Microsoft is fed up.
After pleading with the U.S. government for more transparency concerning law-enforcement requests for user data and voicing its support for legislation that seeks to curb the National Security Agency’s (NSA) powers, Microsoft is weighing in on the controversy in the starkest terms yet. And the software giant signaled that it will make it tougher for any government to access or intercept user data on its cloud and Web services offerings.
Concerning the classified disclosures provided by ex-NSA contractor Edward Snowden, Brad Smith, Microsoft general counsel and executive vice president, expressed concern over the efforts of some governments to “surreptitiously collect private customer data.” Not only are they sidestepping IT security safeguards, he said in company remarks, but in his company’s view they are also circumventing “legal processes and protections.”
Snowden’s revelations about the NSA and its capabilities, if true, could undermine the growing cloud computing market, hinted Smith. He added that “these efforts threaten to seriously undermine confidence in the security and privacy of online communications.”
Smith likened the NSA’s activities to some of the most aggressive dangers faced by companies with an online presence. “Indeed, government snooping potentially now constitutes an ‘advanced persistent threat,’ alongside sophisticated malware and cyber-attacks,” he stated.
Just as Microsoft fortifies its cloud data centers against hackers and malware, the company is hoping to end government snooping by rolling out stronger user data protections.
Microsoft has vowed to move quickly in expanding its use of encryption in the wake of revelations that the NSA had access to the Internet traffic linking the data centers of major tech companies, including Google and Yahoo. Smith described the move as a “significant engineering effort, given the large number of services we offer and the hundreds of millions of customers we serve.”
According to Smith, Microsoft is instituting the following policies:
1. Encryption is on, by default, for data moving between customers and Microsoft
2. Customer content will be encrypted as it moves between data centers on all of the company’s “key platform, productivity and communications services”
3. Microsoft will use “best-in-class” industry cryptography, including Perfect Forward Secrecy and 2048-bit key lengths.
4. All customer data stored by Microsoft will be encrypted. Developers of third-party services running Windows Azure will have a choice but Microsoft will “offer the tools to allow them to easily protect data.”
Microsoft is also “working with other companies across the industry to ensure that data traveling between services—from one email provider to another, for instance—is protected,” said Smith. The company expects to have completed the overhaul by late 2014, although “much of it is effective immediately.”
In addition, Microsoft pledges to “reinforce legal protections for our customers’ data,” alerting customers when the government requests user data and challenging secret orders in court. Further, the company will continue to strive for greater transparency by opening “a network of transparency centers” in Europe, the Americas and Asia, said Smith.