Microsoft 'alarmed' by NSA spying. (But let's not forget it knew about the risks at least two years ago)

Summary: Microsoft's chief lawyer compared the National Security Agency to hackers, and tried to reassure business users that their data was as safe as it can be. But the software giant knew about the effects of the Patriot Act at least two years ago. Why? I was the guy asking the questions.

I almost choked on my coffee this morning.

Thanks to the ongoing spate of leaks from former U.S. government contractor Edward Snowden, we now have a much clearer picture — even if the water is still a little muddy — of the vast scale of the American and British mass global surveillance efforts. At the heart of the programs are the Silicon Valley giants, who continue to declare their innocence from complicity in handing over huge amounts of user and customer data.

Microsoft is just one of the named seven major companies at the heart of the scandal.

In a blog post published Wednesday night, Microsoft's chief lawyer Brad Smith said the company was "alarmed" by recent allegations that some governments were able to "circumvent" online security and legal processes and protections to collect data — hinting but not directly outing the U.S. National Security Agency and Britain's GCHQ.

Excuse me?

My first reaction: You knew about this at the very least two years ago, when this then-22-year-old London-dwelling reporter asked the company's then-U.K. managing director if the software giant could guarantee that European data wouldn't leave the EU "under any circumstances," even under a request by the Patriot Act.

It turns out the company couldn't. 

"Microsoft cannot provide those guarantees. Neither can any other company," Gordon Frazer said on the record, in view of about two-dozen journalists and reporters at the London launch of Office 365 in June 2011.

It was pretty big news at the time. ReadWrite grabbed it, as did Wired and Engadget, Ars Technica, and others. It was the first time a European company admitted that U.S. law could extraterritorially dip into EU-based companies owned by a U.S. corporation and take data at will for inspection by U.S. intelligence and law enforcement agencies.

The Europeans caught wind of this. According to my sources on the ground at the time, following a series of "WHAT?!"-type phone calls from Brussels-based bureaucrats, they were pissed. They were absolutely out-of-this-world incensed. 

It led to European Parliament members submitting questions in session to the European Commissioner in charge of justice, Viviane Reding, who spent the following years denying there was an issue, in a stubborn bid to save face amid concerns that the U.S. government had been circumventing what the EU thought to be "strong" Europe-wide data protection rules. 

The revelations ultimately led to a diplomatic spat between the EU and the U.S., which led Reding on a year-and-a-half backroom deal session to hammer out exactly what the U.S. could and couldn't do in regards to respecting European privacy laws. (Which as a result, like thousands of other Americans and foreign nationals, it wouldn't surprise me in the least to be "one of those" on a list that gets me singled out almost every damn time I get on a plane.)

Like others, Microsoft is joining the effort to bolster the encryption in its products and the links between its datacenters. It'll take until the end of 2014 — a far later timeline than Yahoo's efforts to ramp up security by just the first quarter.

But it's still a little bit too late considering the software giant was fully aware of these issues in June 2011. In fact, probably longer considering I had personally been banging the drum and in touch with Microsoft staff and legal counsel on a near-daily basis for months prior to my initial write-ups.

The software giant also said Wednesday it will "take new steps to reinforce legal protections for our customers' data," by basically doing what it did in the past. It will notify business and government customers if the company receives legal orders related to their data. But if it can't, it won't. Microsoft may challenge gag orders (which it notes it has done in the past — and successfully) but it may not win in every case.

"And we'll assert available jurisdictional objections to legal demands when governments seek this type of customer content that is stored in another country," Smith wrote. Which, frankly, is at the very heart of the issue.

That's the crux of the problem. The Patriot Act, along with the Foreign Intelligence Surveillance Act (FISA), and other acts of law can still be used to circumvent the supra-national European-wide data protection laws. Just because a handful of specific NSA and GCHQ-related programs have been disclosed doesn't mean the law has changed. 

I hate to say, "I told you so," but, well... yeah.

Talkback

  • The same can be said...

    The same can be said for all companies (Google, Yahoo, Apple, etc.).
    ian.aldrighetti
    • For the record...

      Yeah, you're absolutely right. You can read more behind my reasoning and motives behind my choices here, should you wish. http://www.zdnet.com/blog/igeneration/america-reacts-to-911-why-i-began-investigating-the-patriot-act/12580
      zwhittaker
      • You have an odd take on this Zack

        Look at this:

        1. "this then-22-year-old London-dwelling reporter asked the company's then-U.K. managing director if the software giant could guarantee that European data wouldn't leave the EU "under any circumstances," even under a request by the Patriot Act."

