Redmond is looking to become a leader in a newly competitive space: your privacy. On Wednesday, Microsoft announced that it is expanding encryption across all of its services and undertaking other actions to guard against snooping by governments.
On the official Microsoft blog, General Counsel Brad Smith wrote that his company shares the concerns of customers “about government surveillance of the Internet.” Because of this shared interest, he said, the company’s steps are designed to ensure that governments “use legal process rather than technological brute force to assess customer data.”
He specifically mentioned “recent allegations in the press of broader and concerted efforts by some governments to circumvent online measures” in order to gather private customer data, in particular the interception without warrants or subpoenas of data as it travels “between customers and servers or between company data centers.”
Last month, The New York Times reported that the U.S. National Security Agency (NSA) could spy on Google and Yahoo users, and possibly others, without having direct access to the data centers of those companies, by tapping into the fiber-optic Internet backbones of such providers as Verizon, the BT and Level 3.
The story said it wasn’t clear if the providers cooperated and, at any rate, Yahoo and Google are now encrypting their data for backbone travel. One assumes such encryption could make the NSA’s task harder, but it’s also not evident how difficult decoding that encrypted data would be for the world’s most capable encryption/decryption governmental agency. Microsoft said it will employ “best-in-class industry cryptography,” such as Perfect Forward Secrecy and 2048-bit key lengths.
Microsoft noted that it has been encrypting its products and services for years to protect against hackers, and it has “no evidence” of unauthorized government access but it wants to address the issue directly.
‘Enhancing the Transparency’
Services included, or enhanced, in this new initiative include Outlook.com, Office 365, SkyDrive and Windows Azure, as well as all of its customer-created or stored content. Third-party services that run on Azure will be the responsibility of the respective developers, although Microsoft will make tools available. All of the additional encryption will occur before the end of next year, and Microsoft pledged that it will work with other services, such as e-mail providers, to encourage the implementation of similar efforts.
In addition to expanding encryption, the company also said it was reinforcing legal protections for customers’ data, and “enhancing the transparency” of its code, so that coders could perform due diligence and help ensure that products have not been built with back-door access. In fact, a network of “transparency centers” will be opened around the world to support these efforts.
Legal enhancements will include the notification of business and government customers if Microsoft receives legal orders about their data. If a gag order is imposed, the Microsoft vows to challenge it.
Posted: 2013-12-06 @ 6:35am PT
I don't worry about snooping by government. I do worry about snooping by commercial interests, like Microsoft.