Microsoft has pledged to do more to protect its customers from government snooping, promising to increase its use of strong encryption, enforce legal protections to customer privacy, and increase the transparency of its own code to settle concerns regarding potential back-door Trojans.
Since documents leaked from the NSA by former contractor Edward Snowden confirmed what the tin-foil hat brigade had always been telling us - to whit, that world governments are regularly involved in illegal monitoring of citizens' private data, personal movements and even insert back-doors into commercial cryptography products
- concerns over privacy have been at an all-time high. This goes doubly for providers of closed-source products and cloud-based services - both categories Microsoft relies upon for its income.
As a result, Microsoft needs to reassure its customers that they're not the NSA's pet plaything - and fast. Enter Brad Smith, Microsoft general counsel, with a blog post
detailing exactly what the company is doing to keep its customers private data private.
'Recent press stories have reported allegations of governmental interception and collection – without search warrants or legal subpoenas – of customer data as it travels between customers and servers or between company data centres in our industry,
' Smith warns. 'If true, these efforts threaten to seriously undermine confidence in the security and privacy of online communications. Indeed, government snooping potentially now constitutes an “advanced persistent threat,” alongside sophisticated malware and cyber attacks.
'In light of these allegations, we’ve decided to take immediate and coordinated action in three areas: we are expanding encryption across our services; we are reinforcing legal protections for our customers’ data; we are enhancing the transparency of our software code, making it easier for customers to reassure themselves that our products do not contain back doors.
Smith breaks down the three moves with details including a shift to default-on encryption across all the company's cloud-based services - even for direct server-to-server communications between data centres. Microsoft's plan does not, however, appear to include encrypting internal communications within a single data centre - although a move to supporting 2,048-bit key lengths and Perfect Forward Secrecy is to be welcomed.
Smith also details a commitment to notifying business and government customers if any legal orders - such as a disclosure request - are received for their data, and to challenge in court any gag order that would prevent it from doing so. 'We’ve done this successfully in the past, and we will continue to do so in the future to preserve our ability to alert customers when governments seek to obtain their data,
' Smith claims. 'And we’ll assert available jurisdictional objections to legal demands when governments seek this type of customer content that is stored in another country.
' Again, however, there's a gap in the plan: while business and government customers receive a near-guarantee of a warning should spooks seek court-approved access to their data, there's no such promise for individuals using Microsoft's cloud-based services like Outlook.com, SkyDrive or Office 365.
Finally, Smith explains Microsoft's plan to increase the transparency of its codebase without going fully open-source: 'Just as we’ve called for governments to become more transparent about these issues, we believe it’s appropriate for us to be more transparent ourselves. We’re therefore taking additional steps to increase transparency by building on our long-standing program that provides government customers with an appropriate ability to review our source code, reassure themselves of its integrity, and confirm there are no back doors. We will open a network of transparency centers that will provide these customers with even greater ability to assure themselves of the integrity of Microsoft’s products. We’ll open these centers in Europe, the Americas and Asia, and we’ll further expand the range of products included in these programs.
In short, Microsoft's response to post-Snowden paranoia is welcomed - but hardly stretches far enough. Businesses are more heavily protected than consumers, encryption is still not all-encompassing, and only governments - the very establishments accused of infecting closed-source software with back-door Trojans in the first place - will have any ability to review the company's source code. Whether it's enough for the company to win back customer confidence remains to be seen.