Microsoft's Encryption Race
David Meyer
Microsoft unveiled a raft of measures to counteract what it characterizes as the “advanced persistent threat” of government snooping. It says these steps will “ensure governments use legal process rather than technological brute force to access customer data.”
As has been previously reported, this will include more widespread use of encryption in the company’s networks and systems. It also includes measures that specifically address the concerns of Microsoft’s international public-sector and business customers.
Notably, the company will expand its Government Security Program, which allows governments to inspect the company’s source code so they can check that it doesn’t include hidden backdoors for the benefit of U.S. intelligence and law enforcement agencies.
In a blog post, Microsoft General Counsel Brad Smith said:
“We will open a network of transparency centers that will provide these customers with even greater ability to assure themselves of the integrity of Microsoft’s products. We’ll open these centers in Europe, the Americas, and Asia, and we’ll further expand the range of products included in these programs.”
Microsoft’s name has popped up repeatedly in the months following Edward Snowden’s revelations of global mass surveillance, mostly carried out by the Americans, British, and Australians.
The company allegedly provided U.S. agencies with early warnings of vulnerabilities in its software before patching those flaws, in theory giving those agencies a window of opportunity to exploit them. It also reportedly worked directly alongside the National Security Agency to help the spies circumvent some of the encryption protecting its online communications services.
Now, as signs emerge that the NSA scandal is threatening the revenue of U.S. tech vendors, Microsoft is trying to get back in the world’s good books. First up is that “advanced persistent threat” designation—while it doesn’t specifically call out the U.S. government, it does put such snooping in the same category as malware and “cyber attacks.”
Then there’s Microsoft’s newfound urgency in applying encryption across its systems. This is essential for a company moving into the cloud, and indeed Smith noted that Microsoft already encrypts Outlook.com and Office 365 content when it’s being passed between the company and its customers (of course, the Outlook.com encryption is the same encryption that Microsoft is alleged to have helped the NSA compromise). Windows Azure storage is also encrypted in transit.
Here’s what Smith promised on that front, characterizing it as an “acceleration” of Microsoft’s encryption plans:
- Customer content moving between our customers and Microsoft will be encrypted by default.
- All of our key platform, productivity, and communications services will encrypt customer content as it moves between our data centers.
- We will use best-in-class industry cryptography to protect these channels, including Perfect Forward Secrecy and 2048-bit key lengths.
- All of this will be in place by the end of 2014, and much of it is effective immediately.
- We also will encrypt customer content that we store. In some cases, such as third-party services developed to run on Windows Azure, we’ll leave the choice to developers, but will offer the tools to allow them to easily protect data.
- We’re working with other companies across the industry to ensure that data traveling between services—from one email provider to another, for instance—is protected.
Smith also moved to reassure government and business customers that Microsoft will try to tell them if and when agencies are after their data.
“Where a gag order attempts to prohibit us from doing this, we will challenge it in court,” he wrote. “We’ve done this successfully in the past, and we will continue to do so in the future to preserve our ability to alert customers when governments seek to obtain their data. And we’ll assert available jurisdictional objections to legal demands when governments seek this type of customer content that is stored in another country.”
There has never been any conclusive evidence of backdoors existing in Windows or other Microsoft products, although rumors to that effect have circulated for years. There are certainly plenty of people in the tech industry—even Linux creator Linus Torvalds—who have been asked to insert backdoors in their products, though of course those who admit as much also say they turned the authorities down.