boasted that a new capability had tripled the amount of Skype video calls being collected through Prism," revealed the report.
While the scandal has, by and large, involved consumer-grade services, enterprises should be wary too, according to Steve Weis, chief technology officer for PrivateCore, a cloud security startup. It all boils down to who manages the encryption keys.
The former Google technologist, who worked on the search giant's two-factor authentication system, noted that in terms of its technology foundation, Microsoft's SkyDrive product is fundamentally the same for both enterprise users of its Office 365 product and consumers. He told eWEEK that for many cloud services, "the user isn't in control of the [encryption] keys."
Such services—"not specific to Microsoft," Weis said—can be compelled by a lawful request to hand over decrypted data without the data's owner being made aware. "If you don't encrypt your data before you send your data, it's exposed," said Weis.
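Weis's key-custody argument, as an added illustration that is not from the article and not PrivateCore's or Microsoft's code: a toy Go model in which a cloud provider stores AES-GCM blobs and answers a compelled request with the clearest form of the data it can produce. The type and function names (Provider, Seal, Open, ComplyWithRequest) are invented for the example; the only real dependencies are Go's standard crypto packages.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal returns nonce||AES-GCM ciphertext. Run on the client, the key never leaves
// the user's machine; run on the server, the key is the provider's to hand over.
func Seal(key, plaintext []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, plaintext, nil), nil // dst=nonce prepends it to the output
}

// Open splits off the nonce and decrypts; a wrong key fails the authentication tag check.
func Open(key, blob []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil { return nil, err }
	n := g.NonceSize()
	if len(blob) < n { return nil, errors.New("blob too short") }
	return g.Open(nil, blob[:n], blob[n:], nil)
}

// Provider is a toy cloud store (hypothetical); Key is non-nil only in the
// provider-managed-key model, i.e. "encryption at rest" done by the service.
type Provider struct {
	Store map[string][]byte
	Key   []byte
}

// ComplyWithRequest models a compelled disclosure: the provider hands over the
// clearest form it can produce, which is plaintext only when it holds the key.
func (p *Provider) ComplyWithRequest(name string) ([]byte, error) {
	blob, ok := p.Store[name]
	if !ok { return nil, errors.New("no such object") }
	if p.Key == nil { return blob, nil } // no key: ciphertext is all the provider has
	return Open(p.Key, blob)
}
```

Only the client-side path keeps the provider out of the loop; note that it also means a lost user key is unrecoverable data, which is the operational trade-off of holding your own keys.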