        2. "Microsoft cannot provide those guarantees. Neither can any other company," Gordon Frazer said on the record

        3. "Microsoft's chief lawyer Brad Smith said the company was "alarmed" by recent allegations that some governments were able to "circumvent" online security and legal processes and protections to collect data"

        Ummm...I gather you feel that question 1. and answer 2. have some direct connection to observational comment 3.?

        If you do feel that way, I am quite taken aback, I can't see how you even came to such a misconstrued and shabby conclusion.

        I'm actually a little blown away that you seem to NOW be saying this previous question and answer exchange was also covering some kind of common knowledge that these two were also discussing the likelihood of the U.S. government surreptitiously intercepting data outside of legal means.

        Let's look at this a little closer. I'm going to actually use some quotes directly out of your previous articles on this, Zack, that way we can be assured that we are referring to what your understanding of the situation was as opposed to what someone else might have felt the conversation was about.

        As quoted at http://www.zdnet.com/blog/igeneration/microsoft-admits-patriot-act-can-access-eu-based-cloud-data/11225

        The actual exchange was reported by you to go exactly as this:

        "The question put forward:
        Can Microsoft guarantee that EU-stored data, held in EU based datacenters, will not leave the European Economic Area under any circumstances — even under a request by the Patriot Act?

        Frazer explained that, as Microsoft is a U.S.-headquartered company, it has to comply with local laws (the United States, as well as any other location where one of its subsidiary companies is based).
        Though he said that "customers would be informed wherever possible," he could not provide a guarantee that they would be informed — if a gagging order, injunction or U.S. National Security Letter permits it.
        He said: "Microsoft cannot provide those guarantees. Neither can any other company."

        And as you mentioned before, your research into the Patriot Act led you to understand the following at http://www.zdnet.com/blog/igeneration/summary-zdnets-usa-patriot-act-series/9233

        "U.S. law enforcement could use the USA PATRIOT Act on a U.S.-based organisation -- like Microsoft, Google, Intel or Amazon, for example -- to force its local subsidiary companies across the world into handing over user data to U.S. authorities"

        Now...I see this whole exchange between the reporter and Microsoft, backed up of course by your understanding of what the Patriot Act could do about EU data; that information generated and stored in the EU that finds itself possessed by big IT companies like MS may be FORCED to HAND OVER data to the US government, by way of the Patriot Act, and that while Microsoft would always try and inform users, no company could guarantee that this would always happen.

        At no place in this exchange, and certainly at no place in your previous articles on the subject have I seen anyone say, including YOU, Zack, that the above also opened the door to some likelihood that the United States government would simply surreptitiously intercept data by circumventing online security and perhaps even the law. The above conversations and comments were nothing similar to such a thing. They had ZERO, repeat ZERO to do with anything other than the US ordering a company like Microsoft to turn over data by legal order under the Patriot Act, focusing on the possibility that this could happen even in cases where Microsoft was in possession of data on EU soil and there were no guarantees people would always be informed of such.

        How do we get from that, to Microsoft should have known back then that some governments were probably going to "circumvent" online security and legal processes and protections to collect data???

        This is just absurd!!! Good lord man. Look and think for a moment about what you have written! It's just plainly and most obviously wrong. This isn't just some opinion, it's clear in the text of the very written words you reported before and wrote yourself.

        Now, if you ask me, could Microsoft have made a good educated guess as to the capabilities of the US government being physically able to do such a thing, I am most certain that Microsoft would have said on this much different topic, yes, the government probably can secretly intercept data if they put their mind to it. Would they have ever speculated on whether the government was likely to do it?

        I also bet if asked such a troubling but pointed question that Microsoft would have also said something much along the lines of "We certainly would hope that any privately held data the U.S. government wishes to get their hands on, that such efforts come through acceptable and proper legal channels by way of requests under the Patriot Act or any other applicable law and that the government does not choose instead to circumvent online security and legal processes and protections to collect data"

        So, I really cannot even imagine in my wildest dreams how you came to your "Excuse me" moment. Certainly not by way of the question and answer you referred to. And even saying that in any event, Microsoft would have at least been able to guess this could happen, still means that everyone should also be hoping that even when we know something bad is possible, like, oh...let's say a person can lose their mind and go on a shooting spree for example, that when we hear it did happen we will still say, "I'm alarmed to hear that someone else has lost their mind and gone on a fatal shooting spree"

        What did you think?? Someone is going to simply say "So what? Big deal?" They sure couldn't say "We told you so" because they didn't. Of course Microsoft is not going to be very happy that the U.S. government is doing these kinds of things.

