Microsoft Expands Encryption to Foil Government Snooping

Content moving between customers and Microsoft will be encrypted by default, and all key platform, productivity and communications services will encrypt customer content as it moves between data centers

Those steps include the expansion of encryption across services; reinforcement of legal protections for customer data; and the enhancement of the transparency of software code, making it easier for customers to reassure themselves that Microsoft products do not contain back doors.

Brad Smith, general counsel and executive vice president of legal and corporate affairs at Microsoft, went so far in a blog post as to characterize government snooping as an advanced persistent threat, alongside sophisticated malware and cyber-attacks.

“In particular, recent press stories have reported allegations of governmental interception and collection – without search warrants or legal subpoenas – of customer data as it travels between customers and servers or between company data centers in our industry,” Smith said. “If true, these efforts threaten to seriously undermine confidence in the security and privacy of online communications.”

When it comes to encryption, the NSA has been widely reported to have taken steps to thwart or weaken existing standards. Microsoft is now undertaking a comprehensive engineering effort across major communications, productivity and developer services such as Outlook.com, Office 365, SkyDrive and Windows Azure. Content moving between customers and Microsoft will be encrypted by default, and all key platform, productivity and communications services will encrypt customer content as it moves between data centers. And, it will encrypt customer content that it stores.

“In some cases, such as third-party services developed to run on Windows Azure, we’ll leave the choice to developers, but will offer the tools to allow them to easily protect data,” Smith said.

He added, “We will use best-in-class industry cryptography to protect these channels, including Perfect Forward Secrecy and 2048-bit key lengths.”

All of this will be in place by the end of 2014, he said.

In terms of legal protections, Smith said that Microsoft is notifying business and government customers if it receives legal orders related to their data. “Where a gag order attempts to prohibit us from doing this, we will challenge it in court,” Smith noted. “We’ve done this successfully in the past, and we will continue to do so in the future to preserve our ability to alert customers when governments seek to obtain their data. And we’ll assert available jurisdictional objections to legal demands when governments seek this type of customer content that is stored in another country.”

Finally, Microsoft plans to open a network of transparency centers in Europe, the Americas and Asia to enable the review of its source code. Original Snowden reports alleged that Microsoft and other tech companies were complying with government surveillance by offering the NSA direct access to their systems to siphon information. It is a charge that all of them have denied.

“Ultimately, we’re sensitive to the balances that must be struck when it comes to technology, security and the law,” Smith concluded. “We believe these new steps strike the right balance, advancing for all of us both the security we need and the privacy we deserve.”
