Microsoft Worked with the NSA on Outlook, SkyDrive and Skype

For Outlook, the newspaper reports that "the NSA became concerned about the interception of encrypted chats on Microsoft's Outlook.com portal from the moment the company began testing the service in July last year." But within five months Microsoft and the FBI – which acts as the liaison between Silicon Valley and the NSA – had developed a solution. This solution went live in December last year, two months before Outlook.com was launched to the public.

The NSA's concern was limited to Outlook's chat. An internal NSA newsletter states, "For Prism collection against Hotmail, Live, and Outlook.com emails will be unaffected because Prism collects this data prior to encryption."

Microsoft reportedly further helped the FBI Data Intercept Technology Unit (DITU) understand the implications of its new email aliases feature, "which may affect our tasking processes."

The Guardian also indicates that the NSA has unfettered access to SkyDrive, Microsoft's cloud storage service that has more than 250 million users around the world. "An entry dated 8 April 2013 describes how the company worked 'for many months' with the FBI... to allow Prism access without separate authorization to its cloud storage service SkyDrive."

The Skype revelations make it clear that Skype had started working with the NSA some eight months before it was acquired by Microsoft, but that since the acquisition monitoring had improved. "One document," reports the Guardian, "boasts that Prism monitoring of Skype video production has roughly tripled since a new capability was added on 14 July 2012. 'The audio portions of these sessions have been processed correctly all along, but without the accompanying video. Now, analysts will have the complete 'picture'', it says."

The court orders that compel US technology companies to cooperate with US intelligence and law enforcement agencies are secret and cannot be disclosed. In what looks like two separate statements from Microsoft to the Guardian, it first states: "When we upgrade or update products we aren't absolved from the need to comply with existing or future lawful demands."

The second statement expands: "Finally when we upgrade or update products legal obligations may in some circumstances require that we maintain the ability to provide information in response to a law enforcement or national security request. There are aspects of this debate that we wish we were able to discuss more freely. That's why we've argued for additional transparency that would help everyone understand and debate these important issues."

A Microsoft spokesperson told Infosecurity: "We have clear principles which guide the response across our entire company to government demands for customer information for both law enforcement and national security issues. First, we take our commitments to our customers and to compliance with applicable law very seriously, so we provide customer data only in response to legal processes.

"Second", the spokesperson continued, "our compliance team examines all demands very closely, and we reject them if we believe they aren't valid. Third, we only ever comply with orders about specific accounts or identifiers, and we would not respond to the kind of blanket orders discussed in the press over the past few weeks, as the volumes documented in our most recent disclosure clearly illustrate. To be clear, Microsoft does not provide any government with blanket or direct access to SkyDrive, Outlook.com, Skype or any Microsoft product. Finally when we upgrade or update products legal obligations may in some circumstances require that we maintain the ability to provide information in response to a law enforcement or national security request. There are aspects of this debate that we wish we were able to discuss more freely. That's why we've argued for additional transparency that would help everyone understand and debate these important issues."

Two implications can be drawn from this. The first is that Microsoft is saying, 'It's not our fault, we are compelled by law to do this, we have no choice, but we cannot talk about it.' The second implication, however, is that if this is true, it is unlikely that the intelligence and law enforcement agencies would have applied such compulsion to Microsoft alone. It is more than possible that further Snowden revelations will indicate similar 'cooperation' from other US technology vendors.