        And for you to claim that they somehow expected this due to known previous conversations, well, I put it to you that most people and companies may recognize a government's ability to do bad but certainly don't necessarily expect it.
        Cayble
        • Considering you spend your time on this site praising Microsoft so much

          One has to sprinkle quite a bit of salt in your own assertions -- which, by the way, might I also point out, you weren't there covering this in person, let alone for nearly two years with every waking moment possible.
          zwhittaker
          • The only answer is open source

            Linux has no secret backdoors because nothing in Linux is a secret. It is 100% public, and that is the only thing anyone can trust right now.
            T1Oracle
          • Yeah, neither is Ubuntu's built-in spyware a secret...oh wait.

            'nuff said.
            MrElectrifyer
    • ian.aldrighetti: "The same can be said for all companies ..."

      That's why this is all so ... exquisite.

      I'm truly amazed that there are *ANY* fanbois of U.S. multi-billion dollar, multinational tech companies left. ZDNet, apparently, is their last refuge.

      Zack nailed it with this bit:

      "That's the crux of the problem. The Patriot Act, along with the Foreign Intelligence Surveillance Act (FISA), and other acts of law can still be used to circumvent the supra-national European-wide data protection laws. Just because a handful of specific NSA and GCHQ-related programs have been disclosed doesn't mean the law has changed."

      Nor does it mean that governments and corporations operate strictly inside the law. Corporations? Yup, the FISA Amendments Act of 2008, via the U.S. Attorney General, granted retroactive immunity to the telecoms. And the U.S. Supreme Court let it stand:

      "Supreme Court lets AT&T immunity stand in surveillance case"
      http://thehill.com/blogs/hillicon-valley/technology/260951-supreme-court-lets-atat-immunity-stand-in-surveillance-case

      Now, c'mon, in unison ... Go AT&T! Go Verizon! Go Sprint! Go Microsoft! Go Google! Go Facebook! Go Apple! ... I CAN'T HEAR YOU!!!
      Rabid Howler Monkey
      • What cracks me up is people who think

        European countries aren't doing exactly the same thing. They're just a little smarter than the U.S. is in keeping it covered up.
        baggins_z
      • I think you have

        been rabid too long. You need help.
        Moosehouse
        • @Moosehouse

          You need to wake up. :)
          Rabid Howler Monkey
  • Not sure what the author's point is

    Microsoft is not able to open data centres that are outside of the NSA's extraterritorial reach due to US law. This is not news - it wasn't just you who knew about this even in 2011.

    What exactly would you have it do? There are no legal tools the company can use to put any data out of reach of NSA spies. I'm sure it wishes it could.
    Mac_PC_FenceSitter
    • Well, the issue with the article goes beyond that even.

      Zack seems to be saying that because Microsoft has become aware of allegations that these activities by the government seem to be taking place that a Microsoft representative shouldn't be saying he is alarmed at the allegations because he must have suspected the possibility.

      What kind of madness is that? I suspect many governments, and even specific people in some governments are probably doing many dastardly things around the world. It doesn't mean I don't become alarmed when I hear a specific allegation. Even about something I specifically suspect may be true to begin with.

      And Zack's whole pointing to the previous question by the 22 year old reporter and the MS response don't even fit as some explanation that an MS lawyer already said this might be happening doesn't hold a drop of water. One had little to nothing directly with the other beyond the broadest part of the subject in general.
      Cayble
  • Microsoft 'alarmed' by NSA spying. (But let's not forget it knew about the

    Microsoft is alarmed because they thought the government would ask nicely instead of going behind their backs for the data. The Patriot Act basically gave the government all rights to tap into any company's data. There is recent news of companies using encryption but I don't know how much good that is going to do. This is the NSA. Tapping and surveillance and encryption is what they are good at. It might delay them a bit but I'm betting they will still find a way to decrypt the data.
    Loverock.Davidson
    • All it takes is a memo...

      Give us the keys.... BTW, you can't tell anyone you have given us the keys, or that we ordered you to give us the keys...
      jessepollard
      • You nailed it. The problem is

        the government has been too effective at convincing too many Americans that it is a poor, innocent victim of all-powerful corporations.
        baggins_z
  • Behind the scenes

    The overthrown government of usa now controlled by very dangerous and murderous thugs (beasts) of fbi/homeland security.

    overthrown gov:

    http://lissakr11humane.com/2012/09/08/collapse-of-the-constitutional-government-of-the-united-states-of-america-by-geral-sosbee/

    high tech torture, ELF, by low minded thugs of fbi:

    http://rudy2.wordpress.com/ex-fbi-agent-geral-sosbees-testimony-in-various-languages/

    http://rudy2.wordpress.com/brain-and-satellite-surveillance/

    'Veterans Today', Dr. Preston James on usa corruption & fbi murderous evil:

    http://www.veteranstoday.com/2013/11/28/alien-ets-hybrids-and-911/
    geralsosbee